CVE-2020-29660 Overview
CVE-2020-29660 is a locking inconsistency vulnerability in the tty subsystem of the Linux kernel through version 5.9.13. The flaw resides in drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c, where inconsistent locking around the TIOCGSID ioctl enables a read-after-free condition [CWE-416]. A local attacker with access to a tty can race the kernel into reading freed memory, potentially disclosing sensitive kernel data. The issue was fixed in commit c8bcd9c5be24 in the upstream Linux kernel tree.
Critical Impact
Local attackers can exploit the use-after-free condition in TIOCGSID handling to read freed kernel memory, potentially leading to information disclosure of sensitive kernel state.
Affected Products
- Linux kernel through 5.9.13
- Debian Linux 9.0 and 10.0; Fedora 32 and 33
- NetApp SolidFire BMC, H410c, A700s, A400, AFF 8300/8700 firmware; NetApp Active IQ Unified Manager for VMware vSphere; Broadcom Fabric Operating System
Discovery Timeline
- 2020-12-09 - CVE-2020-29660 published to NVD
- 2020-12-10 - Public disclosure on the OpenWall oss-security mailing list
- 2021-01-22 - NetApp publishes security advisory ntap-20210122-0001
- 2021-02 / 2021-03 - Debian LTS and DSA-4843 security updates released
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2020-29660
Vulnerability Analysis
The vulnerability is a use-after-free [CWE-416] in the Linux kernel tty subsystem triggered through the TIOCGSID ioctl. The TIOCGSID operation returns the session ID associated with a controlling terminal. Inconsistent locking between drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c allows the tty_struct and its related session data to be freed by one thread while another thread is still dereferencing it.
Exploitation requires local access and an authenticated user able to open a tty device and issue ioctls. The impact is constrained to confidentiality, with no direct integrity or availability effect. Because the bug yields a read primitive over freed slab memory, attackers can chain it with heap-spray techniques to leak addresses and weaken Kernel Address Space Layout Randomization (KASLR), enabling subsequent privilege escalation chains.
Root Cause
The root cause is a missing or inconsistent lock acquisition on the path that reads the tty session field. One code path holds tty->ctrl_lock while another path reads the same data without holding the lock, allowing a concurrent close or hangup to free the underlying object. The upstream fix in commit c8bcd9c5be24 standardizes locking around session ID access so that reads observe a consistent, non-freed state.
Attack Vector
An unprivileged local user opens a pseudo-terminal or controlling tty, then races two threads: one issuing ioctl(fd, TIOCGSID, &sid) and another forcing the controlling tty to be released. Successful timing of the race causes the TIOCGSID handler to read attacker-controlled or stale memory from a freed slab object. The freed memory can be reallocated with attacker-shaped data using common kernel heap-spraying primitives.
No verified public proof-of-concept code is referenced in the advisory data. See the Linux Kernel Commit c8bcd9c and the OpenWall OSS Security Post for technical specifics of the fix.
Detection Methods for CVE-2020-29660
Indicators of Compromise
- Unprivileged processes performing repeated ioctl() calls with the TIOCGSID request number against /dev/pts/* or /dev/tty* devices.
- Concurrent open(), setsid(), and close() operations on tty devices from the same low-privileged user, characteristic of race-condition exploitation.
- Kernel oops or slab corruption messages in dmesg referencing tty_jobctrl.c, tiocgsid, or tty_struct.
Detection Strategies
- Inventory hosts running vulnerable kernels (Linux 5.9.13 and earlier, unpatched Debian 9/10, Fedora 32/33) using package and uname -r queries.
- Audit ioctl syscall telemetry with eBPF or auditd rules focused on tty-related request codes from non-root users.
- Correlate slab allocator warnings (SLUB, KASAN) in kernel logs with the issuing process and parent shell.
Monitoring Recommendations
- Forward dmesg and /var/log/kern.log to a centralized log platform and alert on KASAN, use-after-free, or general protection fault events involving tty paths.
- Track per-user ioctl rates against tty character devices and alert on bursts indicative of race-window probing.
- Maintain a kernel version inventory and flag systems lagging behind the patched baselines listed in the vendor advisories.
How to Mitigate CVE-2020-29660
Immediate Actions Required
- Apply the kernel update containing upstream commit c8bcd9c5be24 for your distribution, prioritizing multi-tenant and shell-accessible systems.
- Update Debian systems via DSA-4843 and the corresponding Debian LTS announcements.
- Update Fedora 32/33 hosts using the published Fedora package announcement.
- Apply NetApp firmware updates as listed in NetApp advisory ntap-20210122-0001 for SolidFire BMC, H410c, A700s, A400, and AFF 8300/8700 platforms.
Patch Information
The upstream fix is Linux kernel commit c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9, which corrects locking around session ID reads in the tty job control code. Distribution-specific backports are available via Debian DSA-4843, Debian LTS updates from February and March 2021, Fedora package announcements for Fedora 32 and 33, and Ubuntu Kernel Live Patch LSN-0082-1 referenced on Packet Storm. NetApp shipped fixed firmware bundles for affected storage and management appliances.
Workarounds
- Restrict interactive shell and pseudo-terminal access on production systems to trusted, authenticated administrators only.
- Apply kernel live patches such as Ubuntu LSN-0082-1 where immediate reboots are not feasible.
- Where supported, enable Linux kernel hardening options such as slab_nomerge and init_on_free=1 to reduce the reliability of heap-spray-based use-after-free exploitation.
# Verify the running kernel and confirm patched version on Debian/Ubuntu
uname -r
apt-get update && apt-get install --only-upgrade linux-image-$(uname -r | sed 's/[^-]*-[^-]*-//')
# Verify on Fedora
uname -r
dnf update kernel kernel-core kernel-modules
# Optional hardening (add to GRUB_CMDLINE_LINUX in /etc/default/grub)
GRUB_CMDLINE_LINUX="slab_nomerge init_on_free=1"
update-grub
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
