CVE-2020-10690

Description

There is a use-after-free in kernel versions before 5.5 due to a race condition between the release of ptp_clock and cdev while resource deallocation. When a (high privileged) process allocates a ptp device file (like /dev/ptpX) and voluntarily goes to sleep. During this time if the underlying device is removed, it can cause an exploitable condition as the process wakes up to terminate and clean all attached files. The system crashes due to the cdev structure being invalid (as already freed) which is pointed to by the inode.

CVSS Metrics

• v3.1•MEDIUM•Score: 6.5CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
• v3.1•MEDIUM•Score: 6.4CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
• v2.0•MEDIUM•Score: 4.4AV:L/AC:M/Au:N/C:P/I:P/A:P

EPSS Trends

Current EPSS score: 0.13%• Percentile: 32%

Techniques & Countermeasures

• CWE-416•Use After Free

  The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

Affected Systems

• canonical•ubuntu_linux

  14.04 | 16.04

• debian•debian_linux

  8.0

• linux•linux_kernel

  < 5.5

• netapp•active_iq_unified_manager

  na

• netapp•element_software

  na

• netapp•h300e

  na

• netapp•h300s_firmware

  na

• netapp•h410c_firmware

  na

• netapp•h410s_firmware

  na

• netapp•h500e

  na

• netapp•h500s_firmware

  na

• netapp•h610c_firmware

  na

• netapp•h610s_firmware

  na

• netapp•h615c_firmware

  na

• netapp•h700e

  na

• netapp•h700s_firmware

  na

• netapp•hci_compute_node_firmware

  na

• netapp•hci_management_node

  na

• netapp•solidfire

  na

• netapp•steelstore_cloud_integrated_storage

  na

• opensuse•leap

  15.1

• red hat•kernel

  all kernel versions before 5.5

• redhat•enterprise_linux

  7.0 | 8.0

References (6)

• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10690
• https://security.netapp.com/advisory/ntap-20200608-0001/
• https://lists.debian.org/debian-lts-announce/2020/06/msg00011.html
• https://lists.debian.org/debian-lts-announce/2020/06/msg00013.html
• http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00022.html
• https://usn.ubuntu.com/4419-1/