Bug 1183400 - (CVE-2021-20261) VUL-0: CVE-2021-20261: kernel-source,kernel-source-azure,kernel-source-rt: panic on multiple access to floppy device
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Hardware: Other, OS: Other
Priority: P3 - Medium, Severity: Major
Assigned To: Security Team bot
Depends on:
Reported: 2021-03-11 15:18 UTC by Robert Frohl
Modified: 2022-06-09 08:35 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Robert Frohl 2021-03-11 15:18:14 UTC

A race condition was found in the Linux kernel's implementation of the floppy disk drive controller driver software.  The impact of this issue is lessened by the fact that the default permissions on the floppy device (/dev/fd0) are restricted to root.  If the permissions on the device have changed, the impact changes greatly.  In the default configuration, root (or equivalent) permissions are required to attack this flaw.

From: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a0c80efe5956ccce9fe7ae5c78542578c07bc20a

"In case of multiple threads trying to open("/dev/fdX"), this leads to serious corruptions all over the place, because all of a sudden there is no critical section protection (that'd otherwise be guaranteed by lockedfd) whatsoever."

It is likely that this memory corruption will at minimum crash the system, at worst corrupt memory and lead to possible privilege escalation.

Fixed in: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a0c80efe5956ccce9fe7ae5c78542578c07bc20a

Comment 1 Robert Frohl 2021-03-11 15:31:12 UTC
This is a bit hard to judge, but I think all codestreams are affected.

I could have made a mistake with the kernel configs though. Please correct me if this is wrong.
Comment 2 Takashi Iwai 2021-03-12 13:51:28 UTC
The fix is in 4.5 kernel, and already backported to cve/linux-4.4.
So at most the backport is needed to cve/linux-3.0 and older branches.
Comment 3 Takashi Iwai 2021-03-12 14:19:00 UTC
I backported to cve/linux-3.0 and cve/linux-3.12.
cve/linux-2.6.32 and cve/linux-2.6.16 need a significant amount of modification.
Comment 4 Takashi Iwai 2021-03-12 14:36:45 UTC
The fix was backported to both cve/linux-2.6.32 and cve/linux-2.6.16 branches, too.

Reassigned back to security team.
Comment 6 Swamp Workflow Management 2021-05-12 13:17:07 UTC
SUSE-SU-2021:14724-1: An update that solves 11 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1056134,1180963,1182715,1182716,1182717,1183400,1183696,1184120,1184194,1184198,1184208,1184211,1184393
CVE References: CVE-2020-35519,CVE-2020-36322,CVE-2021-20261,CVE-2021-27363,CVE-2021-27364,CVE-2021-27365,CVE-2021-28950,CVE-2021-28972,CVE-2021-29650,CVE-2021-30002,CVE-2021-3483
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src):    kernel-bigmem-3.0.101-108.126.1, kernel-default-3.0.101-108.126.1, kernel-ec2-3.0.101-108.126.1, kernel-pae-3.0.101-108.126.1, kernel-ppc64-3.0.101-108.126.1, kernel-source-3.0.101-108.126.1, kernel-syms-3.0.101-108.126.1, kernel-trace-3.0.101-108.126.1, kernel-xen-3.0.101-108.126.1
SUSE Linux Enterprise Server 11-EXTRA (src):    kernel-default-3.0.101-108.126.1, kernel-pae-3.0.101-108.126.1, kernel-ppc64-3.0.101-108.126.1, kernel-trace-3.0.101-108.126.1, kernel-xen-3.0.101-108.126.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    kernel-bigmem-3.0.101-108.126.1, kernel-default-3.0.101-108.126.1, kernel-ec2-3.0.101-108.126.1, kernel-pae-3.0.101-108.126.1, kernel-ppc64-3.0.101-108.126.1, kernel-trace-3.0.101-108.126.1, kernel-xen-3.0.101-108.126.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
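A defender-side check derived from the advisory above (an added example, not part of this bug report or of SUSE's tooling): parse the "Sources used" lines into fixed version-release pairs per product and compare an installed kernel package string against them with an rpm-style version comparison. The advisory text embedded below is an excerpt of the lines quoted in Comment 6, and rpm_vercmp is a simplified reimplementation of rpmvercmp that ignores tilde and caret handling.

```python
import re

# Excerpt of the "Sources used" block from SUSE-SU-2021:14724-1 as quoted in Comment 6 above.
ADVISORY_SOURCES = """\
SUSE Linux Enterprise Server 11-SP4-LTSS (src):    kernel-default-3.0.101-108.126.1, kernel-source-3.0.101-108.126.1, kernel-xen-3.0.101-108.126.1
SUSE Linux Enterprise Server 11-EXTRA (src):    kernel-default-3.0.101-108.126.1, kernel-pae-3.0.101-108.126.1
"""

def parse_sources(text):
    """Map product -> {package name: (version, release)} from 'Sources used' lines."""
    fixed = {}
    for line in text.splitlines():
        if "(src):" not in line:
            continue
        product, pkgs = line.split("(src):", 1)
        entries = {}
        for item in pkgs.split(","):
            # "name-version-release": the name may contain dashes, but version and
            # release do not, so split on the last two dashes only.
            name, version, release = item.strip().rsplit("-", 2)
            entries[name] = (version, release)
        fixed[product.strip()] = entries
    return fixed

def _segments(s):
    # rpm style: digit runs compare numerically, letter runs compare lexically
    return [int(x) if x.isdigit() else x for x in re.findall(r"\d+|[A-Za-z]+", s)]

def rpm_vercmp(a, b):
    """Simplified rpmvercmp: returns -1, 0 or 1 (no tilde/caret rules)."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if type(x) is not type(y):
            return 1 if isinstance(x, int) else -1  # numeric segment sorts newer than alpha
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def is_patched(fixed, product, installed):
    """installed: 'name-version-release' as printed by `rpm -q <name>` (drop the .arch suffix).
    Returns True/False, or None when the advisory lists no such package for the product."""
    name, version, release = installed.rsplit("-", 2)
    target = fixed.get(product, {}).get(name)
    if target is None:
        return None
    cmp = rpm_vercmp(version, target[0]) or rpm_vercmp(release, target[1])
    return cmp >= 0

if __name__ == "__main__":
    fixed = parse_sources(ADVISORY_SOURCES)
    print(is_patched(fixed, "SUSE Linux Enterprise Server 11-SP4-LTSS", "kernel-default-3.0.101-108.120.1"))
```

A None result means the advisory does not cover that package for that product, which is worth flagging separately from "not patched" when scripting this over a fleet.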
Comment 9 Carlos López 2022-06-09 08:35:38 UTC
Done, closing.