I. Vulnerability Information
CVE ID: CVE-2020-29374
Affected component: kernel
Affected versions: 4.19.90, 4.19.138
CVSS v3.0 score:
BaseScore: 7.0 High
Vector:CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Vulnerability description:
An issue was discovered in the Linux kernel before 5.7.3, related to mm/gup.c and mm/huge_memory.c. The get_user_pages (aka gup) implementation, when used for a copy-on-write page, does not properly consider the semantics of read operations and therefore can grant unintended write access, aka CID-17839856fd58.
Disclosure date: 2020-11-28
Issue creation time: 2020-12-11 15:31:02
Vulnerability details reference link:
https://nvd.nist.gov/vuln/detail/CVE-2020-29374
Vulnerability analysis guide link:
https://gitee.com/openeuler/cve-manager/blob/master/doc/md/manual.md
II. Vulnerability Analysis Feedback
Impact analysis:
An issue was discovered in the Linux kernel before 5.7.3, related to mm/gup.c and mm/huge_memory.c. The get_user_pages (aka gup) implementation, when used for a copy-on-write page, does not properly consider the semantics of read operations and therefore can grant unintended write access, aka CID-17839856fd58.
openEuler score:
3.6
Vector:CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
Affected version check (affected/not affected):
1. openEuler-20.03-LTS: affected
2. openEuler-20.03-LTS-SP1: affected
3. openEuler-20.03-LTS-SP2: affected
Does the fix involve an ABI change (yes/no):
1.openEuler-20.03-LTS:
2.openEuler-20.03-LTS-SP1:
3.openEuler-20.03-LTS-SP2:
@weiyj ,@Xie XiuQi ,@YangYingliang
Notes on handling this issue:
1. When submitting a PR for a branch affected by this issue, the issue number must be included in the PR description to link them; otherwise this issue cannot be closed.
2. The template must be filled in completely, whether the branch is affected or not; otherwise this issue cannot be closed.
3. The following template fields must be filled in completely; please copy them into a comment reply. Note: the field titles (影响性分析说明, openEuler评分, 受影响版本排查(受影响/不受影响)) are the literal keys parsed by cve-manager and must not be omitted, otherwise cve-manager cannot parse the reply.
影响性分析说明 (Impact analysis):
openEuler评分 (openEuler score): (score and vector)
受影响版本排查(受影响/不受影响) (Affected version check, affected/not affected):
1.openEuler-20.03-LTS:
2.openEuler-20.09:
For detailed issue handling steps, see:
https://gitee.com/openeuler/cve-manager/blob/master/doc/md/manual.md
For how to link a PR to an issue, see:
https://gitee.com/help/articles/4142
Hey openeuler-ci-bot, Welcome to openEuler Community.
All of the projects in openEuler Community are maintained by @openeuler-ci-bot.
That means the developers can comment below every pull request or issue to trigger Bot Commands.
Please follow instructions at https://gitee.com/openeuler/community/blob/master/en/sig-infrastructure/command.md to find the details.
Background: the COW implementation in the current kernel has a vulnerability that can lead to information leakage between two processes that share a COW relationship.
Trigger scenario: because of the COW vulnerability, if two processes were ever related through fork (parent/child, siblings, etc.), the attacking process can see the attacked process's private data by driving the reference count of the corresponding page to 0.
The reproduction method published by the community (https://bugs.chromium.org/p/project-zero/issues/detail?id=2045) was analyzed and simplified into the following steps. The main principle is: vmsplice obtains the page through gup and attaches it to a pipe fd; that page is not replaced when COW occurs, i.e. what is obtained is the original page, so after the child process calls munmap it can still read the contents of the original page (shared with the parent) through the pipe.
Impact analysis:
An issue was discovered in the Linux kernel before 5.7.3, related to mm/gup.c and mm/huge_memory.c. The get_user_pages (aka gup) implementation, when used for a copy-on-write page, does not properly consider the semantics of read operations and therefore can grant unintended write access, aka CID-17839856fd58.
openEuler score:
3.6
Affected version check (affected/not affected):
@liujingang09 ,@Yang.Li ,@yanxiaobing2020 ,@zhujianwei001 ,@guoxiaoqi ,@gwei3 ,@jinjin The CVE score needs to be reviewed (the review commands /approve and /reject mean approval and rejection).
openEuler score:
7.0
Vector:CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
@gwei3 Does the fix involve an ABI change (yes/no): not analyzed, or not filled in the correct format: openEuler-20.03-LTS:, openEuler-20.03-LTS-SP1:, openEuler-20.03-LTS-SP2:
openEuler score:
3.6
Vector:CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
@gwei3 Does the fix involve an ABI change (yes/no): not analyzed, or not filled in the correct format: openEuler-20.03-LTS:, openEuler-20.03-LTS-SP1:, openEuler-20.03-LTS-SP2:
A fix patch is now available upstream. Should the fix for this CVE be restarted? Thanks.
@wuyankun The current issue status is: Suspended. Please change the issue status first, otherwise the comment cannot be recognized.