Bug 1862849 (CVE-2020-14351) - CVE-2020-14351 kernel: performance counters race condition use-after-free
Summary: CVE-2020-14351 kernel: performance counters race condition use-after-free
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-14351
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1869925 1869929 1869931 1865720 1865721 1865722 1865723 1865724 1865725 1869921 1869922 1869924 1869926 1869927 1869928 1869930 1869932 1869933 1869934 1869935 1869936 1869937 1869938 1869939 1869940 1869941 1896213 1897016 1897017
Blocks: 1954955 1859675
TreeView+ depends on / blocked
 
Reported: 2020-08-03 03:06 UTC by Wade Mealing
Modified: 2021-04-29 07:22 UTC (History)
49 users (show)

Fixed In Version: kernel 5.8.17
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Linux kernel. A use-after-free memory flaw was found in the perf subsystem allowing a local attacker with permission to monitor perf events to corrupt memory and possibly escalate privileges. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Clone Of:
Environment:
Last Closed: 2021-02-16 19:01:57 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:0537 0 None None None 2021-02-16 14:25:44 UTC
Red Hat Product Errata RHSA-2021:0558 0 None None None 2021-02-16 14:38:09 UTC
Red Hat Product Errata RHSA-2021:0686 0 None None None 2021-03-02 10:42:12 UTC
Red Hat Product Errata RHSA-2021:0765 0 None None None 2021-03-09 11:09:37 UTC
Red Hat Product Errata RHSA-2021:0774 0 None None None 2021-03-09 10:22:36 UTC
Red Hat Product Errata RHSA-2021:0848 0 None None None 2021-03-16 09:26:11 UTC
Red Hat Product Errata RHSA-2021:0856 0 None None None 2021-03-16 13:50:53 UTC
Red Hat Product Errata RHSA-2021:0857 0 None None None 2021-03-16 13:51:48 UTC
Red Hat Product Errata RHSA-2021:0878 0 None None None 2021-03-16 14:53:35 UTC

Description Wade Mealing 2020-08-03 03:06:29 UTC
A flaw in the Linux kernels perf subsystem could allow a local attacker with permission to monitor perf events (either through CAP_SYS_ADMIN or a modification to /proc/sys/kernel/perf_event_paranoid ) to create an environment where a use-after-free flaw could take place allowing them to corrupt memory and possibly escalate privileges.

The Red Hat Enterprise Linux 7.2 and later kernels default to a safe /proc/sys/kernel/perf_event_paranoid setting, however local administrators may have reason to change the setting to allow non privileged users to monitor performance statistics.

Upstream kernel documentation recommends not modifying this value and instead creating a perf_users group as outlined in ther documentation:

https://www.kernel.org/doc/html/latest/admin-guide/perf-security.html

Comment 13 Eric Christensen 2020-09-08 15:28:12 UTC
Statement:

The Red Hat Enterprise Linux 7.2 and later kernels default to a safe /proc/sys/kernel/perf_event_paranoid setting; local administrators may have reason to change the setting to allow non privileged users to monitor performance statistics.

Comment 14 Eric Christensen 2020-09-08 15:28:15 UTC
Mitigation:

While there is no way to disable the perf subsystem on Linux systems, reducing or removing users access to the perf events can effectively mitigate this flaw. Upstream kernel documentation has been written regarding this mechanism: https://www.kernel.org/doc/html/latest/admin-guide/perf-security.html.

Comment 16 Wade Mealing 2020-11-10 02:44:58 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1896213]

Comment 17 Justin M. Forbes 2020-11-10 12:51:10 UTC
This was fixed for Fedora with the 5.8.17 stable kernel updates.

Comment 22 Guilherme de Almeida Suckevicz 2020-11-17 13:02:38 UTC
Acknowledgments:

Name: Ryota Shiga (Flatt Security), Zero Day Initiative

Comment 23 errata-xmlrpc 2021-02-16 14:25:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:0537 https://access.redhat.com/errata/RHSA-2021:0537

Comment 24 errata-xmlrpc 2021-02-16 14:38:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:0558 https://access.redhat.com/errata/RHSA-2021:0558

Comment 25 Product Security DevOps Team 2021-02-16 19:01:57 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-14351

Comment 26 errata-xmlrpc 2021-03-02 10:42:04 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2021:0686 https://access.redhat.com/errata/RHSA-2021:0686

Comment 27 errata-xmlrpc 2021-03-09 10:22:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:0774 https://access.redhat.com/errata/RHSA-2021:0774

Comment 28 errata-xmlrpc 2021-03-09 11:09:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:0765 https://access.redhat.com/errata/RHSA-2021:0765

Comment 29 errata-xmlrpc 2021-03-16 09:26:04 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.3 Advanced Update Support

Via RHSA-2021:0848 https://access.redhat.com/errata/RHSA-2021:0848

Comment 30 errata-xmlrpc 2021-03-16 13:50:50 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:0856 https://access.redhat.com/errata/RHSA-2021:0856

Comment 31 errata-xmlrpc 2021-03-16 13:51:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:0857 https://access.redhat.com/errata/RHSA-2021:0857

Comment 32 errata-xmlrpc 2021-03-16 14:53:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2021:0878 https://access.redhat.com/errata/RHSA-2021:0878

Comment 34 errata-xmlrpc 2021-03-30 09:28:02 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Extended Update Support

Via RHSA-2021:1028 https://access.redhat.com/errata/RHSA-2021:1028

Comment 35 errata-xmlrpc 2021-04-20 12:54:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Advanced Update Support
  Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.4 Telco Extended Update Support

Via RHSA-2021:1267 https://access.redhat.com/errata/RHSA-2021:1267


Note You need to log in before you can comment on or make changes to this bug.