CVE-2020-29374 — LOW (3.6) — White Hats Nepal

Q: How severe is CVE-2020-29374?

CVE-2020-29374 has been rated LOW with a CVSS base score of 3.6/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2020-29374?

Check the references section above for vendor advisories and patch information. Affected products include: Linux Linux Kernel, Debian Debian Linux, Netapp 500F Firmware, Netapp 500F, Netapp A250 Firmware.

Vulnerability Description

An issue was discovered in the Linux kernel before 5.7.3, related to mm/gup.c and mm/huge_memory.c. The get_user_pages (aka gup) implementation, when used for a copy-on-write page, does not properly consider the semantics of read operations and therefore can grant unintended write access, aka CID-17839856fd58.

CVSS Score

3.6

LOW

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
Linux	Linux Kernel	< 5.7.3
Debian	Debian Linux	9.0
Netapp	500F Firmware	-
Netapp	500F	-
Netapp	A250 Firmware	-
Netapp	A250	-
Netapp	H410C Firmware	-
Netapp	H410C	-
Netapp	Solidfire \& Hci Management Node	-
Netapp	Solidfire \& Hci Storage Node	-
Netapp	Hci Compute Node Bios	-

Related Weaknesses (CWE)

CWE-362 CWE-863

References

http://packetstormsecurity.com/files/162117/Kernel-Live-Patch-Security-Notice-LSExploitThird Party AdvisoryVDB Entry
https://bugs.chromium.org/p/project-zero/issues/detail?id=2045ExploitIssue TrackingThird Party Advisory
https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.7.3Release NotesThird Party AdvisoryVendor Advisory
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=17PatchVendor Advisory
https://lists.debian.org/debian-lts-announce/2021/06/msg00019.htmlMailing ListThird Party Advisory
https://lists.debian.org/debian-lts-announce/2021/06/msg00020.htmlMailing ListThird Party Advisory
https://lists.debian.org/debian-lts-announce/2022/03/msg00012.htmlMailing ListThird Party Advisory
https://security.netapp.com/advisory/ntap-20210115-0002/Third Party Advisory
https://www.debian.org/security/2022/dsa-5096Third Party Advisory
http://packetstormsecurity.com/files/162117/Kernel-Live-Patch-Security-Notice-LSExploitThird Party AdvisoryVDB Entry
https://bugs.chromium.org/p/project-zero/issues/detail?id=2045ExploitIssue TrackingThird Party Advisory
https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.7.3Release NotesThird Party AdvisoryVendor Advisory
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=17PatchVendor Advisory
https://lists.debian.org/debian-lts-announce/2021/06/msg00019.htmlMailing ListThird Party Advisory
https://lists.debian.org/debian-lts-announce/2021/06/msg00020.htmlMailing ListThird Party Advisory

FAQ

What is CVE-2020-29374?

CVE-2020-29374 is a vulnerability with a CVSS score of 3.6 (LOW). An issue was discovered in the Linux kernel before 5.7.3, related to mm/gup.c and mm/huge_memory.c. The get_user_pages (aka gup) implementation, when used for a copy-on-write page, does not properly c...

How severe is CVE-2020-29374?

CVE-2020-29374 has been rated LOW with a CVSS base score of 3.6/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2020-29374?

Check the references section above for vendor advisories and patch information. Affected products include: Linux Linux Kernel, Debian Debian Linux, Netapp 500F Firmware, Netapp 500F, Netapp A250 Firmware.