An issue was discovered in the Linux kernels implementation of BFQ IO scheduler. A local user who is able to groom system memory may be able to cause kernel memory corruption and possibly privilege escalation through abusing a race condition in the IO scheduler.
Upstream Patch: https://patchwork.kernel.org/patch/11447049/ Upstream Commit: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1832867]
This was fixed for Fedora with the 5.5.18 stable kernel update.
Mitigation: The default io scheduler for Red Hat Enterprise Linux 8 is the mq-deadline scheduler, however it can be configured to any of the available schedulers available on the system on a per-device basis. The schedulers in use can be verified by the block devices entry in sysfs, for example for "sda": # cat /sys/block/sda/queue/scheduler [mq-deadline] kyber bfq none All block devices in the system will need to be changed to be mitigated. If the system workload requires bfq, this may not be an acceptable workaround however some systems may find changing io schedulers to be an acceptable workaround until system updates can be applied. See https://access.redhat.com/solutions/3756041 for how to configure the io scheduler persistently across system reboots or contact Red Hat Global Support Services.
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:2428 https://access.redhat.com/errata/RHSA-2020:2428
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions Via RHSA-2020:2429 https://access.redhat.com/errata/RHSA-2020:2429
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:2427 https://access.redhat.com/errata/RHSA-2020:2427
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-12657
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:2567 https://access.redhat.com/errata/RHSA-2020:2567
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Extended Update Support Via RHSA-2020:2667 https://access.redhat.com/errata/RHSA-2020:2667
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Extended Update Support Via RHSA-2020:2669 https://access.redhat.com/errata/RHSA-2020:2669