In f2fs_xattr_generic_list of xattr.c, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not required for exploitation.Product: Android. Versions: Android kernel. Android ID: A-120551147. Upstream Reference: https://android.googlesource.com/kernel/common/+/688078e7
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1848848]
Affected source fs/f2fs/xattr.c with configuration option CONFIG_F2FS_FS_XATTR is not built in any of RHEL kernel versions. Marking notaffected.
Statement: The affected code was not introduced into any kernel versions shipped with Red Hat Enterprise Linux making this vulnerable not applicable to these platforms.
Mitigation: Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-0067