CVE-2020-10690
kernel: use-after-free in cdev_put() when a PTP device is removed while it's chardev is open
Severity Score
Exploit Likelihood
Affected Versions
24Public Exploits
0Exploited in Wild
-Decision
Descriptions
There is a use-after-free in kernel versions before 5.5 due to a race condition between the release of ptp_clock and cdev while resource deallocation. When a (high privileged) process allocates a ptp device file (like /dev/ptpX) and voluntarily goes to sleep. During this time if the underlying device is removed, it can cause an exploitable condition as the process wakes up to terminate and clean all attached files. The system crashes due to the cdev structure being invalid (as already freed) which is pointed to by the inode.
Se presenta un uso de la memoria previamente liberada en kernel versiones anteriores a 5.5, debido a una condición de carrera entre la liberación de ptp_clock y cdev durante la desasignación de recursos. Cuando un proceso (muy privilegiado) asigna un archivo de dispositivo ptp (como /dev/ptpX) y voluntariamente se va a dormir. Durante este tiempo, si el dispositivo subyacente es removido, puede causar una condición explotable a medida que el proceso se activa para terminar y limpiar todos los archivos adjuntos. El sistema se bloquea debido a que la estructura cdev no está siendo válida (ya que se ha liberado), lo cual señala el inode.
There is a use-after-free problem seen due to a race condition between the release of ptp_clock and cdev while resource deallocation. When a (high privileged) process allocates a ptp device file (like /dev/ptpX) and voluntarily goes to sleep. During this time if the underlying device is removed, it can cause an exploitable condition as the process wakes up to terminate and clean all attached files. The system crashes due to the cdev structure being invalid (as already freed) which is pointed to by the inode.
It was discovered that a race condition existed in the Precision Time Protocol implementation in the Linux kernel, leading to a use-after- free vulnerability. A local attacker could possibly use this to cause a denial of service or possibly execute arbitrary code. Matthew Sheets discovered that the SELinux network label handling implementation in the Linux kernel could be coerced into de-referencing a NULL pointer. A remote attacker could use this to cause a denial of service. Various other issues were also addressed.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2020-03-20 CVE Reserved
- 2020-05-08 CVE Published
- 2024-08-04 CVE Updated
- 2025-03-18 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-416: Use After Free
CAPEC
References (8)
| URL | Tag | Source |
|---|---|---|
| https://lists.debian.org/debian-lts-announce/2020/0... | Mailing List |
|
| https://lists.debian.org/debian-lts-announce/2020/0... | Mailing List |
|
| https://security.netapp.com/advisory/ntap-20200608-... | Third Party Advisory |
|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| http://lists.opensuse.org/opensuse-security-announce/2020-... | 2023-11-07 | |
| https://usn.ubuntu.com/4419-1 | 2023-11-07 | |
| https://access.redhat.com/security/cve/CVE-2020-10690 | 2020-09-29 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=1817141 | 2020-09-29 |