CVE-2020-27835 - OpenCVE

A use after free in the Linux kernel infiniband hfi1 driver in versions prior to 5.10-rc6 was found in the way user calls Ioctl after open dev file and fork. A local user could use this flaw to crash the system.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Complete

AV:L/AC:L/Au:N/C:N/I:N/A:C

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Linux	Infiniband Hfi1 Driver
Redhat	Enterprise Linux

Configuration 1 [-]

OR	cpe:2.3:a:linux:infiniband_hfi1_driver::::::::
	cpe:2.3:a:linux:infiniband_hfi1_driver:5.10:rc1::::::
	cpe:2.3:a:linux:infiniband_hfi1_driver:5.10:rc2::::::
	cpe:2.3:a:linux:infiniband_hfi1_driver:5.10:rc3::::::
	cpe:2.3:a:linux:infiniband_hfi1_driver:5.10:rc4::::::
	cpe:2.3:a:linux:infiniband_hfi1_driver:5.10:rc5::::::

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 8
kernel-rt-0:4.18.0-305.rt7.72.el8	cpe:/a:redhat:enterprise_linux:8::nfv	RHSA-2021:1739	2021-05-18T00:00:00Z
kernel-0:4.18.0-305.el8	cpe:/o:redhat:enterprise_linux:8	RHSA-2021:1578	2021-05-18T00:00:00Z

References

Link	Providers
https://bugzilla.redhat.com/show_bug.cgi?id=1901709
https://nvd.nist.gov/vuln/detail/CVE-2020-27835
https://www.cve.org/CVERecord?id=CVE-2020-27835

History

No history.

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2021-01-07T17:24:30

Updated: 2024-08-04T16:25:43.607Z

Reserved: 2020-10-27T00:00:00

Link: CVE-2020-27835

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-01-07T18:15:13.137

Modified: 2021-01-14T15:12:37.217

Link: CVE-2020-27835

Redhat

Severity : Moderate

Publid Date: 2020-11-25T00:00:00Z

Links: CVE-2020-27835 - Bugzilla

{"containers": {"cna": {"affected": [{"product": "kernel", "vendor": "n/a", "versions": [{"status": "affected", "version": "kernel versions prior to 5.10-rc6"}]}], "descriptions": [{"lang": "en", "value": "A use after free in the Linux kernel infiniband hfi1 driver in versions prior to 5.10-rc6 was found in the way user calls Ioctl after open dev file and fork. A local user could use this flaw to crash the system."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-416", "description": "CWE-416", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-01-07T17:24:30", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1901709"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2020-27835", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "kernel", "version": {"version_data": [{"version_value": "kernel versions prior to 5.10-rc6"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A use after free in the Linux kernel infiniband hfi1 driver in versions prior to 5.10-rc6 was found in the way user calls Ioctl after open dev file and fork. A local user could use this flaw to crash the system."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-416"}]}]}, "references": {"reference_data": [{"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1901709", "refsource": "MISC", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1901709"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T16:25:43.607Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1901709"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2020-27835", "datePublished": "2021-01-07T17:24:30", "dateReserved": "2020-10-27T00:00:00", "dateUpdated": "2024-08-04T16:25:43.607Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:linux:infiniband_hfi1_driver:*:*:*:*:*:*:*:*", "matchCriteriaId": "99E5D6FB-5CEF-430C-81AC-928A9A01B9C6", "versionEndIncluding": "5.9", "vulnerable": true}, {"criteria": "cpe:2.3:a:linux:infiniband_hfi1_driver:5.10:rc1:*:*:*:*:*:*", "matchCriteriaId": "FE97FE96-B356-40E7-B12D-8BAADB9EBB33", "vulnerable": true}, {"criteria": "cpe:2.3:a:linux:infiniband_hfi1_driver:5.10:rc2:*:*:*:*:*:*", "matchCriteriaId": "8D3FC0AE-D981-49AD-8D9E-BEE39489D8B0", "vulnerable": true}, {"criteria": "cpe:2.3:a:linux:infiniband_hfi1_driver:5.10:rc3:*:*:*:*:*:*", "matchCriteriaId": "BCFE51EF-E796-44C1-8A4C-3248AD5EC5B3", "vulnerable": true}, {"criteria": "cpe:2.3:a:linux:infiniband_hfi1_driver:5.10:rc4:*:*:*:*:*:*", "matchCriteriaId": "84989273-E8E5-4296-BC4A-BB543F70FA81", "vulnerable": true}, {"criteria": "cpe:2.3:a:linux:infiniband_hfi1_driver:5.10:rc5:*:*:*:*:*:*", "matchCriteriaId": "5798EA92-2CF5-4BE2-8904-261085662EB5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A use after free in the Linux kernel infiniband hfi1 driver in versions prior to 5.10-rc6 was found in the way user calls Ioctl after open dev file and fork. A local user could use this flaw to crash the system."}, {"lang": "es", "value": "Se encontr\u00f3 un uso de la memoria previamente liberada en el controlador infiniband hfi1 del kernel de Linux en versiones anteriores a 5.10-rc6, en la manera en que el usuario llama una Ioctl despu\u00e9s de abrir el archivo dev y la rama. Un usuario local podr\u00eda usar este fallo para bloquear el sistema"}], "id": "CVE-2020-27835", "lastModified": "2021-01-14T15:12:37.217", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 4.9, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 6.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 0.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-01-07T18:15:13.137", "references": [{"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1901709"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "secalert@redhat.com", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2021:1739", "cpe": "cpe:/a:redhat:enterprise_linux:8::nfv", "package": "kernel-rt-0:4.18.0-305.rt7.72.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2021-05-18T00:00:00Z"}, {"advisory": "RHSA-2021:1578", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "kernel-0:4.18.0-305.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2021-05-18T00:00:00Z"}], "bugzilla": {"description": "kernel: child process is able to access parent mm through hfi dev file handle", "id": "1901709", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1901709"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.4", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-416", "details": ["A use after free in the Linux kernel infiniband hfi1 driver in versions prior to 5.10-rc6 was found in the way user calls Ioctl after open dev file and fork. A local user could use this flaw to crash the system.", "A flaw use after free in the Linux kernel infiniband hfi1 driver was found in the way user calls Ioctl after open dev file and fork. A local user could use this flaw to crash the system."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, prevent the module hfi1 from being loaded. Please see https://access.redhat.com/solutions/41278 for information on how to denylist a kernel module to prevent it from loading automatically."}, "name": "CVE-2020-27835", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Will not fix", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Will not fix", "package_name": "kernel-alt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Will not fix", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}], "public_date": "2020-11-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-27835\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-27835"], "statement": "This flaw is rated as having a Moderate impact because the issue can only be triggered by an authorized local user with access to a system with specific hardware present.", "threat_severity": "Moderate", "upstream_fix": "Linux kernel 5.10-rc6"}