Bug 1847832 (CVE-2020-10781)

Summary: CVE-2020-10781 kernel: zram sysfs resource consumption
Product: [Other] Security Response Reporter: Wade Mealing <wmealing>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: acaringi, airlied, bhu, blc, bmasney, brdeoliv, bskeggs, dhoward, dvlasenk, esammons, fhrbata, hdegoede, hkrzesin, iboverma, ichavero, itamar, jarodwilson, jeremy, jforbes, jlelli, john.j5live, jonathan, josef, jross, jshortt, jstancek, jwboyer, kcarcia, kernel-maint, kernel-mgr, lgoncalv, linville, masami256, mchehab, mcressma, mjg59, mlangsdo, nmurray, ptalbert, qzhao, rt-maint, rvrbovsk, steved, williams
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Linux kernel 5.8-rc6 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the ZRAM kernel module, where a user with a local account and the ability to read the /sys/class/zram-control/hot_add file can create ZRAM device nodes in the /dev/ directory. This read allocates kernel memory and is not accounted for a user that triggers the creation of that ZRAM device. With this vulnerability, continually reading the device may consume a large amount of system memory and cause the Out-of-Memory (OOM) killer to activate and terminate random userspace processes, possibly making the system inoperable.
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-11-08 01:19:40 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1848258, 1848259, 1848260, 1848261, 1848262, 1850165    
Bug Blocks: 1847650    
Attachments:
Description Flags
Initial patch to change permissions on the file. none

Description Wade Mealing 2020-06-17 07:37:58 UTC
A user with a local account and the ability to read the /sys/class/zram-control/hot_add file which on each read will create a zram device node in the /dev/ directory.  This allocates kernel memory and is not allocated to a user.

Continually reading this file may consume a large amount of system memory and cause the system OOM killer to activate, terminating userspace processes possibly making the system inoperable.

Comment 2 Wade Mealing 2020-06-17 08:09:06 UTC
Created attachment 1697754 [details]
Initial patch to change permissions on the file.

Initial patch, not accepted upstream yet.

Comment 9 Wade Mealing 2020-06-18 04:47:39 UTC
Mitigation:

Changing permissions on the files within /sys will prevent regular users from being able to trigger this issue, however permissions changed within /sys do not persist between reboots and will need to be reapplied after each boot.

Comment 10 Wade Mealing 2020-06-18 06:07:46 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1848259]

Comment 13 Petr Matousek 2020-06-23 15:54:05 UTC
Acknowledgments:

Name: Luca Bruno (Red Hat)

Comment 14 Petr Matousek 2020-06-23 15:54:09 UTC
Statement:

This flaw is rated as having Low impact, because it is a denial of service only and requires the ZRAM kernel module to be loaded, which it is not the default, and oading kernel modules is a privileged operation.

Comment 17 Justin M. Forbes 2020-10-08 18:51:05 UTC
This was fixed for Fedora with the 5.7.10 stable kernel updates.