Bug 1949560 (CVE-2020-36322)
| Summary: | CVE-2020-36322 kernel: fuse: fuse_do_getattr() calls make_bad_inode() in inappropriate situations | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Guilherme de Almeida Suckevicz <gsuckevi> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | acaringi, adscvr, airlied, alciregi, allarkin, bdettelb, bhu, blc, bmasney, brdeoliv, bskeggs, chwhite, crwood, dhoward, dvlasenk, fhrbata, fpacheco, hdegoede, hkrzesin, jarodwilson, jeremy, jforbes, jglisse, jlelli, jonathan, josef, jpazdziora, jshortt, jstancek, jwboyer, kcarcia, kernel-maint, kernel-mgr, lgoncalv, linville, masami256, mchehab, mlangsdo, nmurray, ptalbert, qzhao, rkeshri, rvrbovsk, steved, tomckay, walters, wcosta, williams |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Linux kernel 5.11-rc1 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A denial of service flaw was found in fuse_do_getattr in fs/fuse/dir.c in the kernel side of the FUSE filesystem in the Linux kernel. A local user could use this flaw to crash the system.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-05-18 20:38:49 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1906908, 1949561, 1952046, 1952047, 1952048, 1953500, 1953501, 1953502, 1953503, 2015843, 2015976 | ||
| Bug Blocks: | 1949562 | ||
|
Description
Guilherme de Almeida Suckevicz
2021-04-14 14:38:00 UTC
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1949561] This was fixed for Fedora with the 5.10.6 stable kernel updates. Mitigation: As the FUSE module will be auto-loaded when required, its use can be disabled by preventing the module from loading with the following instructions: # echo "install fuse /bin/true" >> /etc/modprobe.d/disable-fuse.conf The system will need to be restarted if the FUSE modules are loaded. In most circumstances, the CIFS kernel modules will be unable to be unloaded while the FUSE filesystems are in use. If the system requires this module to work correctly, this mitigation may not be suitable. If you need further assistance, see KCS article https://access.redhat.com/solutions/41278 or contact Red Hat Global Support Services. External References: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=5d069dbe8aaf2a197142558b6fb2978189ba3454 Statement: This issue affected Linux kernel versions as shipped with Red Hat Enterprise Linux from 8.3 and prior the versions. RHEL 8.4 and later versions are not affected. This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:1578 https://access.redhat.com/errata/RHSA-2021:1578 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-36322 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Extended Update Support Via RHSA-2022:0078 https://access.redhat.com/errata/RHSA-2022:0078 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Extended Update Support Via RHSA-2022:0072 https://access.redhat.com/errata/RHSA-2022:0072 This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2022:0063 https://access.redhat.com/errata/RHSA-2022:0063 This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2022:0065 https://access.redhat.com/errata/RHSA-2022:0065 |