Bug 1842525 (CVE-2020-10757)

Summary: CVE-2020-10757 kernel: kernel: DAX hugepages not considered during mremap
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: acaringi, airlied, aquini, bhu, blc, bmasney, brdeoliv, bskeggs, csvoboda, dhoward, dvlasenk, esammons, fhrbata, hdegoede, hkrzesin, iboverma, ichavero, itamar, jarodwilson, jeremy, jforbes, jglisse, jlelli, jmoyer, john.j5live, jonathan, josef, jross, jshortt, jstancek, jwboyer, kcarcia, kernel-maint, kernel-mgr, labbott, lgoncalv, linville, masami256, matt, mchehab, mcressma, mjg59, mlangsdo, nmurray, pmatouse, ptalbert, qzhao, rt-maint, rvrbovsk, security-response-team, steved, williams
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the way mremap handled DAX Huge Pages. This flaw allows a local attacker with access to a DAX enabled storage to escalate their privileges on the system.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2020-07-21 13:28:00 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1843429, 1843430, 1843431, 1843432, 1843433, 1843434, 1843435, 1843436, 1843437, 1843438, 1843439, 1843440, 1843441, 1843442, 1843443, 1843444, 1843445, 1843446, 1843447, 1843448, 1843883    
Bug Blocks: 1842526    

Description Pedro Sampaio 2020-06-01 13:11:58 UTC 
A flaw was found in the way mremap handled DAX hugepages. A local attacker could use this flaw to escalate their privileges on the system by being able to control PTEs and effectively creating physical to virtual mappings at will.
Comment 1 Petr Matousek 2020-06-03 09:54:57 UTC 
Acknowledgments:

Name: Fan Yang
Comment 10 Petr Matousek 2020-06-04 11:32:11 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1843883]
Comment 11 Petr Matousek 2020-06-08 14:43:15 UTC 
External References:

https://www.openwall.com/lists/oss-security/2020/06/04/4
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=5bfea2d9b17f1034a68147a8b03b9789af5700f9
Comment 16 Petr Matousek 2020-06-23 10:57:02 UTC 
Statement:

This issue requires access to a DAX enabled storage.

This issue affects Red Hat Enterprise Linux 7 kernels starting with kernel-3.10.0-862, that is Red Hat Enterprise Linux 7.5 GA kernel. Red Hat Enterprise Linux 7 kernels prior to that version are not affected as they did not include the functionality that enabled this issue to be exploited.

Red Hat Product Security is aware of this issue. Updates will be released as they become available.
Comment 18 errata-xmlrpc 2020-07-21 11:05:20 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:3010 https://access.redhat.com/errata/RHSA-2020:3010
Comment 19 errata-xmlrpc 2020-07-21 11:23:35 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:3016 https://access.redhat.com/errata/RHSA-2020:3016
Comment 20 Product Security DevOps Team 2020-07-21 13:28:00 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-10757
Comment 21 errata-xmlrpc 2020-07-21 14:32:35 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:3041 https://access.redhat.com/errata/RHSA-2020:3041
Comment 22 Chuck Svoboda 2020-07-21 15:33:26 UTC 
Why is RHEL7 not patched?  FWIW, OEL7 is patched.
Comment 23 errata-xmlrpc 2020-07-29 18:19:06 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:3220 https://access.redhat.com/errata/RHSA-2020:3220
Comment 24 errata-xmlrpc 2020-07-29 18:19:50 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:3221 https://access.redhat.com/errata/RHSA-2020:3221
Comment 25 errata-xmlrpc 2020-07-29 19:37:24 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2020:3222 https://access.redhat.com/errata/RHSA-2020:3222
Comment 26 errata-xmlrpc 2020-07-29 20:47:01 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2020:3226 https://access.redhat.com/errata/RHSA-2020:3226
Comment 29 errata-xmlrpc 2020-09-01 16:36:43 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Extended Update Support

Via RHSA-2020:3598 https://access.redhat.com/errata/RHSA-2020:3598
Comment 30 Petr Matousek 2020-10-21 12:18:28 UTC 
Mitigation:

Do not use DAX enabled storage.