Bug 1179598 - (CVE-2020-29534) VUL-1: CVE-2020-29534: kernel-source: io_uring takes a non-refcounted reference to the files_struct of the process that submitted a request, causing execve() to incorrectly optimize
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P4 - Low
Severity: Minor
Target Milestone: ---
Assigned To: Security Team bot
https://smash.suse.de/issue/272707/
CVSSv3.1:SUSE:CVE-2020-29534:6.2:(AV:...
Depends on:
Blocks:
Reported: 2020-12-04 10:57 UTC by Robert Frohl
Modified: 2022-06-09 10:56 UTC (History)
CC List: 7 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Robert Frohl 2020-12-04 10:57:06 UTC
CVE-2020-29534

An issue was discovered in the Linux kernel before 5.9.3. io_uring takes a
non-refcounted reference to the files_struct of the process that submitted a
request, causing execve() to incorrectly optimize unshare_fd(), aka
CID-0f2122045b94.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-29534
https://bugs.chromium.org/p/project-zero/issues/detail?id=2089
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-29534
https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.9.3
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0f2122045b946241a9e549c2a76cea54fa58a7ff
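The description above is compressed; the mechanism it refers to is the refcount check on the execve() path. unshare_files() duplicates the calling task's files_struct only when its count is greater than one. A pending io_uring request that holds a bare pointer to that files_struct does not raise the count, so when the submitting process calls execve() the kernel sees count == 1, skips the copy, and the new program image (possibly a setuid binary) keeps the very table the async worker will later operate on. The following userspace model is an added illustration, not kernel code and not the fix itself; the names files_struct, get_files_struct, put_files_struct and exec_unshare_files are borrowed from the kernel but the bodies are a simplified model, and the single-integer refcount and table_id stand in for the real fd table. It contrasts the weak reference with a held reference and shows how the held reference changes what unshare does at exec time:

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Userspace model of struct files_struct: only the refcount and an identity.
 * (Assumption for illustration; the kernel struct holds the real fd table.) */
struct files_struct {
    int count;       /* kernel: atomic_t count */
    int table_id;    /* stands in for the fd table contents */
};

struct task {
    struct files_struct *files;
};

/* One queued io_uring request that will run later on an async worker. */
struct io_request {
    struct files_struct *files;   /* the submitter's table */
    bool holds_ref;               /* false = weak pointer (bug), true = held ref (fix) */
};

static int next_table_id = 1;

static struct files_struct *alloc_files(void)
{
    struct files_struct *f = calloc(1, sizeof *f);
    if (!f)
        abort();
    f->count = 1;
    f->table_id = next_table_id++;
    return f;
}

static void get_files_struct(struct files_struct *f) { f->count++; }

static void put_files_struct(struct files_struct *f)
{
    if (--f->count == 0)
        free(f);
}

/*
 * Model of unshare_files() on the execve() path. The table is duplicated
 * only when it is shared (count > 1); with count == 1 it is kept in place.
 * That skipped copy is the "optimization" named in the CVE text.
 * Returns the displaced table, or NULL when nothing was displaced.
 */
static struct files_struct *exec_unshare_files(struct task *t)
{
    struct files_struct *old = t->files;

    if (old->count > 1) {
        t->files = alloc_files();   /* dup_fd(): fresh private table for the new image */
        put_files_struct(old);      /* drop the exec'ing task's share of the old table */
        return old;
    }
    return NULL;
}

/* Vulnerable behaviour: take_ref == false. Fixed behaviour: take_ref == true. */
static void submit_request(struct io_request *req, struct task *t, bool take_ref)
{
    req->files = t->files;
    req->holds_ref = take_ref;
    if (take_ref)
        get_files_struct(req->files);
}

static void complete_request(struct io_request *req)
{
    if (req->holds_ref)
        put_files_struct(req->files);
    req->files = NULL;
}

/*
 * Returns true when, after execve(), the still-pending request's ->files is
 * the table the new program image is running with. That is the dangerous
 * outcome: async work submitted by the old image acts on the new image's fds.
 */
static bool request_reaches_new_image(bool fixed)
{
    struct task t = { .files = alloc_files() };
    struct io_request req;

    submit_request(&req, &t, fixed);
    (void)exec_unshare_files(&t);   /* displaced table, if any, is released by complete_request() */
    bool reaches = (req.files == t.files);

    complete_request(&req);
    put_files_struct(t.files);
    return reaches;
}

int main(void)
{
    printf("weak ->files reference: request reaches new image table: %s\n",
           request_reaches_new_image(false) ? "yes" : "no");
    printf("held files_struct ref:  request reaches new image table: %s\n",
           request_reaches_new_image(true) ? "yes" : "no");
    return 0;
}
```

With the weak reference the count stays at 1, the exec path keeps the table, and the request ends up pointing at the new image's file descriptors. With a held reference the count is 2 at exec time, the new image gets a private copy, and the request is left with the displaced table that only it still uses. The real fix is larger than this model: holding a reference from a request to the files_struct creates a circular dependency (the ring is itself a file in that table), which the upstream commit has to break separately; the model shows only the refcount effect on the exec path.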
Comment 1 Robert Frohl 2020-12-04 10:57:59 UTC
tracking as affected:

- SUSE:SLE-15-SP2:Update/kernel-source
- SUSE:SLE-15-SP3:Update/kernel-source
Comment 3 Marcus Meissner 2020-12-07 07:47:12 UTC
Can you judge the impact of this? Could this be a reference-count-based use-after-free thing or a denial of service due to loops?
Comment 6 Jan Kara 2020-12-08 12:00:48 UTC
Normally, Goldwyn's team should be taking care of io_uring. But let me take a look...

So the fix commit 0f2122045b "io_uring: don't rely on weak ->files references" is marked as 5.5+ and indeed, as far as I can see from the io_uring sources, the problem was introduced by fcb323cc53 "io_uring: io_uring: add support for async work inheriting files", which went into 5.5-rc1. We don't have that commit in any of our trees other than "master", so I don't think there's anything to do from our side.

Reassigning back to security team.
Comment 7 Carlos López 2022-06-09 10:56:22 UTC
Done, closing.