Bug 1888726 (CVE-2020-25656) - CVE-2020-25656 kernel: use-after-free in read in vt_do_kdgkb_ioctl
Summary: CVE-2020-25656 kernel: use-after-free in read in vt_do_kdgkb_ioctl
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-25656
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1896773 1896774 1896775 1896776 1896777 1897134
Blocks: 1888621
TreeView+ depends on / blocked
 
Reported: 2020-10-15 15:21 UTC by msiddiqu
Modified: 2021-03-23 19:05 UTC (History)
52 users (show)

Fixed In Version: kernel 5.10-rc2
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Linux kernel. A use-after-free was found in the way the console subsystem was using ioctls KDGKBSENT and KDSKBSENT. A local user could use this flaw to get read memory access out of bounds. The highest threat from this vulnerability is to data confidentiality.
Clone Of:
Environment:
Last Closed: 2021-03-16 19:19:06 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:0856 0 None None None 2021-03-16 13:51:07 UTC
Red Hat Product Errata RHSA-2021:0857 0 None None None 2021-03-16 13:52:09 UTC

Description msiddiqu 2020-10-15 15:21:26 UTC
A flaw was found in Linux Kernel, where a race in KDGKBSENT and KDSKBSENT leads to use-after-free read in vt_do_kdgkb_ioctl

References: 
 
https://groups.google.com/g/syzkaller-bugs/c/kZsmxkpq3UI/m/J35PFexWBgAJ?pli=1

Comment 1 msiddiqu 2020-10-19 04:37:37 UTC
References:

https://www.openwall.com/lists/oss-security/2020/10/16/1

Comment 5 Alex 2020-11-11 14:13:51 UTC
External References:

https://lkml.org/lkml/2020/10/29/528
https://lkml.org/lkml/2020/10/16/84

Comment 7 Petr Matousek 2020-11-12 12:11:09 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1897134]

Comment 8 Fedora Update System 2020-11-16 01:09:02 UTC
FEDORA-2020-98ccae320c has been pushed to the Fedora 33 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 9 Fedora Update System 2020-11-16 01:12:45 UTC
FEDORA-2020-e211716d08 has been pushed to the Fedora 32 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 10 Alex 2021-02-10 16:42:10 UTC
Statement:

This issue is rated as having Moderate impact because of the attack scenario limitation where only local user with access to VT console if at least CAP_SYS_TTY_CONFIG enabled can trigger this issue.

Comment 11 Alex 2021-02-10 16:58:14 UTC
For triggering the bug, user needs privileges. At least "CAP_SYS_TTY_CONFIG" needs to be enabled, but this is not the only precondition.
As far as I know, there is no known way today for triggering this until CONFIG_KASAN enabled (that is parameter for runtime memory debugger and usually disabled for production systems).
Means that if parameter CONFIG_KASAN not enabled for the kernel (for rhel* by default disabled), then the bug happens silently (without kernel crash) since read use-after-free usually not easily triggerable.

Comment 12 errata-xmlrpc 2021-03-16 13:51:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:0856 https://access.redhat.com/errata/RHSA-2021:0856

Comment 13 errata-xmlrpc 2021-03-16 13:52:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:0857 https://access.redhat.com/errata/RHSA-2021:0857

Comment 14 Product Security DevOps Team 2021-03-16 19:19:06 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-25656


Note You need to log in before you can comment on or make changes to this bug.