1892176 – (CVE-2020-25669) CVE-2020-25669 kernel: use-after-free read in sunkbd_reinit in drivers/input/keyboard/sunkbd.c

Bug 1892176 (CVE-2020-25669) - CVE-2020-25669 kernel: use-after-free read in sunkbd_reinit in drivers/input/keyboard/sunkbd.c

Summary: CVE-2020-25669 kernel: use-after-free read in sunkbd_reinit in drivers/input/...

Keywords:
Status:	CLOSED NOTABUG
Alias:	CVE-2020-25669
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	Embargoed1891760 Red Hat1939822
TreeView+	depends on / blocked

Reported:	2020-10-28 05:45 UTC by Wade Mealing
Modified:	2021-05-26 13:05 UTC (History)
CC List:	16 users (show)
Fixed In Version:	kernel 5.10-rc5
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2020-11-24 11:33:54 UTC

Attachments	(Terms of Use)

Description Wade Mealing 2020-10-28 05:45:55 UTC

The function sunkbd_reinit having been scheduled by sunkbd_interrupt before sunkbd being freed.
Though the dangling pointer is set to NULL in sunkbd_disconnect, there is still a alias in sunkbd_reinit so that causing Use After Free.

Comment 1 Wade Mealing 2020-10-28 05:49:13 UTC

At this time, Red Hat (And Fedora) do not ship with this kernel build option enabled at this time.

Comment 2 msiddiqu 2020-11-24 10:49:16 UTC

References: 
 
https://www.openwall.com/lists/oss-security/2020/11/05/2

Comment 3 Product Security DevOps Team 2020-11-24 11:33:54 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-25669

Comment 4 Michael Kaplan 2021-05-26 13:05:19 UTC

Upstream patch https://github.com/torvalds/linux/commit/77e70d351db7de07a46ac49b87a6c3c7a60fca7e

Note You need to log in before you can comment on or make changes to this bug.