Bug 1707796 (CVE-2018-20836) - CVE-2018-20836 kernel: race condition in smp_task_timedout() and smp_task_done() in drivers/scsi/libsas/sas_expander.c leads to use-after-free
Status: CLOSED ERRATA
Alias: CVE-2018-20836
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 1796288 1796289 1796290 1796291 1796292 1796293 1796294 1796295 1796296 1796297 1796298 1796299 1796300 1796301 1796302 1796304 1796305 1796311 1796316 1796700 1796701 1796702 1796703 1796704 1798260 1798261 1798262 1798263 1798264 1798265 1888694 1895462 1895463
Blocks: 1707797
Reported: 2019-05-08 11:43 UTC by msiddiqu
Modified: 2024-03-25 15:17 UTC

Doc Text:
A flaw was found in the Linux kernel’s implementation of the SAS expander subsystem, where a race condition exists in the smp_task_timedout() and smp_task_done() functions in drivers/scsi/libsas/sas_expander.c. An attacker could abuse this flaw to corrupt memory and escalate privileges.
Last Closed: 2020-09-29 21:57:50 UTC


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2020:4416 0 None None None 2020-10-29 15:09:01 UTC
Red Hat Product Errata RHBA-2020:4417 0 None None None 2020-10-29 15:07:35 UTC
Red Hat Product Errata RHBA-2020:4418 0 None None None 2020-10-29 15:12:55 UTC
Red Hat Product Errata RHBA-2020:4419 0 None None None 2020-10-29 15:11:48 UTC
Red Hat Product Errata RHBA-2020:4420 0 None None None 2020-10-29 15:50:34 UTC
Red Hat Product Errata RHSA-2020:4060 0 None None None 2020-09-29 20:51:04 UTC
Red Hat Product Errata RHSA-2020:4062 0 None None None 2020-09-29 18:57:41 UTC
Red Hat Product Errata RHSA-2020:5656 0 None None None 2020-12-22 09:31:42 UTC
Red Hat Product Errata RHSA-2021:0019 0 None None None 2021-01-05 10:20:30 UTC

Description msiddiqu 2019-05-08 11:43:43 UTC
An issue was discovered in the Linux kernel's implementation of SAS expander functionality. A race condition in smp_task_timedout() and smp_task_done() in drivers/scsi/libsas/sas_expander.c could allow an attacker who is able to issue SAS commands to create a condition where it could be manipulated into a use-after-free scenario, allowing for memory corruption or possibly privilege escalation.

Upstream patch:

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=b90cd6f2b905905fb42671009dc0e27c310a16ae
https://github.com/torvalds/linux/commit/b90cd6f2b905905fb42671009dc0e27c310a16ae

Comment 18 errata-xmlrpc 2020-09-29 18:57:36 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:4062 https://access.redhat.com/errata/RHSA-2020:4062

Comment 19 errata-xmlrpc 2020-09-29 20:51:06 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:4060 https://access.redhat.com/errata/RHSA-2020:4060

Comment 20 Product Security DevOps Team 2020-09-29 21:57:50 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-20836

Comment 38 errata-xmlrpc 2020-12-22 09:31:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2020:5656 https://access.redhat.com/errata/RHSA-2020:5656

Comment 40 errata-xmlrpc 2021-01-05 10:20:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Extended Update Support

Via RHSA-2021:0019 https://access.redhat.com/errata/RHSA-2021:0019

