There is a use-after-free in kernel versions before 5.5 due to a race condition between the release of ptp_clock and cdev while resource deallocation. When a (high privileged) process allocates a ptp device file (like /dev/ptpX) and voluntarily goes to sleep. During this time if the underlying device is removed it can cause an exploitable condition as the process wakes up to terminate and clean all attached files. The system crashes due to the cdev structure being invalid (as already freed) which is pointed to by the inode.

🗓️ 25 Sep 2020 07:00:00Reported by MicrosoftType

Use-after-free race in kernel before 5.5 between ptp_clock release and cdev during device removal.

Reporter	Title	Published	Views	Family All 292
IBM Security Bulletins	Security Bulletin: There are multiple vulnerabilities in the Linux Kernel used in IBM Elastic Storage System	25 May 202223:01	–	ibm
IBM Security Bulletins	Security Bulletin: Vulnerabilities in Linux Kernel and Java affect IBM Spectrum Protect Plus	3 Mar 202121:46	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Security Guardium is affected by kernel vulnerabilities	13 Apr 202116:24	–	ibm
IBM Security Bulletins	Security Bulletin: IBM QRadar SIEM is vulnerable to using components with known vulnerabilities	27 Jan 202100:05	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Data Risk Manager is affected by multiple vulnerabilities	2 Feb 202105:06	–	ibm
CBLMariner	CVE-2020-10690 affecting package kernel 5.4.91-6	3 Mar 202103:44	–	cbl_mariner
Tenable Nessus	CentOS 8 : kernel (CESA-2020:1769)	1 Feb 202100:00	–	nessus
Tenable Nessus	CentOS 7 : kernel (RHSA-2020:4060)	20 Oct 202000:00	–	nessus
Tenable Nessus	Debian DLA-2241-2 : linux security update	10 Jun 202000:00	–	nessus
Tenable Nessus	EulerOS 2.0 SP8 : kernel (EulerOS-SA-2020-2514)	14 Dec 202000:00	–	nessus