CVE-2021-20226 – Linux Kernel io_uring Use-After-Free Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2021-20226
A use-after-free flaw was found in the io_uring in Linux kernel, where a local attacker with a user privilege could cause a denial of service problem on the system The issue results from the lack of validating the existence of an object prior to performing operations on the object by not incrementing the file reference counter while in use. The highest threat from this vulnerability is to data integrity, confidentiality and system availability. Se encontró un fallo de uso de la memoria previamente liberada en io_uring en el kernel de Linux, donde un atacante local con un privilegio de usuario podría causar un problema de denegación de servicio en el sistema. El problema resulta de una falta de comprobación de la existencia de un objeto antes de llevar a cabo operaciones en el objeto al no incrementar el contador de referencia de archivo mientras está en uso. La mayor amenaza de esta vulnerabilidad es la integridad de los datos, la confidencialidad y la disponibilidad del sistema This vulnerability allows local attackers to escalate privileges on affected installations of Linux Kernel. • https://bugzilla.redhat.com/show_bug.cgi?id=1873476 https://security.netapp.com/advisory/ntap-20210401-0001 • CWE-416: Use After Free •
CVE-2020-29569
https://notcve.org/view.php?id=CVE-2020-29569
An issue was discovered in the Linux kernel through 5.10.1, as used with Xen through 4.14.x. The Linux kernel PV block backend expects the kernel thread handler to reset ring->xenblkd to NULL when stopped. However, the handler may not have time to run if the frontend quickly toggles between the states connect and disconnect. As a consequence, the block backend may re-use a pointer after it was freed. A misbehaving guest can trigger a dom0 crash by continuously connecting / disconnecting a block frontend. • https://lists.debian.org/debian-lts-announce/2021/02/msg00018.html https://lists.debian.org/debian-lts-announce/2021/03/msg00010.html https://security.gentoo.org/glsa/202107-30 https://security.netapp.com/advisory/ntap-20210205-0001 https://www.debian.org/security/2021/dsa-4843 https://xenbits.xenproject.org/xsa/advisory-350.html • CWE-416: Use After Free •
CVE-2020-27777 – kernel: powerpc: RTAS calls can be used to compromise kernel integrity
https://notcve.org/view.php?id=CVE-2020-27777
A flaw was found in the way RTAS handled memory accesses in userspace to kernel communication. On a locked down (usually due to Secure Boot) guest system running on top of PowerVM or KVM hypervisors (pseries platform) a root like local user could use this flaw to further increase their privileges to that of a running kernel. Se encontró un fallo en la manera en que RTAS manejaba los accesos a la memoria en el espacio de usuario para la comunicación del kernel. En un sistema invitado bloqueado (generalmente debido al arranque seguro) que se ejecuta en la parte superior de los hipervisores PowerVM o KVM (plataforma pseries), un usuario root como local podría usar este fallo para aumentar aún más sus privilegios a los de un kernel en ejecución A flaw was found in the way RTAS handled memory accesses in userspace to kernel communication. On a locked down (usually due to Secure Boot) guest system running on top of PowerVM or KVM hypervisors (pseries platform) a root like local user could use this flaw to further increase their privileges to that of a running kernel. • https://bugzilla.redhat.com/show_bug.cgi?id=1900844 https://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux.git/commit/?h=next&id=bd59380c5ba4147dcbaad3e582b55ccfd120b764 https://www.openwall.com/lists/oss-security/2020/10/09/1 https://www.openwall.com/lists/oss-security/2020/11/23/2 https://access.redhat.com/security/cve/CVE-2020-27777 • CWE-862: Missing Authorization •
CVE-2020-27825
https://notcve.org/view.php?id=CVE-2020-27825
A use-after-free flaw was found in kernel/trace/ring_buffer.c in Linux kernel (before 5.10-rc1). There was a race problem in trace_open and resize of cpu buffer running parallely on different cpus, may cause a denial of service problem (DOS). This flaw could even allow a local attacker with special user privilege to a kernel information leak threat. Se encontró un fallo de uso de la memoria previamente liberada en el archivo kernel/trace/ring_buffer.c en el kernel de Linux (anteriores a la versión 5.10-rc1). Se presentó un problema de carrera en trace_open y el cambio de tamaño del búfer de la CPU ejecutándose paralelamente en diferentes CPUs, puede causar un problema de Denegación de Servicio (DOS). • https://bugzilla.redhat.com/show_bug.cgi?id=1905155 https://lists.debian.org/debian-lts-announce/2021/02/msg00018.html https://lists.debian.org/debian-lts-announce/2021/03/msg00010.html https://security.netapp.com/advisory/ntap-20210521-0008 https://www.debian.org/security/2021/dsa-4843 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVE-2020-29660 – kernel: locking inconsistency in drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c can lead to a read-after-free
https://notcve.org/view.php?id=CVE-2020-29660
A locking inconsistency issue was discovered in the tty subsystem of the Linux kernel through 5.9.13. drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c may allow a read-after-free attack against TIOCGSID, aka CID-c8bcd9c5be24. Se detectó un problema de inconsistencia de bloqueo en el subsistema tty del kernel de Linux versiones hasta 5.9.13. Los archivos drivers/tty/tty_io.c y drivers/tty/tty_jobctrl.c pueden permitir un ataque de lectura de la memoria previamente liberada contra TIOCGSID, también se conoce como CID-c8bcd9c5be24 A locking inconsistency issue was discovered in the tty subsystem of the Linux kernel. A local user could use this flaw to read numerical value from memory after free. • http://packetstormsecurity.com/files/164950/Kernel-Live-Patch-Security-Notice-LSN-0082-1.html http://www.openwall.com/lists/oss-security/2020/12/10/1 https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9 https://lists.debian.org/debian-lts-announce/2021/02/msg00018.html https://lists.debian.org/debian-lts-announce/2021/03/msg00010.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BOB25SU6X • CWE-416: Use After Free CWE-667: Improper Locking •