Bug 1835127 (CVE-2020-10742)
Summary: | CVE-2020-10742 kernel: NFS client crash due to index buffer overflow during Direct IO write causing kernel panic | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Marian Rehak <mrehak> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | ||
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Doc Text: |
A flaw was found in the Linux kernel. An index buffer overflow during Direct IO write leads to the NFS client crashing. In some cases, reaching beyond the index after one memory allocation by kmalloc will cause a kernel panic. The highest threat from this vulnerability is to data confidentiality and system availability.
|
Last Closed: | 2020-09-29 22:00:54 UTC | Type: | --- |
Bug Depends On: | 1848484, 1848485, 1848486, 1848487, 1824270, 1835128, 1839679, 1839680, 1839681 | ||
Bug Blocks: | 1827054 |
Description
Marian Rehak
2020-05-13 08:04:26 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1835128]

Hi Marian,

I'm trying to track this issue for Debian, and looked up https://bugzilla.redhat.com/show_bug.cgi?id=1824270 as well. Do you have any additional information on this issue: Did it ever affect mainline/upstream or is the issue specific to the Red Hat kernel?

Regards,
Salvatore

Hello Salvatore,

This flaw is based on the bz you mentioned, so there is no additional information apart from that as far as I know. I'm sorry I couldn't be of more help.

Best regards.
Marian

Hi Marian,

(In reply to Marian Rehak from comment #4)
> Hello Salvatore,
>
> This flaw is based on the bz you mentioned, so there is no additional
> information apart from that as far as I know. I'm sorry I couldn't be of
> more help.

Okay thanks, I was hoping there was more already known as it mentioned an internal discussion for developing the kernel patches which then were specifically applied to the 3.10 version.

I was not able to trigger the issue for instance in 4.19.118, and with only the available information I was suspecting it might be fixed in 3.11-rc1 upstream, something related to 18aad3d552c7 ("NFSv4.1 Refactor nfs4_init_session and nfs4_init_channel_attrs") and/or 68bf05efb7fa ("nfs41: fix session fore channel negotiation") or maybe something completely else.

This would be as well in line with the fact that a fix was only needed for RHEL7 with kernel-3.10.0-1140.el7?

Thanks for taking time here to reply to my query.

Regards,
Salvatore

In reply to comment #3:
> Hi Marian,
>
> I'm trying to track this issue for Debian, and looked up
> https://bugzilla.redhat.com/show_bug.cgi?id=1824270 as well. Do you have any
> additional information on this issue: Did it ever affect mainline/upstream
> or is the issue specific to the Red Hat kernel?
>
> Regards,
> Salvatore

Hi Salvatore,

Based on the info from engineering:

"Upstream, nfs_direct_write_schedule_segment was removed in v3.16, and iovec has been transformed to iov_iter, so this is a RHEL-only patch."

which is from our rhel-7 patch.

Best Regards,
Alexander

Acknowledgments:

Name: Jay Shin (Red Hat)

This issue has been addressed in the following products:

Red Hat Enterprise Linux 7

Via RHSA-2020:4062 https://access.redhat.com/errata/RHSA-2020:4062

This issue has been addressed in the following products:

Red Hat Enterprise Linux 7

Via RHSA-2020:4060 https://access.redhat.com/errata/RHSA-2020:4060

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-10742