Bug 1876788 (CVE-2020-14390)

Summary: CVE-2020-14390 kernel: out-of-bounds write in fbcon_redraw_softback
Product: [Other] Security Response Reporter: msiddiqu
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: acaringi, airlied, bhu, blc, bmasney, brdeoliv, bskeggs, dhoward, dvlasenk, esammons, fhrbata, hdegoede, hkrzesin, iboverma, ichavero, itamar, jarodwilson, jeremy, jforbes, jlelli, john.j5live, jonathan, josef, jross, jshortt, jstancek, jwboyer, kcarcia, kernel-maint, kernel-mgr, lgoncalv, linville, masami256, mchehab, mcressma, mjg59, mlangsdo, nmurray, ptalbert, qzhao, rt-maint, rvrbovsk, security-response-team, steved, williams
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Linux kernel 5.9-rc6 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Linux kernel. When changing screen size, an out-of-bounds memory write can occur leading to memory corruption or a denial of service. Due to the nature of the flaw, privilege escalation cannot be fully ruled out.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-11-07 11:16:04 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1879955, 1881438, 1881439, 1881440, 1881441, 1881442, 1881446, 1881447, 1881448, 1881449, 1881450    
Bug Blocks: 1876438    

Description msiddiqu 2020-09-08 07:43:51 UTC 
A vulnerability was found in Linux Kernel where the value of vc->vc_origin is not updated in time while invoking vc_do_resize, leading to out-of-bounds write in fbcon_redraw_softback.
Comment 2 Alex 2020-09-09 10:08:42 UTC 
Mitigation:

Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Comment 3 Alex 2020-09-09 10:26:28 UTC 
Acknowledgments:

Name: Yuan Ming (Tsinghua University)
Comment 4 Eric Christensen 2020-09-09 18:01:30 UTC 
Statement:

Due to this flaw requiring a local user to trigger by using frame buffer fbcon, the impact has been rated as Low.
Comment 6 msiddiqu 2020-09-16 11:26:03 UTC 
References: 
 
https://www.openwall.com/lists/oss-security/2020/09/15/2
https://seclists.org/oss-sec/2020/q3/174
Comment 7 msiddiqu 2020-09-17 12:41:47 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1879955]
Comment 8 Justin M. Forbes 2020-09-21 12:55:51 UTC 
This was fixed for Fedora with the 5.8.10 stable kernel updates.
Comment 23 Alex 2021-11-07 11:16:04 UTC 
Before closing, checked that for the rhel-9 fixed.