[SRU X/B/F/G] CVE-2020-27777 Restrict RTAS requests from userspace

Thadeu Lima de Souza Cascardo cascardo at canonical.com
Wed Dec 2 13:24:17 UTC 2020


On Wed, Dec 02, 2020 at 09:16:38AM +0100, Stefan Bader wrote:
> On 01.12.20 21:50, Thadeu Lima de Souza Cascardo wrote:
> > The rtas syscall allows userspace to request any RTAS call (firmware services). This
> > should not be unrestricted under lockdown, so filter all requests in any case,
> > to allow only those legitimate requests that might be used by real tools.
> > 
> 
> Can you explain to someone who does not have the whole history in his head why
> Bionic and Focal only have config changes while Xenial and Groovy need a code
> change?
> 
> -Stefan
> 
> 

Bionic and Focal already had the fix backported from the stable tree.
The config has been fixed too by Kamal Mostafa. The only missing piece in those
two trees is the annotations file.

This has not been backported to stable 4.4.y, and 5.8.y is EOL at 5.8.18, so
Xenial and Groovy needed the patch and config changes.

Cascardo.