1805922 – (CVE-2020-8991) CVE-2020-8991 lvm2: memory leak in vg_lookup in daemons/lvmetad/lvmetad-core.c

Bug 1805922 (CVE-2020-8991) - CVE-2020-8991 lvm2: memory leak in vg_lookup in daemons/lvmetad/lvmetad-core.c

Summary: CVE-2020-8991 lvm2: memory leak in vg_lookup in daemons/lvmetad/lvmetad-core.c

Keywords:
Status:	CLOSED WONTFIX
Alias:	CVE-2020-8991
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1805925 1809324
Blocks:	1805924
TreeView+	depends on / blocked

Reported:	2020-02-21 17:31 UTC by Guilherme de Almeida Suckevicz
Modified:	2021-11-01 17:40 UTC (History)
CC List:	15 users (show)
Fixed In Version:	lvm2-2.02-stable
Clone Of:
Environment:
Last Closed:	2021-11-01 17:40:24 UTC
Embargoed:

Attachments	(Terms of Use)

Description Guilherme de Almeida Suckevicz 2020-02-21 17:31:38 UTC

vg_lookup in daemons/lvmetad/lvmetad-core.c in LVM2 2.02 mismanages memory, leading to an lvmetad memory leak, as demonstrated by running pvs.

Reference and upstream commit:
https://sourceware.org/git/?p=lvm2.git;a=commit;h=bcf9556b8fcd16ad8997f80cc92785f295c66701

Comment 1 Guilherme de Almeida Suckevicz 2020-02-21 17:32:44 UTC

Created lvm2 tracking bugs for this issue:

Affects: fedora-all [bug 1805925]

Comment 2 Alasdair Kergon 2020-02-24 14:25:24 UTC

Please can someone ask the person who granted the CVE to update the description to provide a detailed explanation of the vulnerability?

The current description does not tell me anything useful.

lvmetad is a non-critical optional system component that caches metadata to assist LVM commands run by the root user.

The daemon is not supposed to be network-accessible so what has been found that counts as 'AV:N' (network attack vector)?

Only local root users can communicate with it in its standard configuration, so what has been found that counts as PR:N (no privilege required)?

Without additional information to fill the gaps, then I believe the CVE classification for this bug was a mistake and should be withdrawn.

Comment 3 Alasdair Kergon 2020-02-24 16:08:41 UTC

I would challenge 'A:H' (high impact on availability) too.  The system's I/O flows through device-mapper not lvm2.  The role of lvm2 is to change the configuration of those device-mapper I/O flows and, as lvmetad is an optional caching layer within lvm2, you (and the system) are always free to kill or disable or bypass it with minimal impact.

Comment 4 Guilherme de Almeida Suckevicz 2020-02-26 20:06:15 UTC

I couldn't find who assigned this CVE, probably was Mitre itself by someone's request trough their web form.
The CVSS score was set by NVD and they assume the worst case scenario, after analysis our team can (and probably will) send a request for a rescore.
If you want to contest an already public CVE, you can contact Mitre using this link[1], and choose the "request an update", then "rejection" type.

[1]. https://cveform.mitre.org/

Comment 7 Marco Benatto 2020-03-03 13:08:49 UTC

Statement:

The lvm2 package as shipped with Red Hat Enterprise Linux 8 is not affected as it doesn't contains the affected component (lvmetad).

Comment 10 Alasdair Kergon 2020-03-03 22:34:07 UTC

(In reply to Guilherme de Almeida Suckevicz from comment #4)
> If you want to contest an already public CVE, you can contact Mitre using
> this link[1], and choose the "request an update", then "rejection" type.
> [1]. https://cveform.mitre.org/

I have submitted such a response.

Comment 12 Alasdair Kergon 2020-03-06 20:57:49 UTC

Mitre has marked it as disputed in response to my submissions:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8991

If anyone does possess information about why this should still count as a vulnerability, please make this known.

Note You need to log in before you can comment on or make changes to this bug.