Bug 1901709 (CVE-2020-27835) - CVE-2020-27835 kernel: child process is able to access parent mm through hfi dev file handle
Summary: CVE-2020-27835 kernel: child process is able to access parent mm through hfi ...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-27835
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1879586 1906122 1906123 1906124 1906125 1906126 1906127
Blocks: 1887365
TreeView+ depends on / blocked
 
Reported: 2020-11-25 20:28 UTC by Dhananjay Arunesh
Modified: 2021-06-24 11:51 UTC (History)
40 users (show)

Fixed In Version: Linux kernel 5.10-rc6
Doc Type: If docs needed, set a value
Doc Text:
A flaw use after free in the Linux kernel infiniband hfi1 driver was found in the way user calls Ioctl after open dev file and fork. A local user could use this flaw to crash the system.
Clone Of:
Environment:
Last Closed: 2021-05-18 20:37:21 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2021:2538 0 None None None 2021-06-23 18:06:14 UTC
Red Hat Product Errata RHBA-2021:2541 0 None None None 2021-06-24 11:51:30 UTC

Description Dhananjay Arunesh 2020-11-25 20:28:13 UTC
A vulnerability was found in kernel, where Intel OPA Gen1 adapter" (CONFIG_INFINIBAND_HFI1) for Kernel versions after these two commits
     e0cf75deab81 ("IB/hfi1: Fix mm_struct use after free")
     3faa3d9a308e ("IB/hfi1: Make use of mm consistent")
, there is a potential problem where if a child process with access to the parents file handle calls an IOCTL or write or close, the value of the mm will be that of the parent, not the child process. This can lead to use-after-free security issue.

Comment 6 Alex 2020-12-09 17:37:42 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1906122]

Comment 9 Justin M. Forbes 2020-12-09 17:58:07 UTC
This was fixed for Fedora with the 5.9.12 stable kernel updates.

Comment 11 Petr Matousek 2020-12-17 12:08:36 UTC
Statement:

This flaw is rated as having a Moderate impact because the issue can only be triggered by an authorized local user with access to a system with specific hardware present.

Comment 12 Eric Christensen 2021-02-17 20:19:25 UTC
Mitigation:

To mitigate this issue, prevent the module hfi1 from being loaded. Please see https://access.redhat.com/solutions/41278 for information on how to denylist a kernel module to prevent it from loading automatically.

Comment 13 errata-xmlrpc 2021-05-18 13:20:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:1578 https://access.redhat.com/errata/RHSA-2021:1578

Comment 14 errata-xmlrpc 2021-05-18 14:41:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:1739 https://access.redhat.com/errata/RHSA-2021:1739

Comment 15 Product Security DevOps Team 2021-05-18 20:37:21 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-27835


Note You need to log in before you can comment on or make changes to this bug.