Bug 1836936 (CVE-2020-0110) - CVE-2020-0110 kernel: out of bound write when writing 0 bytes to PSI files which could result in local privilege escalation
Summary: CVE-2020-0110 kernel: out of bound write when writing 0 bytes to PSI files wh...
Alias: CVE-2020-0110
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
: 1837790 (view as bug list)
Depends On: 1836943
Blocks: Embargoed1836944
TreeView+ depends on / blocked
Reported: 2020-05-18 14:11 UTC by Michael Kaplan
Modified: 2021-02-16 20:02 UTC (History)
48 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Pressure stall information subsystem. This flaw allows a local attacker with the ability to write to root-owned files to corrupt kernel stack memory.
Clone Of:
Last Closed: 2020-05-22 21:15:19 UTC

Attachments (Terms of Use)

Description Michael Kaplan 2020-05-18 14:11:28 UTC
In psi_write of psi.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.



Upstream Commit:


Comment 1 Michael Kaplan 2020-05-18 14:21:15 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1836943]

Comment 2 Justin M. Forbes 2020-05-18 15:10:09 UTC
This was fixed for Fedora with the 5.5.7 stable kernel updates.

Comment 3 Wade Mealing 2020-05-20 02:02:54 UTC
*** Bug 1837790 has been marked as a duplicate of this bug. ***

Comment 8 Wade Mealing 2020-05-20 02:16:43 UTC

As the attacker must have the ability to write to these files, a possible mitigation would be to reduce the access that users and their processes would have to the files used in the attack.  The files within the /proc/ filesystem can be temporarily modified with the chmod/chown command for each boot.

Comment 10 Product Security DevOps Team 2020-05-22 21:15:19 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):


Note You need to log in before you can comment on or make changes to this bug.