Bug 1920480 (CVE-2020-0466) - CVE-2020-0466 kernel: use after free in eventpoll.c may lead to escalation of privilege
Status: CLOSED ERRATA
Alias: CVE-2020-0466
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 1921706 1920484 1920773 1920774 1920775 1920776 1920777 1920778 1920779 1920780 1920781 1920782 1920783 1920784 1920785 1921707 2042756 2042757 2042758 2042759 2042760 2042761 2042762 2042763 2042764 2042765 2042766 2044812
Blocks: 1920486
Reported: 2021-01-26 11:46 UTC by Marian Rehak
Modified: 2022-04-19 16:11 UTC

Fixed In Version: kernel-rt-3.10.0-1160.57.1.rt56.1198.el7
Doc Text:
A flaw was found in the Linux kernel. A logic error in eventpoll.c can cause a use-after-free, leading to a local escalation of privilege with no additional execution privileges. User interaction is not needed for exploitation. The highest threat from this vulnerability is to confidentiality and integrity as well as system availability.
Last Closed: 2022-02-02 14:00:53 UTC
Links

| System | ID | Private | Priority | Status | Summary | Last Updated |
|---|---|---|---|---|---|---|
| Red Hat Product Errata | RHBA-2022:0679 | 0 | None | None | None | 2022-02-24 20:40:45 UTC |
| Red Hat Product Errata | RHBA-2022:0690 | 0 | None | None | None | 2022-02-28 14:16:33 UTC |
| Red Hat Product Errata | RHBA-2022:0740 | 0 | None | None | None | 2022-03-03 15:57:45 UTC |
| Red Hat Product Errata | RHSA-2022:0529 | 0 | None | None | None | 2022-02-15 09:23:25 UTC |
| Red Hat Product Errata | RHSA-2022:0531 | 0 | None | None | None | 2022-02-15 10:37:22 UTC |
| Red Hat Product Errata | RHSA-2022:0533 | 0 | None | None | None | 2022-02-15 09:47:43 UTC |
| Red Hat Product Errata | RHSA-2022:0592 | 0 | None | None | None | 2022-02-22 09:12:20 UTC |
| Red Hat Product Errata | RHSA-2022:0620 | 0 | None | None | None | 2022-02-22 16:57:47 UTC |
| Red Hat Product Errata | RHSA-2022:0622 | 0 | None | None | None | 2022-02-22 17:00:22 UTC |
| Red Hat Product Errata | RHSA-2022:0712 | 0 | None | None | None | 2022-03-01 12:44:52 UTC |
| Red Hat Product Errata | RHSA-2022:0718 | 0 | None | None | None | 2022-03-01 12:47:21 UTC |
| Red Hat Product Errata | RHSA-2022:1104 | 0 | None | None | None | 2022-03-29 08:50:49 UTC |
| Red Hat Product Errata | RHSA-2022:1417 | 0 | None | None | None | 2022-04-19 16:11:34 UTC |

Description Marian Rehak 2021-01-26 11:46:58 UTC
In do_epoll_ctl and ep_loop_check_proc of eventpoll.c, there is a possible use after free due to a logic error. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Reference:

 https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a9ed4a6560b8562b7e2e2bed9527e88001f7b682
 https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=52c479697c9b73f628140dcdfcd39ea302d05482

Comment 1 Marian Rehak 2021-01-26 11:50:28 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1920484]

Comment 2 Justin M. Forbes 2021-01-26 20:09:24 UTC
This was fixed for Fedora with the 5.7.18 stable kernel updates.

Comment 6 Wade Mealing 2021-01-27 02:19:40 UTC
Mitigation:

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Comment 13 errata-xmlrpc 2021-04-06 13:58:09 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:1081 https://access.redhat.com/errata/RHSA-2021:1081

Comment 14 errata-xmlrpc 2021-04-06 14:17:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:1093 https://access.redhat.com/errata/RHSA-2021:1093

Comment 15 Product Security DevOps Team 2021-04-06 17:35:22 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-0466

Comment 16 errata-xmlrpc 2021-05-25 06:43:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2021:2099 https://access.redhat.com/errata/RHSA-2021:2099

Comment 17 errata-xmlrpc 2021-05-25 15:53:59 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2021:2106 https://access.redhat.com/errata/RHSA-2021:2106

Comment 18 errata-xmlrpc 2021-06-01 09:39:58 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:2167 https://access.redhat.com/errata/RHSA-2021:2167

Comment 19 errata-xmlrpc 2021-06-01 16:03:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:2190 https://access.redhat.com/errata/RHSA-2021:2190

Comment 20 errata-xmlrpc 2021-06-02 00:46:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:2185 https://access.redhat.com/errata/RHSA-2021:2185

Comment 23 Product Security DevOps Team 2022-02-02 14:00:48 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-0466

Comment 24 errata-xmlrpc 2022-02-15 09:23:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.3 Advanced Update Support

Via RHSA-2022:0529 https://access.redhat.com/errata/RHSA-2022:0529

Comment 25 errata-xmlrpc 2022-02-15 09:47:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Update Services for SAP Solutions

Via RHSA-2022:0533 https://access.redhat.com/errata/RHSA-2022:0533

Comment 26 errata-xmlrpc 2022-02-15 10:37:17 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Advanced Update Support
  Red Hat Enterprise Linux 7.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.6 Telco Extended Update Support

Via RHSA-2022:0531 https://access.redhat.com/errata/RHSA-2022:0531

Comment 28 errata-xmlrpc 2022-02-22 09:12:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2022:0592 https://access.redhat.com/errata/RHSA-2022:0592

Comment 29 errata-xmlrpc 2022-02-22 16:57:42 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2022:0620 https://access.redhat.com/errata/RHSA-2022:0620

Comment 30 errata-xmlrpc 2022-02-22 17:00:18 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2022:0622 https://access.redhat.com/errata/RHSA-2022:0622

Comment 31 errata-xmlrpc 2022-03-01 12:44:48 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Advanced Update Support
  Red Hat Enterprise Linux 7.7 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.7 Telco Extended Update Support

Via RHSA-2022:0712 https://access.redhat.com/errata/RHSA-2022:0712

Comment 32 errata-xmlrpc 2022-03-01 12:47:17 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Update Services for SAP Solutions

Via RHSA-2022:0718 https://access.redhat.com/errata/RHSA-2022:0718

Comment 33 errata-xmlrpc 2022-03-29 08:50:45 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Advanced Update Support

Via RHSA-2022:1104 https://access.redhat.com/errata/RHSA-2022:1104

Comment 34 errata-xmlrpc 2022-04-19 16:11:29 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6 Extended Lifecycle Support

Via RHSA-2022:1417 https://access.redhat.com/errata/RHSA-2022:1417

