Bug 1842525 (CVE-2020-10757) - CVE-2020-10757 kernel: kernel: DAX hugepages not considered during mremap
Summary: CVE-2020-10757 kernel: kernel: DAX hugepages not considered during mremap
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-10757
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1843429 1843430 1843431 1843432 1843433 1843434 1843435 1843436 1843437 1843438 1843439 1843440 1843441 1843442 1843443 1843444 1843445 1843446 1843447 1843448 1843883
Blocks: 1842526
TreeView+ depends on / blocked
 
Reported: 2020-06-01 13:11 UTC by Pedro Sampaio
Modified: 2023-12-15 18:02 UTC (History)
52 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the way mremap handled DAX Huge Pages. This flaw allows a local attacker with access to a DAX enabled storage to escalate their privileges on the system.
Clone Of:
Environment:
Last Closed: 2020-07-21 13:28:00 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2020:3086 0 None None None 2020-07-22 01:04:37 UTC
Red Hat Product Errata RHBA-2020:3235 0 None None None 2020-07-30 01:09:55 UTC
Red Hat Product Errata RHBA-2020:3236 0 None None None 2020-07-30 02:11:43 UTC
Red Hat Product Errata RHBA-2020:3249 0 None None None 2020-07-30 14:36:54 UTC
Red Hat Product Errata RHBA-2020:3551 0 None None None 2020-08-25 14:35:55 UTC
Red Hat Product Errata RHBA-2020:3552 0 None None None 2020-08-25 14:40:26 UTC
Red Hat Product Errata RHSA-2020:3010 0 None None None 2020-07-21 11:05:28 UTC
Red Hat Product Errata RHSA-2020:3016 0 None None None 2020-07-21 11:23:39 UTC
Red Hat Product Errata RHSA-2020:3041 0 None None None 2020-07-21 14:32:39 UTC
Red Hat Product Errata RHSA-2020:3220 0 None None None 2020-07-29 18:19:09 UTC
Red Hat Product Errata RHSA-2020:3221 0 None None None 2020-07-29 18:19:54 UTC
Red Hat Product Errata RHSA-2020:3222 0 None None None 2020-07-29 19:37:29 UTC
Red Hat Product Errata RHSA-2020:3226 0 None None None 2020-07-29 20:47:05 UTC
Red Hat Product Errata RHSA-2020:3598 0 None None None 2020-09-01 16:36:48 UTC

Description Pedro Sampaio 2020-06-01 13:11:58 UTC 
A flaw was found in the way mremap handled DAX hugepages. A local attacker could use this flaw to escalate their privileges on the system by being able to control PTEs and effectively creating physical to virtual mappings at will.
Comment 1 Petr Matousek 2020-06-03 09:54:57 UTC 
Acknowledgments:

Name: Fan Yang
Comment 10 Petr Matousek 2020-06-04 11:32:11 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1843883]
Comment 11 Petr Matousek 2020-06-08 14:43:15 UTC 
External References:

https://www.openwall.com/lists/oss-security/2020/06/04/4
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=5bfea2d9b17f1034a68147a8b03b9789af5700f9
Comment 16 Petr Matousek 2020-06-23 10:57:02 UTC 
Statement:

This issue requires access to a DAX enabled storage.

This issue affects Red Hat Enterprise Linux 7 kernels starting with kernel-3.10.0-862, that is Red Hat Enterprise Linux 7.5 GA kernel. Red Hat Enterprise Linux 7 kernels prior to that version are not affected as they did not include the functionality that enabled this issue to be exploited.

Red Hat Product Security is aware of this issue. Updates will be released as they become available.
Comment 18 errata-xmlrpc 2020-07-21 11:05:20 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:3010 https://access.redhat.com/errata/RHSA-2020:3010
Comment 19 errata-xmlrpc 2020-07-21 11:23:35 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:3016 https://access.redhat.com/errata/RHSA-2020:3016
Comment 20 Product Security DevOps Team 2020-07-21 13:28:00 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-10757
Comment 21 errata-xmlrpc 2020-07-21 14:32:35 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:3041 https://access.redhat.com/errata/RHSA-2020:3041
Comment 22 Chuck Svoboda 2020-07-21 15:33:26 UTC 
Why is RHEL7 not patched?  FWIW, OEL7 is patched.
Comment 23 errata-xmlrpc 2020-07-29 18:19:06 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:3220 https://access.redhat.com/errata/RHSA-2020:3220
Comment 24 errata-xmlrpc 2020-07-29 18:19:50 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:3221 https://access.redhat.com/errata/RHSA-2020:3221
Comment 25 errata-xmlrpc 2020-07-29 19:37:24 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2020:3222 https://access.redhat.com/errata/RHSA-2020:3222
Comment 26 errata-xmlrpc 2020-07-29 20:47:01 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2020:3226 https://access.redhat.com/errata/RHSA-2020:3226
Comment 29 errata-xmlrpc 2020-09-01 16:36:43 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Extended Update Support

Via RHSA-2020:3598 https://access.redhat.com/errata/RHSA-2020:3598
Comment 30 Petr Matousek 2020-10-21 12:18:28 UTC 
Mitigation:

Do not use DAX enabled storage.
Note You need to log in before you can comment on or make changes to this bug.