In the Linux kernel before 5.5.8, get_raw_socket in drivers/vhost/net.c lacks validation of an sk_family field, which might allow attackers to trigger kernel stack corruption via crafted system calls. Upstream patch: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=42d84c8490f9f0931786f1623191fcab397c3d64 References: https://lkml.org/lkml/2020/2/15/125
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1817719]
This was fixed for Fedora with the 5.5.8 stable kernel updates.
Statement: This issue does not affect the kernel package as shipped with the Red Hat Enterprise Linux 5 and Red Hat Enterprise MRG 2. This issue affects the kernel package as shipped with the Red Hat Enterprise Linux 6, 7 and 8. Future kernel updates for Red Hat Enterprise Linux 6, 7 and 8 may address this issue. It is rated to have Low impact because it is quite difficult/unlikely to be triggered by a guest (or even host) user. In case it does happen, like in the upstream report, the stack overflow shall hit the stack canaries, resulting in DoS by crashing the kernel.
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:4062 https://access.redhat.com/errata/RHSA-2020:4062
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:4060 https://access.redhat.com/errata/RHSA-2020:4060
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-10942
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:4431 https://access.redhat.com/errata/RHSA-2020:4431
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:4609 https://access.redhat.com/errata/RHSA-2020:4609