A flaw was found in the Linux kernel implementation of userspace core dumps. This flaw allows anyone with access to core dumps to see a small amount of private kernel data about the currently running kernel's internal state, which could be used to further allow an attack to execute more reliably. This information could be user processes or kernel state from previous executions.
References:
https://github.com/google/kmsan/issues/76
https://twitter.com/grsecurity/status/1252558055629299712
https://github.com/ruscur/linux/commit/a95cdec9fa0c08e6eeb410d461c03af8fd1fef0a
This flaw is rated as moderate; it can be a pretty useful information leak to defeat KASLR and can also be leveraged as part of another attack.
There is no 'simple' fix to this. The bug is located in the ELF executable loader. If this code were to be blacklisted, most executables would not run on the system, making it inoperable for most use cases.
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1832059]
Mitigation: A possible mitigation would be to disable core dumps system-wide by setting

    * hard core 0

in the /etc/security/limits.conf file and restarting applications/services/processes which users may have access to, or simply rebooting the system. This disables core dumps, which may not be a suitable workaround in your environment.
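Added example (not part of the bug report and not Red Hat's code): a POSIX shell check that parses a limits.conf-style file for the system-wide hard core limit described above and also reports the current shell's hard core limit. The two sample files are constructed for the demonstration.

```shell
#!/bin/sh
# Check whether a pam_limits file carries a system-wide hard core limit of 0.
# Lines have the form:  <domain> <type> <item> <value>
# where <type> is "hard", "soft" or "-" (meaning both hard and soft).
# Returns 0 (true) when an uncommented line sets core to 0 for domain "*"
# with a hard (or "-") type; a soft-only limit does not count, since a user
# can raise a soft limit again up to the hard limit.
limits_core_disabled() {
    file=$1
    # Strip comments (including trailing ones), then look for a matching rule.
    sed -e 's/#.*//' "$file" | awk '
        NF == 4 && $1 == "*" && ($2 == "hard" || $2 == "-") &&
        $3 == "core" && $4 == "0" { found = 1 }
        END { exit found ? 0 : 1 }'
}

# limits.conf only affects sessions opened through pam_limits after the
# change, so also report the hard limit the current shell actually has.
current_hard_core_limit() {
    ulimit -Hc
}

# Constructed sample files (not real system configuration).
tmpdir=$(mktemp -d)
HARDENED="$tmpdir/limits.hardened"
WEAK="$tmpdir/limits.weak"
cat > "$HARDENED" <<'EOF'
# constructed sample of /etc/security/limits.conf with the mitigation applied
*    soft    nproc    4096
*    hard    core     0     # no core dumps system-wide
EOF
cat > "$WEAK" <<'EOF'
# constructed sample: only a soft limit, and the hard rule is commented out
*    soft    core     0
#*   hard    core     0
EOF

for f in "$HARDENED" "$WEAK"; do
    if limits_core_disabled "$f"; then
        echo "$f: core dumps disabled (hard limit 0 for all users)"
    else
        echo "$f: core dumps NOT disabled by a hard limit"
    fi
done
echo "current shell hard core limit: $(current_hard_core_limit)"
```

Point the function at the real /etc/security/limits.conf to audit a host; a passing file check still needs the restart or reboot noted above before existing processes stop producing dumps.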
The proposed fix has been accepted in linus-next tree (git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git): commit aca969cacf07f41070d788ce2b8ca71f09d5207d Author: Alexander Potapenko <glider> Date: Thu May 14 13:40:13 2020 +1000 fs/binfmt_elf.c: allocate initialized memory in fill_thread_core_info() <..snip..> diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c index fb7697029046..1a8b0c74f5b0 100644 --- a/fs/binfmt_elf.c +++ b/fs/binfmt_elf.c @@ -1729,7 +1729,7 @@ static int fill_thread_core_info(struct elf_thread_core_info *t, (!regset->active || regset->active(t->task, regset) > 0)) { int ret; size_t size = regset_size(t->task, regset); - void *data = kmalloc(size, GFP_KERNEL); + void *data = kzalloc(size, GFP_KERNEL); if (unlikely(!data)) return 0; ret = regset->get(t->task, regset,
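Review bot: switching `kmalloc` to `kzalloc` in fill_thread_core_info() is a defensive fix rather than a root-cause one: the buffer is still handed to `regset->get(t->task, regset, ...)` with the expectation that the callback fills `size` bytes, and the hunk's context ends before the handling of `ret`, so the reviewer should confirm that the caller accounts for a callback that fills fewer bytes than `size`, and the commit message (snipped here) should name which regset left the buffer partially written. Separately, `if (unlikely(!data)) return 0;` drops the whole thread note on allocation failure without reporting it; that is pre-existing behaviour, but a comment at this site would help.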
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:4062 https://access.redhat.com/errata/RHSA-2020:4062
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:4060 https://access.redhat.com/errata/RHSA-2020:4060
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-10732
This was fixed for Fedora with the 5.6.16 stable kernel updates.
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:4431 https://access.redhat.com/errata/RHSA-2020:4431
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:4609 https://access.redhat.com/errata/RHSA-2020:4609