Bug 1974319 (CVE-2020-36385)

Summary: CVE-2020-36385 kernel: use-after-free in drivers/infiniband/core/ucma.c ctx use-after-free
Product: [Other] Security Response Reporter: Marian Rehak <mrehak>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: acaringi, adscvr, airlied, alciregi, asavkov, bhu, blc, brdeoliv, bskeggs, chwhite, dblechte, dfediuck, dhoward, dvlasenk, eedri, fhrbata, fpacheco, hdegoede, hkrzesin, honli, jarod, jarodwilson, jeremy, jforbes, jlelli, joe.lawrence, jonathan, josef, jpoimboe, jshortt, jstancek, jthierry, jwboyer, kcarcia, kernel-maint, kernel-mgr, kpatch-maint, lgoncalv, linville, masami256, mchehab, mgoldboi, michal.skrivanek, mlangsdo, mvanderw, nmurray, nobody, ptalbert, qzhao, rhandlin, rvrbovsk, sbonazzo, sherold, steved, swood, walters, wcosta, williams, wmealing, ycote, yozone, yturgema
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: kernel 5.10 Doc Type: If docs needed, set a value
Doc Text:
An issue was discovered in the Linux kernels Userspace Connection Manager Access for RDMA. This could allow a local attacker to crash the system, corrupt memory or escalate privileges.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-26 08:08:01 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1978244, 1978062, 1978063, 1978064, 1978065, 1978066, 1978067, 1978068, 1978069, 1978070, 1978071, 1978072, 1978073, 1978074, 1978075, 1978077, 1978108, 1978243, 1978245, 1978246, 1978519, 1981701, 1981702, 1981703, 1981704, 1981705, 1981706, 1982040, 1982041    
Bug Blocks: 1974320    

Description Marian Rehak 2021-06-21 11:17:56 UTC 
An issue was discovered in the Linux kernels  Userspace Connection Manager Access for RDMA.  The UCMA has a use-after-free condition, when the end of ctx is reached via the ctx_list in some  situations in ucma_migrate_id where ucma_close is called.  This could allow a local attacker to crash the system when using a crafted attack.


External Reference:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f5449e74802c1112dea984aec8af7a33c4516af1
Comment 3 Wade Mealing 2021-07-01 05:39:41 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1978069]
Comment 8 Justin M. Forbes 2021-07-01 13:47:54 UTC 
This was fixed for Fedora with the 5.10.x kernel rebases.
Comment 15 Wade Mealing 2021-07-14 04:47:58 UTC 
Trackers made.
Comment 17 errata-xmlrpc 2021-10-26 07:38:00 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Advanced Update Support
  Red Hat Enterprise Linux 7.7 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.7 Telco Extended Update Support

Via RHSA-2021:3987 https://access.redhat.com/errata/RHSA-2021:3987
Comment 18 Product Security DevOps Team 2021-10-26 08:08:01 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-36385
Comment 19 errata-xmlrpc 2021-11-02 08:42:55 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4056 https://access.redhat.com/errata/RHSA-2021:4056
Comment 20 errata-xmlrpc 2021-11-02 09:52:17 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4088 https://access.redhat.com/errata/RHSA-2021:4088
Comment 21 errata-xmlrpc 2021-11-03 16:12:51 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4122 https://access.redhat.com/errata/RHSA-2021:4122
Comment 22 errata-xmlrpc 2021-11-10 09:11:48 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2021:4597 https://access.redhat.com/errata/RHSA-2021:4597
Comment 23 errata-xmlrpc 2021-11-16 08:10:27 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2021:4687 https://access.redhat.com/errata/RHSA-2021:4687
Comment 24 errata-xmlrpc 2021-11-16 10:47:51 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Advanced Update Support

Via RHSA-2021:4692 https://access.redhat.com/errata/RHSA-2021:4692
Comment 25 errata-xmlrpc 2021-11-23 10:57:57 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.3 Advanced Update Support

Via RHSA-2021:4768 https://access.redhat.com/errata/RHSA-2021:4768
Comment 26 errata-xmlrpc 2021-11-23 12:45:45 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Advanced Update Support
  Red Hat Enterprise Linux 7.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.6 Telco Extended Update Support

Via RHSA-2021:4770 https://access.redhat.com/errata/RHSA-2021:4770
Comment 27 errata-xmlrpc 2021-11-23 14:33:36 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Update Services for SAP Solutions

Via RHSA-2021:4773 https://access.redhat.com/errata/RHSA-2021:4773
Comment 28 errata-xmlrpc 2021-11-23 15:09:05 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.2 Advanced Update Support

Via RHSA-2021:4774 https://access.redhat.com/errata/RHSA-2021:4774
Comment 29 errata-xmlrpc 2021-11-23 15:56:16 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:4798 https://access.redhat.com/errata/RHSA-2021:4798
Comment 31 errata-xmlrpc 2021-11-23 17:13:25 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:4777 https://access.redhat.com/errata/RHSA-2021:4777
Comment 32 errata-xmlrpc 2021-11-23 17:13:59 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:4779 https://access.redhat.com/errata/RHSA-2021:4779
Comment 33 errata-xmlrpc 2021-11-30 14:23:47 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:4859 https://access.redhat.com/errata/RHSA-2021:4859
Comment 34 errata-xmlrpc 2021-11-30 15:36:20 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:4875 https://access.redhat.com/errata/RHSA-2021:4875
Comment 35 errata-xmlrpc 2021-11-30 15:52:43 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:4871 https://access.redhat.com/errata/RHSA-2021:4871
Comment 36 errata-xmlrpc 2021-12-07 08:32:00 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Update Services for SAP Solutions

Via RHSA-2021:4971 https://access.redhat.com/errata/RHSA-2021:4971
Comment 37 errata-xmlrpc 2021-12-08 18:28:54 UTC 
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7

Via RHSA-2021:5035 https://access.redhat.com/errata/RHSA-2021:5035
Comment 38 errata-xmlrpc 2022-01-18 08:47:44 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6 Extended Lifecycle Support

Via RHSA-2022:0157 https://access.redhat.com/errata/RHSA-2022:0157