Bug 1842525 (CVE-2020-10757) - CVE-2020-10757 kernel: kernel: DAX hugepages not considered during mremap
Summary: CVE-2020-10757 kernel: kernel: DAX hugepages not considered during mremap
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-10757
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1843435 1843437 1843441 1843443 1843445 1843448 1843429 1843430 1843431 1843432 1843433 1843434 1843436 1843438 1843439 1843440 1843442 1843444 1843446 1843447 1843883
Blocks: 1842526
TreeView+ depends on / blocked
 
Reported: 2020-06-01 13:11 UTC by Pedro Sampaio
Modified: 2020-07-30 14:36 UTC (History)
52 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the way mremap handled DAX Huge Pages. This flaw allows a local attacker with access to a DAX enabled storage to escalate their privileges on the system.
Clone Of:
Environment:
Last Closed: 2020-07-21 13:28:00 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2020:3086 None None None 2020-07-22 01:04:37 UTC
Red Hat Product Errata RHBA-2020:3235 None None None 2020-07-30 01:09:55 UTC
Red Hat Product Errata RHBA-2020:3236 None None None 2020-07-30 02:11:43 UTC
Red Hat Product Errata RHBA-2020:3249 None None None 2020-07-30 14:36:54 UTC
Red Hat Product Errata RHSA-2020:3010 None None None 2020-07-21 11:05:28 UTC
Red Hat Product Errata RHSA-2020:3016 None None None 2020-07-21 11:23:39 UTC
Red Hat Product Errata RHSA-2020:3041 None None None 2020-07-21 14:32:39 UTC
Red Hat Product Errata RHSA-2020:3220 None None None 2020-07-29 18:19:09 UTC
Red Hat Product Errata RHSA-2020:3221 None None None 2020-07-29 18:19:54 UTC
Red Hat Product Errata RHSA-2020:3222 None None None 2020-07-29 19:37:29 UTC
Red Hat Product Errata RHSA-2020:3226 None None None 2020-07-29 20:47:05 UTC

Description Pedro Sampaio 2020-06-01 13:11:58 UTC
A flaw was found in the way mremap handled DAX hugepages. A local attacker could use this flaw to escalate their privileges on the system by being able to control PTEs and effectively creating physical to virtual mappings at will.

Comment 1 Petr Matousek 2020-06-03 09:54:57 UTC
Acknowledgments:

Name: Fan Yang

Comment 8 Petr Matousek 2020-06-04 07:48:24 UTC
Mitigation:

Do use DAX enabled storage.

Comment 10 Petr Matousek 2020-06-04 11:32:11 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1843883]

Comment 16 Petr Matousek 2020-06-23 10:57:02 UTC
Statement:

This issue requires access to a DAX enabled storage.

This issue affects Red Hat Enterprise Linux 7 kernels starting with kernel-3.10.0-862, that is Red Hat Enterprise Linux 7.5 GA kernel. Red Hat Enterprise Linux 7 kernels prior to that version are not affected as they did not include the functionality that enabled this issue to be exploited.

Red Hat Product Security is aware of this issue. Updates will be released as they become available.

Comment 18 errata-xmlrpc 2020-07-21 11:05:20 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:3010 https://access.redhat.com/errata/RHSA-2020:3010

Comment 19 errata-xmlrpc 2020-07-21 11:23:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:3016 https://access.redhat.com/errata/RHSA-2020:3016

Comment 20 Product Security DevOps Team 2020-07-21 13:28:00 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-10757

Comment 21 errata-xmlrpc 2020-07-21 14:32:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:3041 https://access.redhat.com/errata/RHSA-2020:3041

Comment 22 Chuck Svoboda 2020-07-21 15:33:26 UTC
Why is RHEL7 not patched?  FWIW, OEL7 is patched.

Comment 23 errata-xmlrpc 2020-07-29 18:19:06 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:3220 https://access.redhat.com/errata/RHSA-2020:3220

Comment 24 errata-xmlrpc 2020-07-29 18:19:50 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:3221 https://access.redhat.com/errata/RHSA-2020:3221

Comment 25 errata-xmlrpc 2020-07-29 19:37:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2020:3222 https://access.redhat.com/errata/RHSA-2020:3222

Comment 26 errata-xmlrpc 2020-07-29 20:47:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2020:3226 https://access.redhat.com/errata/RHSA-2020:3226


Note You need to log in before you can comment on or make changes to this bug.