Allele Security Alert
ASA-2020-00050
Identifier(s)
ASA-2020-00050, CVE-2020-25220
Title
Use-after-free vulnerability in cgroup BPF component
Vendor(s)
Linux Foundation
Product(s)
Linux kernel
Affected version(s)
Linux kernel versions 4.19.x before 4.19.140
Linux kernel versions 4.14.x before 4.14.194
Linux kernel versions 4.9.x before 4.9.233
Fixed version(s)
Linux kernel version 4.19.140
Linux kernel version 4.14.194
Linux kernel version 4.9.233
Linux kernel versions that include the following commit:
cgroup: add missing skcd->no_refcnt check in cgroup_sk_clone()
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f3b1d647251a94a6968a35e3d685dc8b1b24c3ff
Proof of concept
Unknown
Description
The Linux kernel 4.9.x before 4.9.233, 4.14.x before 4.14.194, and 4.19.x before 4.19.140 has a use-after-free because skcd->no_refcnt was not considered during the backport of the CVE-2020-14356 fix.
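The version ranges listed under Affected version(s) and Fixed version(s) can be turned into a quick local check. The POSIX shell function below is an added example; it is not part of this advisory or of the kernel sources. It compares a kernel version string with the first fixed release of each stable series the advisory names and reports anything outside those three series as unknown rather than guessing. The remark about distribution kernels carrying the fix without a version bump is an assumption of the example, not a statement from the advisory.

```shell
#!/bin/sh
# Added example, not part of the Allele advisory or of the kernel sources:
# classify a kernel version string against the affected/fixed releases that
# ASA-2020-00050 lists. Only the three stable series named in the advisory
# are covered; anything else is reported as "unknown" rather than guessed.
#
# Assumption (not stated by the advisory): distribution kernels often carry
# the fix at an unchanged upstream version string, so "affected" here means
# "upstream release older than the fixed one"; the distribution trackers the
# advisory references remain the authority for packaged kernels.

# Usage: asa_2020_00050_affected VERSION
# Prints "affected", "fixed" or "unknown".
asa_2020_00050_affected() {
    ver=$1
    ver=${ver%%-*}          # strip suffixes such as "-generic" or "-amd64"
    ver=${ver%%+*}          # and a trailing "+" marking a locally built tree

    # Split MAJOR.MINOR.PATCH with parameter expansion (no IFS juggling).
    maj=${ver%%.*}
    rest=${ver#"$maj"}; rest=${rest#.}
    min=${rest%%.*}
    rest=${rest#"$min"}; rest=${rest#.}
    pat=${rest%%.*}
    pat=${pat%%[!0-9]*}     # keep only the leading digits of the patch level
    : "${pat:=0}"           # "4.19" with no patch level counts as 4.19.0

    # First fixed release per series, as given under "Fixed version(s)".
    case "$maj.$min" in
        4.19) fixed=140 ;;
        4.14) fixed=194 ;;
        4.9)  fixed=233 ;;
        *)    echo unknown; return 0 ;;
    esac

    if [ "$pat" -lt "$fixed" ]; then
        echo affected
    else
        echo fixed
    fi
}

# Check the running kernel when the script is executed directly.
asa_2020_00050_affected "$(uname -r 2>/dev/null || echo unknown)"
```

The function deliberately returns unknown for 5.x and for any series not named in the advisory: a mainline kernel past the original fix is not in scope for this identifier, and a verdict for it would be a guess.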
Technical details
Part of the original fix, cgroup: fix cgroup_sk_alloc() for sk_clone_lock(), is the following code:
+void cgroup_sk_clone(struct sock_cgroup_data *skcd)
+{
+ if (skcd->val) {
+ if (skcd->no_refcnt)
+ return;
+ /*
+ * We might be cloning a socket which is left in an empty
+ * cgroup and the cgroup might have already been rmdir'd.
+ * Don't use cgroup_get_live().
+ */
+ cgroup_get(sock_cgroup_ptr(skcd));
+ cgroup_bpf_get(sock_cgroup_ptr(skcd));
+ }
+}
However, the backported patch has the following logic:
+void cgroup_sk_clone(struct sock_cgroup_data *skcd)
+{
+ /* Socket clone path */
+ if (skcd->val) {
+ /*
+ * We might be cloning a socket which is left in an empty
+ * cgroup and the cgroup might have already been rmdir'd.
+ * Don't use cgroup_get_live().
+ */
+ cgroup_get(sock_cgroup_ptr(skcd));
+ }
+}
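Review bot: the guard `if (skcd->no_refcnt) return;` that precedes `cgroup_get(sock_cgroup_ptr(skcd));` in the upstream `cgroup_sk_clone()` is absent here, so the clone path takes a cgroup reference even for a socket whose cgroup data is flagged no_refcnt; restore the check ahead of the `cgroup_get()` call, which is exactly what the fix commit "cgroup: add missing skcd->no_refcnt check in cgroup_sk_clone()" does.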
The following check is missing from the backport:
+ if (skcd->no_refcnt)
+ return;
Credits
Adam Zabrocki and Brad Spengler
Reference(s)
The short story of 1 Linux Kernel Use-After-Free bug and 2 CVEs (CVE-2020-14356 and CVE-2020-25220)
http://blog.pi3.com.pl/?p=720
cgroup: add missing skcd->no_refcnt check in cgroup_sk_clone()
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f3b1d647251a94a6968a35e3d685dc8b1b24c3ff
cgroup: add missing skcd->no_refcnt check in cgroup_sk_clone()
https://github.com/torvalds/linux/commit/f3b1d647251a94a6968a35e3d685dc8b1b24c3ff
cgroup: fix cgroup_sk_alloc() for sk_clone_lock()
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ad0f75e5f57ccbceec13274e1e242f2b5a6397ed
cgroup: fix cgroup_sk_alloc() for sk_clone_lock()
https://github.com/torvalds/linux/commit/ad0f75e5f57ccbceec13274e1e242f2b5a6397ed
netprio_cgroup: Fix unlimited memory leak of v2 cgroups
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=090e28b229af92dc5b40786ca673999d59e73056
netprio_cgroup: Fix unlimited memory leak of v2 cgroups
https://github.com/torvalds/linux/commit/090e28b229af92dc5b40786ca673999d59e73056
cgroup: duplicate cgroup reference when cloning sockets
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d979a39d7242e0601bf9b60e89628fb8ac577179
cgroup: duplicate cgroup reference when cloning sockets
https://github.com/torvalds/linux/commit/d979a39d7242e0601bf9b60e89628fb8ac577179
sock, cgroup: add sock->sk_cgroup
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=bd1060a1d67128bb8fbe2e1384c518912cbe54e7
sock, cgroup: add sock->sk_cgroup
https://github.com/torvalds/linux/commit/bd1060a1d67128bb8fbe2e1384c518912cbe54e7
Linux 4.19.140
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.140
Linux 4.9.233
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.233
Linux 4.14.194
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.194
CVE-2020-25220 - Red Hat Customer Portal
https://access.redhat.com/security/cve/CVE-2020-25220
CVE-2020-25220
https://security-tracker.debian.org/tracker/CVE-2020-25220
https://people.canonical.com/~ubuntu-security/cve/CVE-2020-25220.html
CVE-2020-25220 | SUSE
https://www.suse.com/security/cve/CVE-2020-25220
CVE-2020-25220
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25220
CVE-2020-25220
https://nvd.nist.gov/vuln/detail/CVE-2020-25220
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: September 16, 2020