Bug 1802563 (CVE-2020-8647) - CVE-2020-8647 kernel: out-of-bounds read in in vc_do_resize function in drivers/tty/vt/vt.c
Summary: CVE-2020-8647 kernel: out-of-bounds read in in vc_do_resize function in drive...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-8647
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1802564 1817838 1817839 1817840 1817841 1817842 1818730 1818732 1818733 1818735
Blocks: 1802567
TreeView+ depends on / blocked
 
Reported: 2020-02-13 12:04 UTC by Dhananjay Arunesh
Modified: 2021-02-16 20:34 UTC (History)
46 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Linux kernel’s virtual console resize functionality. An attacker with local access to virtual consoles can use the virtual console resizing code to gather kernel internal data structures.
Clone Of:
Environment:
Last Closed: 2020-09-29 21:59:51 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2020:4416 0 None None None 2020-10-29 15:10:09 UTC
Red Hat Product Errata RHBA-2020:4417 0 None None None 2020-10-29 15:08:40 UTC
Red Hat Product Errata RHBA-2020:4418 0 None None None 2020-10-29 15:14:06 UTC
Red Hat Product Errata RHBA-2020:4419 0 None None None 2020-10-29 15:12:31 UTC
Red Hat Product Errata RHBA-2020:4420 0 None None None 2020-10-29 15:51:26 UTC
Red Hat Product Errata RHSA-2020:4060 0 None None None 2020-09-29 20:53:17 UTC
Red Hat Product Errata RHSA-2020:4062 0 None None None 2020-09-29 18:59:16 UTC
Red Hat Product Errata RHSA-2020:4431 0 None None None 2020-11-04 00:50:35 UTC
Red Hat Product Errata RHSA-2020:4609 0 None None None 2020-11-04 02:22:44 UTC

Description Dhananjay Arunesh 2020-02-13 12:04:10 UTC
An out of bounds read vulnerability in the virtual console/virtual terminal resize functionality.  An attacker with a local account can use the resize functionality to possibly leak kernel internal information to the local console which may be captured for use in a further attack to increase the reliability and successfulness of the next attack.


Reference:
Kernel Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=206359
Proposed patch: https://lkml.org/lkml/2020/3/1/415

Comment 1 Dhananjay Arunesh 2020-02-13 12:04:57 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1802564]

Comment 2 Justin M. Forbes 2020-03-20 15:46:34 UTC
This issue was fixed for Fedora with the 5.5.9 stable kernel updates.

Comment 10 Wade Mealing 2020-03-30 01:41:45 UTC
Mitigation:

The attack vector can be significantly reduced by preventing users from being able to log into the local virtual console.

See the instructions on disabling local login here: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/pam_configuration_files , See the section on "pam_console" to deny users logging into the console.  This mechanism should work from el6 forward to current versions of Red Hat Enterprise Linux.

Comment 11 Petr Matousek 2020-04-03 04:52:00 UTC
Statement:

This flaw is rated as having Moderate impact because the information leak is limited.

Comment 12 errata-xmlrpc 2020-09-29 18:59:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:4062 https://access.redhat.com/errata/RHSA-2020:4062

Comment 13 errata-xmlrpc 2020-09-29 20:53:13 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:4060 https://access.redhat.com/errata/RHSA-2020:4060

Comment 14 Product Security DevOps Team 2020-09-29 21:59:51 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-8647

Comment 30 errata-xmlrpc 2020-11-04 00:50:32 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4431 https://access.redhat.com/errata/RHSA-2020:4431

Comment 31 errata-xmlrpc 2020-11-04 02:22:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4609 https://access.redhat.com/errata/RHSA-2020:4609


Note You need to log in before you can comment on or make changes to this bug.