There was a use-after-free problem seen due to a race condition between the release of ptp_clock and cdev at the time of resource deallocation. When a (high privileged) process allocates a ptp device file (like /dev/ptpX) and voluntarily goes to sleep. During this time if the underlying device is removed (a potential privilege escalation) by the user with administrator privilege, it can cause a denial of service (DoS) problem as the process wakes up to terminate and cleanup all attached files/resources. The system crashes due to the cdev structure being invalid (as already freed) which is pointed to by the inode. Refer: https://lore.kernel.org/linux-fsdevel/20191125125342.6189-1-vdronov@redhat.com/T/#u
Mitigation: Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1826223]
Statement: This issue is rated as having Low impact as there is a need for high privilege access to trigger this problem. This will need an access to /dev/ptpX which is privileged operation, also removing the module is needed (again, privileged operation).
Hi Rohit, It looks RHEL7 has fixed this issue in bug 1774657. RHEL8 has fixed it in bug 1787568. Should we close the RHEL7/8's CVE tracker bug 1817354, bug 1817355? Thanks Hangbin
This was fixed for Fedora with the 5.4.8 stable kernel updates.
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:4062 https://access.redhat.com/errata/RHSA-2020:4062
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:4060 https://access.redhat.com/errata/RHSA-2020:4060
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-10690