1903262 – (CVE-2020-29369) CVE-2020-29369 kernel: race condition between expand_downwards and expand_upwards and page-table free operations from an munmap call

Bug 1903262 (CVE-2020-29369) - CVE-2020-29369 kernel: race condition between expand_downwards and expand_upwards and page-table free operations from an munmap call

Summary: CVE-2020-29369 kernel: race condition between expand_downwards and expand_upw...

Keywords:
Status:	CLOSED NOTABUG
Alias:	CVE-2020-29369
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1903263 1903473 1903474 1903475 1903476 1903477 1903478 1903479 1903480 1903481 1903482 1903484 1903485 1903486 1903487 1903488 1903489 1903490 1903491 1903492 1903493 1903494 1903495
Blocks:	1903264
TreeView+	depends on / blocked

Reported:	2020-12-01 17:39 UTC by Guilherme de Almeida Suckevicz
Modified:	2021-02-16 18:48 UTC (History)
CC List:	54 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in the Linux kernel. A race condition between certain expand functions and page-table free operations from an munmap call leading to ... FIXME. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Clone Of:
Environment:
Last Closed:	2020-12-07 15:36:09 UTC
Embargoed:

Attachments	(Terms of Use)

Description Guilherme de Almeida Suckevicz 2020-12-01 17:39:43 UTC

An issue was discovered in mm/mmap.c in the Linux kernel before 5.7.11. There is a race condition between certain expand functions (expand_downwards and expand_upwards) and page-table free operations from an munmap call.

Reference:
https://bugs.chromium.org/p/project-zero/issues/detail?id=2056

Upstream patch:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=246c320a8cfe0b11d81a4af38fa9985ef0cc9a4c

Comment 1 Guilherme de Almeida Suckevicz 2020-12-01 17:40:32 UTC

Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1903263]

Comment 6 Wade Mealing 2020-12-02 08:15:40 UTC

Mitigation:


There is no mitigation available at this time.  Red Hat is investigating a kpatch as an option to fix this issue on kpatch supported streams.

Comment 8 Justin M. Forbes 2020-12-02 14:20:28 UTC

This was fixed for Fedora with the 5.7.11 stable kernel updates.

Comment 15 Wade Mealing 2020-12-03 03:35:12 UTC

Removing needinfo as I think most of them are no longer relevant.

Note You need to log in before you can comment on or make changes to this bug.

acaringi
adscvr
airlied
aquini
asavkov
bhu
blc
bmasney
brdeoliv
bskeggs
dhoward
dvlasenk
esammons
fhrbata
hdegoede
hkrzesin
iboverma
itamar
jarodwilson
jeremy
jforbes
jglisse
jlelli
joe.lawrence
jonathan
josef
jpoimboe
jross
jshortt
jstancek
jthierry
jwboyer
kcarcia
kernel-maint
kernel-mgr
kpatch-maint
lgoncalv
linville
masami256
mchehab
mcressma
mjg59
mlangsdo
nmurray
ptalbert
qzhao
rhandlin
rt-maint
rvrbovsk
steved
walters
williams
wmealing
ycote