Bug 1832866 (CVE-2020-12657) - CVE-2020-12657 kernel: use-after-free in block/bfq-iosched.c related to bfq_idle_slice_timer_body
Summary: CVE-2020-12657 kernel: use-after-free in block/bfq-iosched.c related to bfq_i...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-12657
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1832867 1835529 1835530 1835531 1835532 1835533 1835534 1835535 1835536 1835537 1835538
Blocks: 1833237
TreeView+ depends on / blocked
 
Reported: 2020-05-07 12:23 UTC by Michael Kaplan
Modified: 2021-02-16 20:05 UTC (History)
54 users (show)

Fixed In Version: kernel 5.6.5
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Linux kernel's implementation of the BFQ IO scheduler. This flaw allows a local user able to groom system memory to cause kernel memory corruption and possible privilege escalation by abusing a race condition in the IO scheduler.
Clone Of:
Environment:
Last Closed: 2020-06-09 23:20:36 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2020:2542 0 None None None 2020-06-15 07:17:44 UTC
Red Hat Product Errata RHBA-2020:2551 0 None None None 2020-06-15 21:07:46 UTC
Red Hat Product Errata RHBA-2020:2888 0 None None None 2020-07-09 15:15:13 UTC
Red Hat Product Errata RHSA-2020:2427 0 None None None 2020-06-09 19:10:29 UTC
Red Hat Product Errata RHSA-2020:2428 0 None None None 2020-06-09 18:23:42 UTC
Red Hat Product Errata RHSA-2020:2429 0 None None None 2020-06-09 18:45:12 UTC
Red Hat Product Errata RHSA-2020:2567 0 None None None 2020-06-15 19:00:57 UTC
Red Hat Product Errata RHSA-2020:2667 0 None None None 2020-06-23 13:07:48 UTC
Red Hat Product Errata RHSA-2020:2669 0 None None None 2020-06-23 13:08:49 UTC

Description Michael Kaplan 2020-05-07 12:23:56 UTC 
An issue was discovered in the Linux kernels implementation of BFQ IO scheduler.  A local user who is able to groom system memory may be able to cause kernel memory corruption and possibly privilege escalation through abusing a race condition in the IO scheduler.
Comment 1 Michael Kaplan 2020-05-07 12:25:08 UTC 
Upstream Patch:

https://patchwork.kernel.org/patch/11447049/

Upstream Commit:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9
Comment 2 Michael Kaplan 2020-05-07 12:25:42 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1832867]
Comment 3 Justin M. Forbes 2020-05-07 21:59:40 UTC 
This was fixed for Fedora with the 5.5.18 stable kernel update.
Comment 6 Wade Mealing 2020-05-14 01:29:33 UTC 
Mitigation:


The default io scheduler for Red Hat Enterprise Linux 8 is the mq-deadline scheduler, however it can be 
configured to any of the available schedulers available on the system on a per-device basis.

The schedulers in use can be verified by the block devices entry in sysfs, for example for "sda":

# cat /sys/block/sda/queue/scheduler 
[mq-deadline] kyber bfq none

All block devices in the system will need to be changed to be mitigated.  If the system workload requires
bfq, this may not be an acceptable workaround however some systems may find changing io schedulers to be an
acceptable workaround until system updates can be applied.

See https://access.redhat.com/solutions/3756041 for how to configure the io scheduler persistently across
system reboots or contact Red Hat Global Support Services.
Comment 9 errata-xmlrpc 2020-06-09 18:23:39 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:2428 https://access.redhat.com/errata/RHSA-2020:2428
Comment 10 errata-xmlrpc 2020-06-09 18:45:09 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:2429 https://access.redhat.com/errata/RHSA-2020:2429
Comment 11 errata-xmlrpc 2020-06-09 19:10:26 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:2427 https://access.redhat.com/errata/RHSA-2020:2427
Comment 12 Product Security DevOps Team 2020-06-09 23:20:36 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-12657
Comment 13 errata-xmlrpc 2020-06-15 19:00:53 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:2567 https://access.redhat.com/errata/RHSA-2020:2567
Comment 14 errata-xmlrpc 2020-06-23 13:07:44 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2020:2667 https://access.redhat.com/errata/RHSA-2020:2667
Comment 15 errata-xmlrpc 2020-06-23 13:08:45 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2020:2669 https://access.redhat.com/errata/RHSA-2020:2669
Note You need to log in before you can comment on or make changes to this bug.