CVE-2020-29372 Overview
CVE-2020-29372 is a race condition vulnerability in the Linux kernel affecting versions prior to 5.6.8. The flaw resides in do_madvise in mm/madvise.c, where a race occurs between coredump operations and the IORING_OP_MADVISE implementation in io_uring. A local, low-privileged attacker can trigger the race to cause a kernel-level denial of service. The fix is tracked as commit bc0c4d1e176e in the upstream Linux kernel tree. Ubuntu 14.04 ESM, 16.04 LTS, 18.04 LTS, and 20.04 LTS received backported fixes via kernel live patch advisories.
Critical Impact
A local attacker with low privileges can exploit the race between coredump handling and IORING_OP_MADVISE to cause kernel-level denial of service through memory state corruption.
Affected Products
- Linux kernel versions prior to 5.6.8
- Canonical Ubuntu Linux 14.04 ESM, 16.04 LTS, 18.04 LTS, and 20.04 LTS
- Distributions shipping vulnerable kernels with io_uring enabled
Discovery Timeline
- 2020-11-28 - CVE-2020-29372 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2020-29372
Vulnerability Analysis
The vulnerability is classified as a race condition [CWE-362] in the Linux kernel memory management subsystem. The do_madvise function in mm/madvise.c lacked proper synchronization between two concurrent code paths: the coredump operation, which walks the target process's address space, and the asynchronous IORING_OP_MADVISE opcode submitted through the io_uring interface. When both paths execute against the same memory mappings without serialization, the kernel reaches an inconsistent state. The condition requires local access and specific timing, but no authentication beyond a standard user account able to issue io_uring requests.
Root Cause
The IORING_OP_MADVISE implementation invoked do_madvise on a target mm_struct without holding mmap_sem in a way that excluded coredump operations. The coredump path concurrently traverses and reads the process's address space. Without coordination, advice operations such as MADV_DONTNEED could free or modify pages while the coredump path iterated the VMAs, producing undefined behavior in the memory descriptor.
Attack Vector
Exploitation requires local access to a vulnerable host and the ability to invoke io_uring syscalls. An attacker triggers a coredump in a process while concurrently submitting IORING_OP_MADVISE operations targeting that process's memory. Winning the race produces kernel-side corruption that manifests as a denial-of-service condition. The race window is narrow, reflected in the high attack complexity rating, but is reachable from unprivileged userspace where io_uring is exposed.
No verified public proof-of-concept code is available. Technical details and the upstream fix are documented in the Linux Kernel Commit Reference and the Chromium Project Zero Issue.
Detection Methods for CVE-2020-29372
Indicators of Compromise
- Unexpected kernel oops or panic messages referencing do_madvise, madvise_vma, or io_uring worker threads in dmesg and /var/log/kern.log
- Crashed processes producing coredumps coincident with active io_uring workloads from non-privileged users
- Unusual rates of io_uring_setup and io_uring_enter syscalls from interactive user sessions
Detection Strategies
- Audit running kernel versions across the fleet and flag hosts running Linux kernels below 5.6.8 without backported patches
- Enable auditd rules for io_uring_setup, io_uring_enter, and madvise syscalls to correlate suspicious sequences with crash events
- Monitor for processes invoking IORING_OP_MADVISE against PIDs that are concurrently generating coredumps
Monitoring Recommendations
- Centralize kernel ring buffer and syslog data to identify repeated kernel faults originating from the memory management subsystem
- Track kernel.core_pattern activity and correlate with userspace io_uring usage to surface anomalous patterns
- Establish baselines for io_uring adoption per host so deviations by non-developer accounts are visible
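The auditd correlation strategy and the kernel-log monitoring recommendation above, as one added detection example (not code from the page's sources): it parses constructed kernel oops lines (journalctl short-unix style) and constructed auditd SYSCALL records for the page's indicators, then flags unprivileged users whose io_uring syscalls fall shortly before a madvise/io_uring kernel fault. The log formats, syscall numbers (x86_64) and time window are assumptions.

```python
import re
from collections import defaultdict
# Constructed sample kernel log (not a real incident), `journalctl -k -o short-unix` style.
KERNEL_LOG = """\
1591179242.101 host1 kernel: BUG: unable to handle page fault for address: ffff9a0b1c000000
1591179242.102 host1 kernel: CPU: 1 PID: 4242 Comm: io_wqe_worker-0 Not tainted 5.6.7 #1
1591179242.103 host1 kernel: RIP: 0010:madvise_vma+0x1c2/0x4a0
1591179242.105 host1 kernel:  do_madvise+0x29d/0x8b0
"""
# Constructed auditd SYSCALL records (rule: -a always,exit -F arch=b64 -S io_uring_setup -S io_uring_enter -S madvise -k io_uring);
# x86_64 numbers: 425 io_uring_setup, 426 io_uring_enter, 427 io_uring_register, 28 madvise.
AUDIT_LOG = """\
type=SYSCALL msg=audit(1591179238.900:8810): arch=c000003e syscall=425 success=yes exit=3 auid=1001 uid=1001 comm="racer" key="io_uring"
type=SYSCALL msg=audit(1591179241.512:8811): arch=c000003e syscall=426 success=yes exit=1 auid=1001 uid=1001 comm="racer" key="io_uring"
type=SYSCALL msg=audit(1591179241.530:8812): arch=c000003e syscall=28 success=yes exit=0 auid=1001 uid=1001 comm="racer" key="io_uring"
type=SYSCALL msg=audit(1591178000.000:8700): arch=c000003e syscall=426 success=yes exit=1 auid=1002 uid=1002 comm="dbserver" key="io_uring"
"""
KERN_LINE = re.compile(r"^(?P<ts>\d+\.\d+) \S+ kernel: (?P<msg>.*)$")
FAULT_FRAME = re.compile(r"\b(do_madvise|madvise_vma|io_wq\w*|io_uring\w*)\b")  # the page's oops indicators
AUDIT_LINE = re.compile(r'^type=SYSCALL msg=audit\((?P<ts>\d+\.\d+):\d+\): .*? syscall=(?P<nr>\d+) '
                        r'.*?(?<![a-z])uid=(?P<uid>\d+) .*?comm="(?P<comm>[^"]*)"')  # lookbehind skips auid=/euid=
SYSCALL_NAMES = {425: "io_uring_setup", 426: "io_uring_enter", 427: "io_uring_register", 28: "madvise"}

def kernel_fault_events(log, gap=5.0):
    """Timestamps of distinct oops events whose lines name madvise or io_uring code."""
    hits = sorted(float(m["ts"]) for line in log.splitlines()
                  if (m := KERN_LINE.match(line)) and FAULT_FRAME.search(m["msg"]))
    events = []
    for ts in hits:  # lines of one stack dump collapse into a single event
        if not events or ts - events[-1] > gap:
            events.append(ts)
    return events
def io_uring_activity(log, min_uid=1000):
    """uid -> [(ts, syscall, comm)] for io_uring/madvise calls by non-system users."""
    activity = defaultdict(list)
    for m in map(AUDIT_LINE.match, log.splitlines()):
        if m and int(m["uid"]) >= min_uid and int(m["nr"]) in SYSCALL_NAMES:
            activity[int(m["uid"])].append((float(m["ts"]), SYSCALL_NAMES[int(m["nr"])], m["comm"]))
    return activity
def correlate(kernel_log, audit_log, window=30.0):
    """Alert on users whose io_uring syscalls fall within `window` seconds before such a fault."""
    alerts, activity = [], io_uring_activity(audit_log)
    for fault in kernel_fault_events(kernel_log):
        for uid, calls in activity.items():
            near = [(name, comm) for ts, name, comm in calls if fault - window <= ts <= fault]
            if any(name.startswith("io_uring") for name, _ in near):
                alerts.append({"fault_ts": fault, "uid": uid, "comm": near[0][1],
                               "syscalls": sorted({name for name, _ in near})})
    return alerts
```

The dbserver record demonstrates the negative case: io_uring use by a service account far outside the window produces no alert, which is what the per-host baseline recommendation is meant to preserve.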
How to Mitigate CVE-2020-29372
Immediate Actions Required
- Upgrade the Linux kernel to version 5.6.8 or later, or apply the distribution-supplied backport that includes commit bc0c4d1e176e
- For Ubuntu hosts, apply the Kernel Live Patch referenced in the Packet Storm Security Notice (LSN-0075-1)
- Inventory systems exposing io_uring to untrusted local users and prioritize patching
Patch Information
The upstream fix is included in the Linux 5.6.8 stable release, documented in the Linux Changelog for 5.6.8. The corrective commit is bc0c4d1e176eeb614dc8734fc3ace34292771f11, which adjusts locking around do_madvise to serialize against coredump operations. Canonical addressed the issue across Ubuntu 14.04 ESM through 20.04 LTS via live patch updates.
Workarounds
- Disable io_uring for unprivileged users by setting kernel.io_uring_disabled=2 on kernels that support the sysctl, or rebuild without CONFIG_IO_URING where feasible
- Restrict local shell access on multi-tenant systems to reduce the population able to trigger the race
- Apply seccomp filters in container runtimes and sandboxes to block io_uring_setup and io_uring_enter for workloads that do not require them
# Verify the running kernel version (vulnerable if below 5.6.8 and no distribution backport of bc0c4d1e176e is applied)
uname -r
# Restrict io_uring for unprivileged users; the sysctl exists only on newer kernels and is absent on the vulnerable 5.x releases, where patching is the fix
echo 'kernel.io_uring_disabled = 2' | sudo tee /etc/sysctl.d/99-io-uring.conf
sudo sysctl --system
# Confirm the setting took effect where the sysctl exists
sysctl kernel.io_uring_disabled
# Example seccomp denial of io_uring syscalls in a container runtime
# (add to the "syscalls" array of the runtime's seccomp profile)
# { "names": ["io_uring_setup", "io_uring_enter", "io_uring_register"],
#   "action": "SCMP_ACT_ERRNO" }
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.