oss-sec mailing list archives

CVE-2021-20200: Linux kernel: close race between munmap() and expand_upwards()/downwards()

From: Rohit Keshri <rkeshri () redhat com>
Date: Wed, 10 Feb 2021 20:34:37 +0530

Hello Team,

A use-after-free flaw may be seen due to a race problem while in
detach_vmas_to_be_unmapped() in mm/mmap.c in VMA access while
munmap(). This flaw could allow a local attacker with a user privilege
to crash the system, because VMA with VM_GROWSDOWN or VM_GROWSUP flag
set may change their size under mmap_read_lock(). This vulnerability
could even lead to a kernel information leak problem.


'CVE-2021-20200' was assigned by Red Hat.

References:
https://bugs.chromium.org/p/project-zero/issues/detail?id=2056
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=246c320a8cfe0b11d81a4af38fa9985ef0cc9a4c

Thanks and Regards
..
Rohit Keshri / Red Hat Product Security Team
PGP: OX01BC 858A 07B7 15C8 EF33 BFE2 2EEB 0CBC 84A4 4C2D

secalert () redhat com for urgent response

Current thread:

CVE-2021-20200: Linux kernel: close race between munmap() and expand_upwards()/downwards() Rohit Keshri (Feb 10)
- Re: CVE-2021-20200: Linux kernel: close race between munmap() and expand_upwards()/downwards() Alexandros Toptsoglou (Feb 10)
  - Re: CVE-2021-20200: Linux kernel: close race between munmap() and expand_upwards()/downwards() Rohit Keshri (Feb 19)