A flaw was found in Linux Kernel, where a race in KDGKBSENT and KDSKBSENT leads to use-after-free read in vt_do_kdgkb_ioctl References: https://groups.google.com/g/syzkaller-bugs/c/kZsmxkpq3UI/m/J35PFexWBgAJ?pli=1
References: https://www.openwall.com/lists/oss-security/2020/10/16/1
List of patches: 1. Older patches (already applied for 5.9 Kernel): https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/drivers/tty/vt/keyboard.c?id=6ca03f90527e499dd5e32d6522909e2ad390896b https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/drivers/tty/vt/keyboard.c?id=82e61c3909db51d91b9d3e2071557b6435018b80 2. Suggested patch for resolving issue: https://lkml.org/lkml/2020/10/29/528
External References: https://lkml.org/lkml/2020/10/29/528 https://lkml.org/lkml/2020/10/16/84
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1897134]
FEDORA-2020-98ccae320c has been pushed to the Fedora 33 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-2020-e211716d08 has been pushed to the Fedora 32 stable repository. If problem still persists, please make note of it in this bug report.
Statement: This issue is rated as having Moderate impact because of the attack scenario limitation where only local user with access to VT console if at least CAP_SYS_TTY_CONFIG enabled can trigger this issue.
For triggering the bug, user needs privileges. At least "CAP_SYS_TTY_CONFIG" needs to be enabled, but this is not the only precondition. As far as I know, there is no known way today for triggering this until CONFIG_KASAN enabled (that is parameter for runtime memory debugger and usually disabled for production systems). Means that if parameter CONFIG_KASAN not enabled for the kernel (for rhel* by default disabled), then the bug happens silently (without kernel crash) since read use-after-free usually not easily triggerable.
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2021:0856 https://access.redhat.com/errata/RHSA-2021:0856
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2021:0857 https://access.redhat.com/errata/RHSA-2021:0857
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-25656
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:2950 https://access.redhat.com/errata/RHSA-2024:2950
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:3138 https://access.redhat.com/errata/RHSA-2024:3138