Bug 1884341 (CVE-2020-25221)

Summary: CVE-2020-25221 kernel: incorrect vsyscall page reference counting in get_gate_page function in mm/gup.c
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: acaringi, airlied, bhu, blc, bmasney, brdeoliv, bskeggs, dhoward, dvlasenk, esammons, fhrbata, hdegoede, hkrzesin, iboverma, ichavero, itamar, jarodwilson, jeremy, jforbes, jglisse, jlelli, john.j5live, jonathan, josef, jross, jshortt, jstancek, jwboyer, kcarcia, kernel-maint, kernel-mgr, lgoncalv, linville, masami256, mchehab, mcressma, mjg59, mlangsdo, nmurray, ptalbert, qzhao, rt-maint, rvrbovsk, steved, williams
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the get_gate_page in mm/gup.c in the Linux kernel, where it allows privilege escalation due to incorrect reference counting (caused by gate page mishandling) of the struct page that backs the vsyscall page. The result is a refcount underflow. This flaw is triggered by any 64-bit process that can use ptrace() or process_vm_readv(). The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-10-20 08:21:14 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1884342
Bug Blocks: 1884343

Description Guilherme de Almeida Suckevicz 2020-10-01 18:00:34 UTC
get_gate_page in mm/gup.c in the Linux kernel 5.7.x and 5.8.x before 5.8.7 allows privilege escalation because of incorrect reference counting (caused by gate page mishandling) of the struct page that backs the vsyscall page. The result is a refcount underflow. This can be triggered by any 64-bit process that can use ptrace() or process_vm_readv().


References:
https://www.openwall.com/lists/oss-security/2020/09/08/4
https://www.openwall.com/lists/oss-security/2020/09/10/4

Upstream patches:
https://git.kernel.org/linus/8891adc61dce2a8a41fc0c23262b681c3ec4b73a
https://git.kernel.org/linus/9fa2dd946743ae6f30dc4830da19147bf100a7f2

Comment 1 Guilherme de Almeida Suckevicz 2020-10-01 18:02:03 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1884342]

Comment 2 Justin M. Forbes 2020-10-02 12:33:43 UTC
This was fixed for Fedora with the 5.8.7 stable kernel updates.

Comment 6 Alex 2020-10-08 21:18:28 UTC
Mitigation:

The issue is relevant starting from kernel v5.6, and it is possible to prevent the issue from triggering by booting with vsyscall=xonly or vsyscall=none.
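
As an added check (not part of this bug report or its comments), a small POSIX shell helper that reports the effective vsyscall mode, so an administrator can confirm that the vsyscall=xonly or vsyscall=none boot setting above actually took effect on a host. It assumes the usual way the kernel exposes the mode in /proc/<pid>/maps: the [vsyscall] entry is r-xp under emulate, --xp under xonly, and absent under none.

```shell
#!/bin/sh
# Added audit helper: determine the vsyscall mode from the kernel command
# line and, more reliably, from the live process map. Assumption: the
# [vsyscall] mapping is "r-xp" (emulate), "--xp" (xonly) or absent (none).

# Print the vsyscall= value found in a kernel command line, or "unset".
vsyscall_mode_from_cmdline() {
    mode=unset
    for tok in $1; do
        case $tok in
            vsyscall=*) mode=${tok#vsyscall=} ;;
        esac
    done
    printf '%s\n' "$mode"
}

# Read /proc/<pid>/maps content on stdin and print the effective mode.
vsyscall_mode_from_maps() {
    line=$(grep '\[vsyscall\]' | head -n 1)
    if [ -z "$line" ]; then
        printf 'none\n'      # no mapping at all: vsyscall=none
        return
    fi
    set -- $line             # split the maps line; field 2 is the perms
    case $2 in
        r-x*) printf 'emulate\n' ;;
        --x*) printf 'xonly\n' ;;
        *)    printf 'unknown\n' ;;
    esac
}

# Exit 0 only for the two settings the mitigation calls for.
vsyscall_mitigated() {
    case $1 in
        xonly|none) return 0 ;;
        *) return 1 ;;
    esac
}

# Live report when run directly on a host (the test uses constructed lines).
if [ -r /proc/self/maps ] && [ -r /proc/cmdline ]; then
    echo "cmdline vsyscall=: $(vsyscall_mode_from_cmdline "$(cat /proc/cmdline)")"
    live=$(vsyscall_mode_from_maps < /proc/self/maps)
    echo "effective vsyscall mode: $live"
    vsyscall_mitigated "$live" && echo "mitigation in effect" || echo "NOT mitigated"
fi
```

The effective mode from the maps file is the authoritative one; the cmdline parser only tells you what was requested at boot.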

Comment 7 Product Security DevOps Team 2020-10-20 08:21:14 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-25221