Bug 1738705 (CVE-2018-20856) - CVE-2018-20856 kernel: Use-after-free in __blk_drain_queue() function in block/blk-core.c
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2018-20856
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1738706 1739326 1739327 1739328 1739329 1739330 1753285 1781349 1781704 1781705 1781720 1781721 1781724 1791872 1791874 1791876 1791877
Blocks: 1738707
 
Reported: 2019-08-07 22:18 UTC by Pedro Sampaio
Modified: 2021-02-16 21:31 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2019-10-16 06:51:20 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:3176 0 None None None 2019-10-22 14:07:15 UTC
Red Hat Product Errata RHBA-2019:3184 0 None None None 2019-10-23 19:19:44 UTC
Red Hat Product Errata RHBA-2019:3185 0 None None None 2019-10-23 19:19:52 UTC
Red Hat Product Errata RHBA-2019:3288 0 None None None 2019-10-31 16:53:08 UTC
Red Hat Product Errata RHBA-2019:3879 0 None None None 2019-11-14 08:04:39 UTC
Red Hat Product Errata RHBA-2019:3880 0 None None None 2019-11-14 08:14:49 UTC
Red Hat Product Errata RHSA-2019:3055 0 None None None 2019-10-15 17:46:11 UTC
Red Hat Product Errata RHSA-2019:3076 0 None None None 2019-10-15 17:48:47 UTC
Red Hat Product Errata RHSA-2019:3089 0 None None None 2019-10-16 07:57:12 UTC
Red Hat Product Errata RHSA-2019:3217 0 None None None 2019-10-29 12:55:48 UTC
Red Hat Product Errata RHSA-2020:0100 0 None None None 2020-01-14 08:04:55 UTC
Red Hat Product Errata RHSA-2020:0103 0 None None None 2020-01-14 15:53:29 UTC
Red Hat Product Errata RHSA-2020:0543 0 None None None 2020-02-18 14:43:43 UTC
Red Hat Product Errata RHSA-2020:0664 0 None None None 2020-03-03 15:17:46 UTC
Red Hat Product Errata RHSA-2020:0698 0 None None None 2020-03-03 16:15:34 UTC

Description Pedro Sampaio 2019-08-07 22:18:16 UTC
A flaw was found in the Linux kernel's block driver implementation where a use-after-free condition could be triggered while draining the outstanding command queue in the system's block device subsystem.

A patient local attacker can use this flaw to corrupt memory, possibly crashing the system and possibly leading to privilege escalation.

https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.18.7
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=54648cf1ec2d7f4b6a71767799c45676a138ca24
https://github.com/torvalds/linux/commit/54648cf1ec2d7f4b6a71767799c45676a138ca24

Comment 1 Pedro Sampaio 2019-08-07 22:20:48 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1738706]

Comment 4 Justin M. Forbes 2019-08-08 09:25:52 UTC
This was fixed in Fedora with the 4.18.7 stable kernel update.

Comment 5 Wade Mealing 2019-08-09 01:22:49 UTC
This flaw is rated as important due to possible memory corruption or additional flow-on effects.

Comment 9 errata-xmlrpc 2019-10-15 17:46:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:3055 https://access.redhat.com/errata/RHSA-2019:3055

Comment 10 errata-xmlrpc 2019-10-15 17:48:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:3076 https://access.redhat.com/errata/RHSA-2019:3076

Comment 11 Product Security DevOps Team 2019-10-16 06:51:20 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-20856

Comment 12 errata-xmlrpc 2019-10-16 07:57:09 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:3089 https://access.redhat.com/errata/RHSA-2019:3089

Comment 15 errata-xmlrpc 2019-10-29 12:55:45 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:3217 https://access.redhat.com/errata/RHSA-2019:3217

Comment 23 errata-xmlrpc 2020-01-14 08:04:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise MRG 2

Via RHSA-2020:0100 https://access.redhat.com/errata/RHSA-2020:0100

Comment 24 errata-xmlrpc 2020-01-14 15:53:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Advanced Update Support
  Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.4 Telco Extended Update Support

Via RHSA-2020:0103 https://access.redhat.com/errata/RHSA-2020:0103

Comment 25 errata-xmlrpc 2020-02-18 14:43:40 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.5 Extended Update Support

Via RHSA-2020:0543 https://access.redhat.com/errata/RHSA-2020:0543

Comment 26 errata-xmlrpc 2020-03-03 15:17:43 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2020:0664 https://access.redhat.com/errata/RHSA-2020:0664

Comment 27 errata-xmlrpc 2020-03-03 16:15:32 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2020:0698 https://access.redhat.com/errata/RHSA-2020:0698

