Bug 1901709 (CVE-2020-27835)
| Summary: | CVE-2020-27835 kernel: child process is able to access parent mm through hfi dev file handle | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Dhananjay Arunesh <darunesh> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | acaringi, adscvr, airlied, bhu, blc, bmasney, brdeoliv, bskeggs, dhoward, dvlasenk, fhrbata, hdegoede, hkrzesin, itamar, jarodwilson, jeremy, jforbes, jglisse, jlelli, jonathan, josef, jshortt, jstancek, jwboyer, kcarcia, kernel-maint, kernel-mgr, lgoncalv, linville, masami256, mchehab, mlangsdo, nmurray, ptalbert, qzhao, rvrbovsk, security-response-team, steved, walters, williams |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | Linux kernel 5.10-rc6 | Doc Type: | If docs needed, set a value |
| Doc Text: | A use-after-free flaw was found in the Linux kernel InfiniBand hfi1 driver in the way a user calls ioctl after opening the dev file and forking. A local user could use this flaw to crash the system. | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2021-05-18 20:37:21 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1879586, 1906122, 1906123, 1906124, 1906125, 1906126, 1906127 | | |
| Bug Blocks: | 1887365 | | |

Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1906122]

This was fixed for Fedora with the 5.9.12 stable kernel updates.

Statement:

This flaw is rated as having a Moderate impact because the issue can only be triggered by an authorized local user with access to a system with specific hardware present.

Mitigation:

To mitigate this issue, prevent the module hfi1 from being loaded. Please see https://access.redhat.com/solutions/41278 for information on how to denylist a kernel module to prevent it from loading automatically.

This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2021:1578 https://access.redhat.com/errata/RHSA-2021:1578

This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2021:1739 https://access.redhat.com/errata/RHSA-2021:1739

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-27835

A vulnerability was found in the kernel's "Intel OPA Gen1 adapter" driver (CONFIG_INFINIBAND_HFI1). For kernel versions after these two commits, e0cf75deab81 ("IB/hfi1: Fix mm_struct use after free") and 3faa3d9a308e ("IB/hfi1: Make use of mm consistent"), there is a potential problem: if a child process with access to the parent's file handle calls an IOCTL, write, or close, the value of the mm will be that of the parent, not the child process. This can lead to a use-after-free security issue.
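
The mitigation above (keeping the hfi1 module from loading) can be audited with a check like the following. This is an added example, not part of the bug report or of Red Hat's tooling; the function names and sample files are constructed for illustration, while `blacklist` and `install` are standard modprobe.d directives.

```shell
#!/bin/sh
# Added example: audit the hfi1 denylist. Paths are parameters so the check
# runs on constructed samples; on a host pass /etc/modprobe.d and /proc/modules.
MODULE=hfi1

# True if any *.conf in directory $1 has a non-comment line matching ERE $2.
conf_has() {
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        if grep -v '^[[:space:]]*#' "$f" | grep -Eq "$2"; then return 0; fi
    done
    return 1
}

# Print the denylist state for modprobe.d directory $1:
#   blocked        an "install hfi1 /bin/false" (or /bin/true) line exists, so
#                  modprobe runs that command instead of loading the module
#   autoload-only  only "blacklist hfi1": alias-based autoload is off, but an
#                  explicit modprobe or a module dependency can still load it
#   absent         no entry for the module
denylist_state() {
    s='[[:space:]]'
    if conf_has "$1" "^$s*install$s+${MODULE}$s+/bin/(false|true)($s|\$)"; then
        echo blocked
    elif conf_has "$1" "^$s*blacklist$s+${MODULE}($s|\$)"; then
        echo autoload-only
    else
        echo absent
    fi
}

# Return 0 if the module is listed in the /proc/modules-format file $1.
module_loaded() {
    grep -q "^${MODULE} " "$1"
}

# Demo on constructed sample data (not taken from a real host).
demo() {
    d=$(mktemp -d)
    printf 'blacklist hfi1\n' > "$d/hfi1.conf"
    printf 'hfi1 1236992 0 - Live 0x0000000000000000\n' > "$d/modules"
    echo "denylist state: $(denylist_state "$d")"
    if module_loaded "$d/modules"; then
        echo "hfi1 is loaded; a denylist entry does not unload it"
    fi
    rm -rf "$d"
}
demo
```

A result of `autoload-only` means the mitigation is only partly in place, and a module that is already loaded stays loaded until it is removed or the system reboots.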