Bug 1884341 (CVE-2020-25221) - CVE-2020-25221 kernel: incorrect vsyscall page reference counting in get_gate_page function in mm/gup.c
Summary: CVE-2020-25221 kernel: incorrect vsyscall page reference counting in get_gate...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2020-25221
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1884342
Blocks: 1884343
Reported: 2020-10-01 18:00 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-02-16 19:10 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in get_gate_page() in mm/gup.c in the Linux kernel: incorrect reference counting (caused by gate page mishandling) of the struct page that backs the vsyscall page leads to a refcount underflow, which allows privilege escalation. This flaw is triggered by any 64-bit process that can use ptrace() or process_vm_readv(). The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
Clone Of:
Environment:
Last Closed: 2020-10-20 08:21:14 UTC



Description Guilherme de Almeida Suckevicz 2020-10-01 18:00:34 UTC
get_gate_page in mm/gup.c in the Linux kernel 5.7.x and 5.8.x before 5.8.7 allows privilege escalation because of incorrect reference counting (caused by gate page mishandling) of the struct page that backs the vsyscall page. The result is a refcount underflow. This can be triggered by any 64-bit process that can use ptrace() or process_vm_readv().


References:
https://www.openwall.com/lists/oss-security/2020/09/08/4
https://www.openwall.com/lists/oss-security/2020/09/10/4

Upstream patches:
https://git.kernel.org/linus/8891adc61dce2a8a41fc0c23262b681c3ec4b73a
https://git.kernel.org/linus/9fa2dd946743ae6f30dc4830da19147bf100a7f2

Comment 1 Guilherme de Almeida Suckevicz 2020-10-01 18:02:03 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1884342]

Comment 2 Justin M. Forbes 2020-10-02 12:33:43 UTC
This was fixed for Fedora with the 5.8.7 stable kernel updates.

Comment 6 Alex 2020-10-08 21:18:28 UTC
Mitigation:

The issue is relevant starting from kernel v5.6, and it is possible to prevent the issue from triggering by booting with vsyscall=xonly or vsyscall=none.
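
A defender-side check that follows from the description and the mitigation in comment 6, added here as an example and not taken from the bug report: it classifies a host from its kernel version and boot command line, honouring the last vsyscall= parameter the way the kernel does. The function names and the affected range (5.6.0 up to but not including 5.8.7, combining the description's "5.7.x and 5.8.x before 5.8.7" with comment 6's "from v5.6") are my assumptions; distribution kernels that backport the fix are not recognised by version alone.

```shell
#!/bin/sh
# Added example, not part of the bug report: classify a host's exposure to
# CVE-2020-25221 from its kernel version and boot command line.
# Assumption: affected range is 5.6.0 <= version < 5.8.7 (description says
# 5.7.x/5.8.x before 5.8.7; comment 6 says relevant from v5.6). Distro kernels
# may backport the fix, so the version-based verdict is only an approximation.

# Convert "major.minor.patch[-suffix]" into a sortable integer string,
# e.g. 5.8.7-200.fc32.x86_64 -> 5008007 (awk keeps the numeric prefix of "7-200").
vernum() {
    printf '%s\n' "$1" | awk -F. '{ printf "%d%03d%03d\n", $1, $2, $3 }'
}

# Usage: vsyscall_exposure "<kernel cmdline>" "<kernel version>"
# Prints one of: mitigated | fixed | not-affected | exposed
vsyscall_exposure() {
    cmdline=$1
    kver=$2
    mode=""
    # The kernel applies the last vsyscall= occurrence, so scan every token.
    for tok in $cmdline; do
        case $tok in
            vsyscall=*) mode=${tok#vsyscall=} ;;
        esac
    done
    # Comment 6: booting with vsyscall=xonly or vsyscall=none prevents the trigger.
    # No vsyscall= at all means the compiled-in default applies
    # (CONFIG_LEGACY_VSYSCALL_* in /boot/config-$(uname -r)); not inspected here.
    case $mode in
        none|xonly) echo mitigated; return 0 ;;
    esac
    v=$(vernum "$kver")
    if [ "$v" -lt "$(vernum 5.6.0)" ]; then
        echo not-affected
    elif [ "$v" -ge "$(vernum 5.8.7)" ]; then
        echo fixed
    else
        echo exposed
    fi
}

# Live check of the current host when /proc/cmdline is readable.
if [ -r /proc/cmdline ]; then
    echo "this host: $(vsyscall_exposure "$(cat /proc/cmdline)" "$(uname -r)")"
fi
```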

Comment 7 Product Security DevOps Team 2020-10-20 08:21:14 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-25221

