Bug 1891114 (CVE-2020-27675) - CVE-2020-27675 kernel: xen: race condition in event-channel removal during the event-handling loop (XSA-331)
Summary: CVE-2020-27675 kernel: xen: race condition in event-channel removal during th...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2020-27675
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1891115
Blocks: 1891116
TreeView+ depends on / blocked
 
Reported: 2020-10-23 19:44 UTC by Guilherme de Almeida Suckevicz
Modified: 2020-10-29 20:22 UTC (History)
46 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-10-26 15:58:13 UTC
Embargoed:


Attachments (Terms of Use)

Description Guilherme de Almeida Suckevicz 2020-10-23 19:44:49 UTC
An issue was discovered in the Linux kernel through 5.9.1, as used with Xen through 4.14.x. drivers/xen/events/events_base.c allows event-channel removal during the event-handling loop (a race condition). This can cause a use-after-free or NULL pointer dereference, as demonstrated by a dom0 crash via events for an in-reconfiguration paravirtualized device, aka CID-073d0552ead5.

Reference:
https://xenbits.xen.org/xsa/advisory-331.html

Upstream patch:
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=073d0552ead5bfc7a3a9c01de590e924f11b5dd2

Comment 1 Guilherme de Almeida Suckevicz 2020-10-23 19:45:54 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1891115]


Note You need to log in before you can comment on or make changes to this bug.