Bug 1908249 (CVE-2021-20200) - CVE-2021-20200 kernel: close race between munmap() and expand_upwards()/downwards()
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2021-20200
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1923527 1923528 1923529 1923530 1923604 1927204 1927205 1927206 1927207 1927208 1927213 1927214 1927215 1927216 1927217 1927218 1927219 1927220 1927221 1927222 1927223 1927224 1927225 1927226 1927228 1927229 1927300 1927308 1929970
Blocks: 1878928 1921679
 
Reported: 2020-12-16 08:22 UTC by Dhananjay Arunesh
Modified: 2023-01-26 21:13 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Linux kernel. A race condition in mm/mmap.c in VMA access could allow a local attacker with user privileges to crash the system or lead to information leakage. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Clone Of:
Environment:
Last Closed: 2021-02-20 15:18:18 UTC
Embargoed:



Description Dhananjay Arunesh 2020-12-16 08:22:10 UTC
A use-after-free flaw may be seen due to a race problem in detach_vmas_to_be_unmapped() in mm/mmap.c in VMA access during munmap(). This flaw could allow a local attacker with user privileges to crash the system, because VMAs with the VM_GROWSDOWN or VM_GROWSUP flag set may change their size under mmap_read_lock(). This vulnerability could even lead to a kernel information leak problem.

References:
https://bugs.chromium.org/p/project-zero/issues/detail?id=2056
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=246c320a8cfe0b11d81a4af38fa9985ef0cc9a4c
https://redhat.service-now.com/surl.do?n=INC1430424

Comment 6 Rohit Keshri 2021-02-01 17:24:01 UTC
Mitigation:

Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Comment 13 Salvatore Bonaccorso 2021-02-10 19:44:09 UTC
Hi

The CVE-2021-20200 is a duplicate AFAICS from an already assigned CVE-2020-29369.

See https://bugs.chromium.org/p/project-zero/issues/detail?id=2056 where it was assigned.

Regards,
Salvatore

Comment 14 Salvatore Bonaccorso 2021-02-10 21:19:25 UTC
For reference see as well: https://bugzilla.redhat.com/show_bug.cgi?id=1903262

Comment 16 Rohit Keshri 2021-02-16 05:33:43 UTC
In reply to comment #13:
> Hi
> 
> The CVE-2021-20200 is a duplicate AFAICS from an already assigned
> CVE-2020-29369.
> 
> See https://bugs.chromium.org/p/project-zero/issues/detail?id=2056 where it
> was assigned.
> 
> Regards,
> Salvatore

Hello Salvatore, thank you for this information.

After reviewing the source, it has come to our attention that this is a duplicate of CVE-2020-29369, which is already there, and we are revoking this.

Regards,
Rohit

Comment 21 Rohit Keshri 2021-02-20 15:18:28 UTC
Statement:

Red Hat Product Security does not consider this to be a vulnerability.

