ACK: [PATCH 0/1] [SRU] [focal/linux-oem-5.6] CVE-2020-10781: zram oom
Colin Ian King
colin.king at canonical.com
Fri Mar 12 17:48:13 UTC 2021
On 12/03/2021 17:32, Tim Gardner wrote:
> [Impact]
> A flaw was found in the Linux Kernel before 5.8-rc6 in the ZRAM kernel module,
> where a user with a local account and the ability to read the
> /sys/class/zram-control/hot_add file can create ZRAM device nodes in the /dev/
> directory. This read allocates kernel memory and is not accounted for a user
> that triggers the creation of that ZRAM device. With this vulnerability,
> continually reading the device may consume a large amount of system memory
> and cause the Out-of-Memory (OOM) killer to activate and terminate random
> userspace processes, possibly making the system inoperable.
>
> From the Ubuntu security team:
> Luca Bruno discovered that the zram module in the Linux kernel did not properly
> restrict unprivileged users from accessing the hot_add sysfs file. A local
> attacker could use this to cause a denial of service (memory exhaustion).
>
> [Test Case]
> none
>
> [Potential regression]
FYI, this has been renamed to [Where problems could occur] and [Test
Case] to [Test Plan], see:
https://wiki.ubuntu.com/StableReleaseUpdates
..so can that style of template be used in future.
Cherry pick looks good, so..
Acked-by: Colin Ian King <colin.king at canonical.com>
> Released in
> linux-4.14.y
> linux-4.19.y
> linux-5.4.y
> linux-5.7.y
>
>
>
More information about the kernel-team
mailing list