Bug 1906522 (CVE-2020-29660) - CVE-2020-29660 kernel: locking inconsistency in drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c can lead to a read-after-free
Summary: CVE-2020-29660 kernel: locking inconsistency in drivers/tty/tty_io.c and driv...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-29660
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1906523 1908058 1908059 1908060 1908061 1908062
Blocks: 1906524
TreeView+ depends on / blocked
 
Reported: 2020-12-10 17:36 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-11-09 19:53 UTC (History)
41 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A locking inconsistency issue was discovered in the tty subsystem of the Linux kernel. A local user could use this flaw to read numerical value from memory after free.
Clone Of:
Environment:
Last Closed: 2021-11-09 19:53:26 UTC

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:4140 0 None None None 2021-11-09 17:21:23 UTC
Red Hat Product Errata RHSA-2021:4356 0 None None None 2021-11-09 18:23:04 UTC

Description Guilherme de Almeida Suckevicz 2020-12-10 17:36:19 UTC 
A locking inconsistency issue was discovered in the tty subsystem of the Linux kernel through 5.9.13. drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c may allow a read-after-free attack against TIOCGSID.

Reference and upstream patch:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9
Comment 1 Guilherme de Almeida Suckevicz 2020-12-10 17:37:15 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1906523]
Comment 5 Alex 2020-12-16 11:59:51 UTC 
Statement:

This flaw is rated as having Low impact (Red Hat Enterprise Linux 7)  because of the need to have CAP_SYS_TTY_CONFIG privileges.

This flaw is rated as having Moderate (Red Hat Enterprise Linux 8) impact because of the need to have CAP_SYS_TTY_CONFIG privileges. Red Hat Enterprise Linux 8 enabled unprivileged user/network namespaces by default which can be used to exercise this vulnerability.
Comment 6 Alex 2020-12-16 14:43:22 UTC 
Mitigation:

Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Comment 21 errata-xmlrpc 2021-11-09 17:21:20 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4140 https://access.redhat.com/errata/RHSA-2021:4140
Comment 22 errata-xmlrpc 2021-11-09 18:23:01 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4356 https://access.redhat.com/errata/RHSA-2021:4356
Comment 23 Product Security DevOps Team 2021-11-09 19:53:22 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-29660
Note You need to log in before you can comment on or make changes to this bug.