Bug 1920480 (CVE-2020-0466)

Summary: CVE-2020-0466 kernel: use after free in eventpoll.c may lead to escalation of privilege
Product: [Other] Security Response
Reporter: Marian Rehak <mrehak>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: acaringi, adscvr, airlied, alciregi, asavkov, bhu, blc, bmasney, brdeoliv, bskeggs, chwhite, crwood, dhoward, dramseur, dvlasenk, eshatokhin, fhrbata, hannsj_uhl, hdegoede, hkrzesin, itamar, jarodwilson, jeremy, jforbes, jglisse, jhunter, jlelli, joe.lawrence, jonathan, josef, jpoimboe, jshortt, jstancek, jwboyer, kcarcia, kernel-maint, kernel-mgr, kmitts, kpatch-maint, lgoncalv, linville, masami256, mchehab, mgala, mjudeiki, mlangsdo, nmurray, pmatouse, ptalbert, qzhao, rhandlin, rvrbovsk, steved, walters, williams, xzhou, ycote, yozone
Keywords: Reopened, Security
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: kernel-rt-3.10.0-1160.57.1.rt56.1198.el7
Doc Text:
A flaw was found in the Linux kernel. A logic error in eventpoll.c can cause a use-after-free, leading to a local escalation of privilege with no additional execution privileges. User interaction is not needed for exploitation. The highest threat from this vulnerability is to confidentiality, integrity as well as system availability.
Last Closed: 2022-02-02 14:00:53 UTC
Bug Depends On: 1921706, 1920484, 1920773, 1920774, 1920775, 1920776, 1920777, 1920778, 1920779, 1920780, 1920781, 1920782, 1920783, 1920784, 1920785, 1921707, 2042756, 2042757, 2042758, 2042759, 2042760, 2042761, 2042762, 2042763, 2042764, 2042765, 2042766, 2044812    
Bug Blocks: 1920486    

Description Marian Rehak 2021-01-26 11:46:58 UTC
In do_epoll_ctl and ep_loop_check_proc of eventpoll.c, there is a possible use after free due to a logic error. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Reference:

 https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a9ed4a6560b8562b7e2e2bed9527e88001f7b682
 https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=52c479697c9b73f628140dcdfcd39ea302d05482

Comment 1 Marian Rehak 2021-01-26 11:50:28 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1920484]

Comment 2 Justin M. Forbes 2021-01-26 20:09:24 UTC
This was fixed for Fedora with the 5.7.18 stable kernel updates.

Comment 6 Wade Mealing 2021-01-27 02:19:40 UTC
Mitigation:

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Comment 13 errata-xmlrpc 2021-04-06 13:58:09 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:1081 https://access.redhat.com/errata/RHSA-2021:1081

Comment 14 errata-xmlrpc 2021-04-06 14:17:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:1093 https://access.redhat.com/errata/RHSA-2021:1093

Comment 15 Product Security DevOps Team 2021-04-06 17:35:22 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-0466

Comment 16 errata-xmlrpc 2021-05-25 06:43:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2021:2099 https://access.redhat.com/errata/RHSA-2021:2099

Comment 17 errata-xmlrpc 2021-05-25 15:53:59 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2021:2106 https://access.redhat.com/errata/RHSA-2021:2106

Comment 18 errata-xmlrpc 2021-06-01 09:39:58 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:2167 https://access.redhat.com/errata/RHSA-2021:2167

Comment 19 errata-xmlrpc 2021-06-01 16:03:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:2190 https://access.redhat.com/errata/RHSA-2021:2190

Comment 20 errata-xmlrpc 2021-06-02 00:46:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:2185 https://access.redhat.com/errata/RHSA-2021:2185

Comment 23 Product Security DevOps Team 2022-02-02 14:00:48 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-0466

Comment 24 errata-xmlrpc 2022-02-15 09:23:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.3 Advanced Update Support

Via RHSA-2022:0529 https://access.redhat.com/errata/RHSA-2022:0529

Comment 25 errata-xmlrpc 2022-02-15 09:47:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Update Services for SAP Solutions

Via RHSA-2022:0533 https://access.redhat.com/errata/RHSA-2022:0533

Comment 26 errata-xmlrpc 2022-02-15 10:37:17 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Advanced Update Support
  Red Hat Enterprise Linux 7.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.6 Telco Extended Update Support

Via RHSA-2022:0531 https://access.redhat.com/errata/RHSA-2022:0531

Comment 28 errata-xmlrpc 2022-02-22 09:12:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2022:0592 https://access.redhat.com/errata/RHSA-2022:0592

Comment 29 errata-xmlrpc 2022-02-22 16:57:42 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2022:0620 https://access.redhat.com/errata/RHSA-2022:0620

Comment 30 errata-xmlrpc 2022-02-22 17:00:18 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2022:0622 https://access.redhat.com/errata/RHSA-2022:0622

Comment 31 errata-xmlrpc 2022-03-01 12:44:48 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Advanced Update Support
  Red Hat Enterprise Linux 7.7 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.7 Telco Extended Update Support

Via RHSA-2022:0712 https://access.redhat.com/errata/RHSA-2022:0712

Comment 32 errata-xmlrpc 2022-03-01 12:47:17 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Update Services for SAP Solutions

Via RHSA-2022:0718 https://access.redhat.com/errata/RHSA-2022:0718

Comment 33 errata-xmlrpc 2022-03-29 08:50:45 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Advanced Update Support

Via RHSA-2022:1104 https://access.redhat.com/errata/RHSA-2022:1104

Comment 34 errata-xmlrpc 2022-04-19 16:11:29 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6 Extended Lifecycle Support

Via RHSA-2022:1417 https://access.redhat.com/errata/RHSA-2022:1417