Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

Re: CVE-2020-25656: Linux kernel concurrency UAF in vt_do_kdgkb_ioctl

Related Vulnerabilities: CVE-2020-25656  
Source 
                							

                <!--X-Body-Begin-->
<!--X-User-Header-->

oss-sec
mailing list archives
<!--X-User-Header-End-->
<!--X-TopPNI-->

By Date

By Thread

</form>

<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
Re: CVE-2020-25656: Linux kernel concurrency UAF in vt_do_kdgkb_ioctl

<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->

From: Greg KH &lt;gregkh () linuxfoundation org&gt;

Date: Fri, 16 Oct 2020 09:03:49 +0200

<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->

<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
On Fri, Oct 16, 2020 at 08:58:34AM +0200, Jiri Slaby wrote:
Cc Greg.

On 16. 10. 20, 5:39, Minh Yuan wrote:
Hi,

We recently discovered a uaf read in vt_do_kdgkb_ioctl from linux kernel
version 3.4 to the latest version (v5.9 for now).

The root cause of this vulnerability is that there exits a race in
KDGKBSENT and KDSKBSENT.

Here are details:
1. use  KDSKBSENT to allocate a lager heap buffer to funcbufptr;
2. use KDGKBSENT to obtain the allocated heap pointer in step1 by
func_table, at the same time, due to KDGKBSENT has no lock, we can use
KDSKBSENT again to allocate a larger buffer than step1, and the old
funcbufptr will be freed. However, we've obtained the heap pointer in
KDGKBSENT, so a uaf read will happen while executing put_user.

Hi,

this is likely the issue I am fixing at:
https://git.kernel.org/pub/scm/linux/kernel/git/jirislaby/linux.git/commit/?h=devel&amp;id=57c85191e788e172a446e34ef77d34473cfb1e8d

I think, it won't apply cleanly as it's a part of a larger set. I will
reorder the patch and send something during the day.

Great, thanks for looking into this!

greg k-h

<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->

<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->

By Date

By Thread

Current thread:

CVE-2020-25656: Linux kernel concurrency UAF in vt_do_kdgkb_ioctl Minh Yuan (Oct 15)

&lt;Possible follow-ups&gt;
Re: CVE-2020-25656: Linux kernel concurrency UAF in vt_do_kdgkb_ioctl Jiri Slaby (Oct 16)

Re: CVE-2020-25656: Linux kernel concurrency UAF in vt_do_kdgkb_ioctl Greg KH (Oct 16)

 

<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started