Bug 1888726 (CVE-2020-25656)

Summary: CVE-2020-25656 kernel: use-after-free in read in vt_do_kdgkb_ioctl
Product: [Other] Security Response Reporter: msiddiqu
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: acaringi, airlied, bhu, blc, bmasney, brdeoliv, bskeggs, dhoward, dramseur, dvlasenk, esammons, fhrbata, hdegoede, hkrzesin, iboverma, ichavero, itamar, jarodwilson, jeremy, jforbes, jglisse, jhunter, jlelli, john.j5live, jonathan, josef, jross, jshortt, jstancek, jwboyer, kcarcia, kernel-maint, kernel-mgr, kmitts, lgoncalv, linville, masami256, mchehab, mcressma, mgala, mjg59, mjudeiki, mlangsdo, nmurray, ptalbert, qzhao, rt-maint, rvrbovsk, security-response-team, steved, walters, williams
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: kernel 5.10-rc2 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Linux kernel. A use-after-free was found in the way the console subsystem was using ioctls KDGKBSENT and KDSKBSENT. A local user could use this flaw to get read memory access out of bounds. The highest threat from this vulnerability is to data confidentiality.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-03-16 19:19:06 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1896773, 1896774, 1896775, 1896776, 1896777, 1897134    
Bug Blocks: 1888621    

Description msiddiqu 2020-10-15 15:21:26 UTC 
A flaw was found in Linux Kernel, where a race in KDGKBSENT and KDSKBSENT leads to use-after-free read in vt_do_kdgkb_ioctl

References: 
 
https://groups.google.com/g/syzkaller-bugs/c/kZsmxkpq3UI/m/J35PFexWBgAJ?pli=1
Comment 1 msiddiqu 2020-10-19 04:37:37 UTC 
References:

https://www.openwall.com/lists/oss-security/2020/10/16/1
Comment 3 Alex 2020-11-11 13:30:18 UTC 
List of patches:

1. Older patches (already applied for 5.9 Kernel):
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/drivers/tty/vt/keyboard.c?id=6ca03f90527e499dd5e32d6522909e2ad390896b
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/drivers/tty/vt/keyboard.c?id=82e61c3909db51d91b9d3e2071557b6435018b80

2. Suggested patch for resolving issue:
https://lkml.org/lkml/2020/10/29/528
Comment 5 Alex 2020-11-11 14:13:51 UTC 
External References:

https://lkml.org/lkml/2020/10/29/528
https://lkml.org/lkml/2020/10/16/84
Comment 7 Petr Matousek 2020-11-12 12:11:09 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1897134]
Comment 8 Fedora Update System 2020-11-16 01:09:02 UTC 
FEDORA-2020-98ccae320c has been pushed to the Fedora 33 stable repository.
If problem still persists, please make note of it in this bug report.
Comment 9 Fedora Update System 2020-11-16 01:12:45 UTC 
FEDORA-2020-e211716d08 has been pushed to the Fedora 32 stable repository.
If problem still persists, please make note of it in this bug report.
Comment 10 Alex 2021-02-10 16:42:10 UTC 
Statement:

This issue is rated as having Moderate impact because of the attack scenario limitation where only local user with access to VT console if at least CAP_SYS_TTY_CONFIG enabled can trigger this issue.
Comment 11 Alex 2021-02-10 16:58:14 UTC 
For triggering the bug, user needs privileges. At least "CAP_SYS_TTY_CONFIG" needs to be enabled, but this is not the only precondition.
As far as I know, there is no known way today for triggering this until CONFIG_KASAN enabled (that is parameter for runtime memory debugger and usually disabled for production systems).
Means that if parameter CONFIG_KASAN not enabled for the kernel (for rhel* by default disabled), then the bug happens silently (without kernel crash) since read use-after-free usually not easily triggerable.
Comment 12 errata-xmlrpc 2021-03-16 13:51:03 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:0856 https://access.redhat.com/errata/RHSA-2021:0856
Comment 13 errata-xmlrpc 2021-03-16 13:52:07 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:0857 https://access.redhat.com/errata/RHSA-2021:0857
Comment 14 Product Security DevOps Team 2021-03-16 19:19:06 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-25656
Comment 15 errata-xmlrpc 2024-05-22 09:12:11 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:2950 https://access.redhat.com/errata/RHSA-2024:2950
Comment 16 errata-xmlrpc 2024-05-22 09:48:39 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:3138 https://access.redhat.com/errata/RHSA-2024:3138