Bug 1846380 (CVE-2020-10773) - CVE-2020-10773 kernel: kernel stack information leak on s390/s390x
Summary: CVE-2020-10773 kernel: kernel stack information leak on s390/s390x
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-10773
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1846531 1846532 1846533 1846534 1846535 1846536
Blocks: 1766285
TreeView+ depends on / blocked
 
Reported: 2020-06-11 13:17 UTC by Alex
Modified: 2021-02-16 19:53 UTC (History)
48 users (show)

Fixed In Version: kernel-5.4-rc6
Doc Type: If docs needed, set a value
Doc Text:
A stack information leak flaw was found in s390/s390x in the Linux kernel’s memory manager functionality, where it incorrectly writes to the /proc/sys/vm/cmm_timeout file. This flaw allows a local user to see the kernel data.
Clone Of:
Environment:
Last Closed: 2020-11-04 02:25:46 UTC

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:4431 0 None None None 2020-11-04 00:51:19 UTC

Description Alex 2020-06-11 13:17:50 UTC 
In function cmm_timeout_hander in file arch/s390/mm/cmm.c, there is a logic error which set null byte too far away from user input which means user input won't be null terminated. And then, kernel stack data will be concatenated with user input and be processed. By querying the result, attacker is able to see the kernel data.
This is linux kernel stack information leak on s390/s390x (and it is actual both for s390, ppc64 and ppc64le platforms).
Comment 3 Alex 2020-06-11 19:40:02 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1846531]
Comment 5 Alex 2020-06-11 19:51:45 UTC 
Mitigation:

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Comment 9 Petr Matousek 2020-06-17 12:39:00 UTC 
Statement:

This issue is rated as having Low impact because of being limited to only s390 architecture and very limited kernel stack exposure.
Comment 10 Petr Matousek 2020-06-17 12:52:34 UTC 
External References:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b8e51a6a9db94bc1fb18ae831b3dab106b5a4b5f
Comment 11 Justin M. Forbes 2020-10-08 18:53:27 UTC 
This was fixed for Fedora with the 5.3.9 stable kernel updates.
Comment 12 Rakesh 2020-10-28 04:16:21 UTC 
/arch/s390/mm/cmm.c and /proc/sys/vm/cmm_timeout does not exists is RHEL 6 , kernel-2.6.32-754.35.1.el6.x86_64
Is RHEL 6 unaffected by this flaw?
Comment 13 Petr Matousek 2020-10-28 11:16:43 UTC 
Hello, 

In reply to comment #12:
> /arch/s390/mm/cmm.c and /proc/sys/vm/cmm_timeout does not exists is RHEL 6 ,
> kernel-2.6.32-754.35.1.el6.x86_64
> Is RHEL 6 unaffected by this flaw?

this issue is out of support scope for both Red Hat Enterprise Linux 5 and 6. As such, we haven't performed the investigation on these product versions. Our metadata were saying the contrary, I fixed that.

Sorry for the confusion.

Best regards,
Petr Matousek / Red Hat Product Security
Comment 14 errata-xmlrpc 2020-11-04 00:51:16 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4431 https://access.redhat.com/errata/RHSA-2020:4431
Comment 15 Product Security DevOps Team 2020-11-04 02:25:46 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-10773
Note You need to log in before you can comment on or make changes to this bug.