In function cmm_timeout_hander in file arch/s390/mm/cmm.c, there is a logic error which set null byte too far away from user input which means user input won't be null terminated. And then, kernel stack data will be concatenated with user input and be processed. By querying the result, attacker is able to see the kernel data. This is linux kernel stack information leak on s390/s390x (and it is actual both for s390, ppc64 and ppc64le platforms).
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1846531]
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Statement: This issue is rated as having Low impact because of being limited to only s390 architecture and very limited kernel stack exposure.
External References: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b8e51a6a9db94bc1fb18ae831b3dab106b5a4b5f
This was fixed for Fedora with the 5.3.9 stable kernel updates.
/arch/s390/mm/cmm.c and /proc/sys/vm/cmm_timeout does not exists is RHEL 6 , kernel-2.6.32-754.35.1.el6.x86_64 Is RHEL 6 unaffected by this flaw?
Hello, In reply to comment #12: > /arch/s390/mm/cmm.c and /proc/sys/vm/cmm_timeout does not exists is RHEL 6 , > kernel-2.6.32-754.35.1.el6.x86_64 > Is RHEL 6 unaffected by this flaw? this issue is out of support scope for both Red Hat Enterprise Linux 5 and 6. As such, we haven't performed the investigation on these product versions. Our metadata were saying the contrary, I fixed that. Sorry for the confusion. Best regards, Petr Matousek / Red Hat Product Security
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:4431 https://access.redhat.com/errata/RHSA-2020:4431
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-10773