Lucene search

K
redhatcveRedhat.comRH:CVE-2020-12657
HistoryMay 07, 2020 - 12:40 p.m.

CVE-2020-12657

2020-05-0712:40:19
redhat.com
access.redhat.com
28

0.0004 Low

EPSS

Percentile

13.6%

A flaw was found in the Linux kernel’s implementation of the BFQ IO scheduler. This flaw allows a local user able to groom system memory to cause kernel memory corruption and possible privilege escalation by abusing a race condition in the IO scheduler.

Mitigation

The default io scheduler for Red Hat Enterprise Linux 8 is the mq-deadline scheduler, however it can be
configured to any of the available schedulers available on the system on a per-device basis.

The schedulers in use can be verified by the block devices entry in sysfs, for example for "sda":

cat /sys/block/sda/queue/scheduler

[mq-deadline] kyber bfq none

All block devices in the system will need to be changed to be mitigated. If the system workload requires
bfq, this may not be an acceptable workaround however some systems may find changing io schedulers to be an
acceptable workaround until system updates can be applied.

See <https://access.redhat.com/solutions/3756041&gt; for how to configure the io scheduler persistently across
system reboots or contact Red Hat Global Support Services.