Bug 1849926 (CVE-2020-14416)

Summary: CVE-2020-14416 kernel: slcan : race over tty->disc_data can lead use-after-free
Product: [Other] Security Response Reporter: Marian Rehak <mrehak>
Component: vulnerabilityAssignee: Nobody <nobody>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: acaringi, airlied, bhu, blc, bmasney, dvlasenk, hdegoede, hkrzesin, ichavero, itamar, jarodwilson, jeremy, jforbes, jlelli, john.j5live, jonathan, josef, jross, jshortt, jstancek, jwboyer, kcarcia, kernel-maint, kernel-mgr, lgoncalv, linville, masami256, mchehab, mjg59, mlangsdo, nmurray, pmatouse, ptalbert, qzhao, rkeshri, rt-maint, rvrbovsk, steved, walters, williams
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A use-after-free flaw was found in slcan_write_wakeup in drivers/net/can/slcan.c in the serial CAN module slcan. A race condition occurs when communicating with can using slcan between the write (scheduling the transmit) and closing (flushing out any pending queues) the SLCAN channel. This flaw allows a local attacker with special user or root privileges to cause a denial of service or a kernel information leak. The highest threat from this vulnerability is to system availability.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1850402, 1850403, 1850404, 1850405, 1850406    
Bug Blocks: 1849927    

Description Marian Rehak 2020-06-23 08:09:12 UTC 
A use-after-free flaw was found in  slcan_write_wakeup in drivers/net/can/slcan.c in serial CAN module slcan. A race condition  (when a communicate with can using slcan) between write (Schedule the transmit) and closing (flushing out any pending queues) the SLCAN channel.  A local attacker with special user (or root) privilege can cause a denial of service (DoS) . This vulnerability could even lead to a kernel information leak threat.

A race condition in tty->disc_data handling in the slip and slcan line discipline could lead to a use-after-free. This affects drivers/net/slip/slip.c and drivers/net/can/slcan.c.

Upstream Reference:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0ace17d56824165c7f4c68785d6b58971db954dd
Comment 8 RaTasha Tillery-Smith 2020-08-05 13:40:59 UTC 
Mitigation:

Mitigation for this issue is to skip loading the affected module 'slcan' and 'slip' onto the system until a fix is available. Using a blacklist mechanism will ensure the driver is not loaded at boot time and requires specific hardware (CANbus hardware), which is not in use on the system.
~~~
How do I blacklist a kernel module to prevent it from loading automatically?
https://access.redhat.com/solutions/41278
Comment 9 Rakesh 2020-08-27 06:28:08 UTC 
The "slcan" module is shipped by Red Hat from RHEL 7.3 onwards.
The "slcan" module can not be loaded on RHEL 7.2 and prior version.
"slcan" Utilities are missing in the lower version than  7.3.
 source for drivers/net/can/slcan.c or configuration CONFIG_CAN_SLCAN was not seen.
Can we say that RHEL 5 and 6 are unaffected by this flaw?