An issue was discovered in the FUSE filesystem implementation in the Linux kernel before 5.10.6. fuse_do_getattr() calls make_bad_inode() in inappropriate situations, causing a system crash. NOTE: the original fix for this vulnerability was incomplete, and its incompleteness is tracked as CVE-2021-28950. Reference and upstream patch: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=5d069dbe8aaf2a197142558b6fb2978189ba3454
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1949561]
This was fixed for Fedora with the 5.10.6 stable kernel updates.
Mitigation: As the FUSE module will be auto-loaded when required, its use can be disabled by preventing the module from loading with the following instructions: # echo "install fuse /bin/true" >> /etc/modprobe.d/disable-fuse.conf The system will need to be restarted if the FUSE modules are loaded. In most circumstances, the CIFS kernel modules will be unable to be unloaded while the FUSE filesystems are in use. If the system requires this module to work correctly, this mitigation may not be suitable. If you need further assistance, see KCS article https://access.redhat.com/solutions/41278 or contact Red Hat Global Support Services.
External References: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=5d069dbe8aaf2a197142558b6fb2978189ba3454
Statement: This issue affected Linux kernel versions as shipped with Red Hat Enterprise Linux from 8.3 and prior the versions. RHEL 8.4 and later versions are not affected.
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:1578 https://access.redhat.com/errata/RHSA-2021:1578
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-36322
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Extended Update Support Via RHSA-2022:0078 https://access.redhat.com/errata/RHSA-2022:0078
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Extended Update Support Via RHSA-2022:0072 https://access.redhat.com/errata/RHSA-2022:0072
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2022:0063 https://access.redhat.com/errata/RHSA-2022:0063
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2022:0065 https://access.redhat.com/errata/RHSA-2022:0065