An out-of-bounds (OOB) memory access flaw was found in the Network XDP (the eXpress Data Path) module in the Linux kernel's xdp_umem_reg in net/xdp/xdp_umem.c. When a user with special user privilege of CAP_NET_ADMIN (or root) calls setsockopt to register umem ring on XDP socket, passing the headroom value larger than the available space in the chunk can leads to an out of bound write causing a panic or possible memory corruption. This may lead to privilege escalation if a local end user is granted permissions to influence the execution of code in this manner. Reference: https://bugzilla.kernel.org/show_bug.cgi?id=207225 https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=99e3a236dd43d06c65af0a2ef9cb44306aef6e02
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1832878]
Upstream Issue: https://bugzilla.kernel.org/show_bug.cgi?id=207225 Upstream Commit: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=99e3a236dd43d06c65af0a2ef9cb44306aef6e02
This was fixed for Fedora with the 5.6.7 stable kernel update.
Mitigation: Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
I don't see how this is a security issue. It needs root privileges to invoke the crash; root has plenty of other ways to crash the system. If this is a CVE, then the 'poweroff' command is a security issue, too. This does not deserve a CVE, it's a minor bug. Could the CVE assignment be invalidated?
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:4431 https://access.redhat.com/errata/RHSA-2020:4431
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:4609 https://access.redhat.com/errata/RHSA-2020:4609
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-12659