1836936 – (CVE-2020-0110) CVE-2020-0110 kernel: out of bound write when writing 0 bytes to PSI files which could result in local privilege escalation

Bug 1836936 (CVE-2020-0110) - CVE-2020-0110 kernel: out of bound write when writing 0 bytes to PSI files which could result in local privilege escalation

Summary: CVE-2020-0110 kernel: out of bound write when writing 0 bytes to PSI files wh...

Keywords:
Status:	CLOSED NOTABUG
Alias:	CVE-2020-0110
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	1837790 (view as bug list)
Depends On:	1836943
Blocks:	Embargoed1836944
TreeView+	depends on / blocked

Reported:	2020-05-18 14:11 UTC by Michael Kaplan
Modified:	2021-02-16 20:02 UTC (History)
CC List:	48 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in the Pressure stall information subsystem. This flaw allows a local attacker with the ability to write to root-owned files to corrupt kernel stack memory.
Clone Of:
Environment:
Last Closed:	2020-05-22 21:15:19 UTC

Attachments	(Terms of Use)

Description Michael Kaplan 2020-05-18 14:11:28 UTC

In psi_write of psi.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

References: 

https://source.android.com/security/bulletin/2020-05-01

Upstream Commit:

https://git.kernel.org/linus/6fcca0fa48118e6d63733eb4644c6cd880c15b8f

Comment 1 Michael Kaplan 2020-05-18 14:21:15 UTC

Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1836943]

Comment 2 Justin M. Forbes 2020-05-18 15:10:09 UTC

This was fixed for Fedora with the 5.5.7 stable kernel updates.

Comment 3 Wade Mealing 2020-05-20 02:02:54 UTC

*** Bug 1837790 has been marked as a duplicate of this bug. ***

Comment 8 Wade Mealing 2020-05-20 02:16:43 UTC

Mitigation:

As the attacker must have the ability to write to these files, a possible mitigation would be to reduce the access that users and their processes would have to the files used in the attack.  The files within the /proc/ filesystem can be temporarily modified with the chmod/chown command for each boot.

Comment 10 Product Security DevOps Team 2020-05-22 21:15:19 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-0110

Note You need to log in before you can comment on or make changes to this bug.

acaringi
airlied
bhu
blc
bmasney
brdeoliv
bskeggs
dhoward
dvlasenk
esammons
fhrbata
hdegoede
hkrzesin
iboverma
ichavero
itamar
jarodwilson
jeremy
jforbes
jglisse
jlelli
john.j5live
jonathan
josef
jross
jshortt
jstancek
jwboyer
kcarcia
kernel-maint
kernel-mgr
labbott
lgoncalv
linville
masami256
matt
mchehab
mcressma
mjg59
mlangsdo
nmurray
ptalbert
qzhao
rt-maint
rvrbovsk
steved
williams
wmealing