CVE-2020-36385 Overview
CVE-2020-36385 is a use-after-free vulnerability in the Linux kernel before version 5.10. It sits in drivers/infiniband/core/ucma.c, the userspace RDMA connection manager interface (kernel module rdma_ucm, exposed as the device node /dev/infiniband/rdma_cm). A context object (ctx) is reached via the file's ctx_list in certain ucma_migrate_id situations while ucma_close is being called on that file, so the context can be freed while still in use. The fix is kernel commit f5449e74802c, which NVD tracks as CID-f5449e74802c.
Critical Impact
A local attacker who can open /dev/infiniband/rdma_cm (the driver registers the node with mode 0666, so by default any local user can, as long as rdma_ucm is loaded) can race ucma_migrate_id against ucma_close to free a context that is still referenced. A use-after-free in kernel memory carries high confidentiality, integrity and availability impact: at minimum a kernel crash (denial of service), and with control over the reallocated object, privilege escalation or arbitrary code execution in kernel context.
Affected Products
- Linux Kernel (versions before 5.10)
- NetApp H-Series Storage Firmware (H300S, H500S, H700S, H300E, H500E, H700E, H410S, H410C)
- StarWind SAN & NAS v8r12
- StarWind Virtual SAN v8 build14338
Discovery Timeline
- 2021-06-07 - CVE-2020-36385 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2020-36385
Vulnerability Analysis
This use-after-free vulnerability (CWE-416) resides in the Linux kernel's InfiniBand/RDMA subsystem, specifically in the userspace RDMA connection manager access driver (ucma, built as the rdma_ucm module). The bug is a lack of synchronization between two operations on the same connection context: ucma_migrate_id and ucma_close.
When a user-space application manages RDMA (Remote Direct Memory Access) connections through /dev/infiniband/rdma_cm, the kernel keeps a context structure per connection ID and links it into the ctx_list of the open file that owns it. ucma_migrate_id moves a context from one open file to another: it is unlinked from the source file's ctx_list and linked into the destination's. ucma_close walks the closing file's ctx_list and destroys every context on it. Because the two paths were not properly serialized, a context could be destroyed through one file's ctx_list while ucma_migrate_id still held and used a pointer to it: a classic use-after-free produced by a race.
Exploitation requires only local access to the rdma_cm device node, but a successful race yields a freed kernel object that the attacker's process still operates on, which can compromise confidentiality, integrity and availability of the whole system. The exposure is largest on hosts where rdma_ucm is loaded for high-performance computing or storage networking and untrusted users can also log in.
Root Cause
The root cause of CVE-2020-36385 is insufficient locking and reference handling in the ucma driver when concurrent operations touch the same context. ucma_close tears down contexts it finds on the file's ctx_list without guaranteeing that no other path (here ucma_migrate_id) still holds a pointer obtained through that list. Kernel commit f5449e74802c reworks ucma_migrate_id so the context is taken and moved between files under the driver's locking rather than being reachable through ctx_list while ucma_close is destroying it, closing the race.
Attack Vector
The attack vector for this vulnerability is local, requiring an attacker to have local access to the system. The exploitation scenario involves:
- An attacker with local access opens RDMA communication channels through the UCMA interface
- The attacker triggers concurrent operations: initiating ucma_migrate_id while simultaneously causing ucma_close to be invoked
- The race condition causes the context structure to be freed while still in use
- By manipulating memory allocation, the attacker can potentially control the freed memory contents
- Subsequent access to the freed context can lead to arbitrary code execution or privilege escalation
The vulnerability manifests in the context list traversal mechanism during migration operations. When ucma_close is called concurrently with ucma_migrate_id, the context may be freed while still being referenced through the ctx_list. For detailed technical analysis, see the Google SyzScope Analysis UCMA Issue and the Syzkaller Bug Report #457491.
Detection Methods for CVE-2020-36385
Indicators of Compromise
- Kernel KASAN (Kernel Address Sanitizer) warnings indicating use-after-free read operations in ucma_close
- Unexpected kernel panics or crashes related to InfiniBand or RDMA subsystems
- Suspicious process activity involving /dev/infiniband/rdma_cm device access
- Memory corruption artifacts in kernel logs referencing the UCMA driver
Detection Strategies
- Enable KASAN on test and fuzzing hosts to catch use-after-free conditions; KASAN is a debugging tool, not a production hardening feature, and on a production kernel a triggered UAF surfaces, if at all, as slab corruption messages, an oops or a panic
- Monitor kernel logs for errors or warnings related to ucma_close, ucma_migrate_id, or InfiniBand drivers
- Implement audit rules to track access to RDMA-related device files and system calls
- Deploy endpoint detection solutions capable of monitoring kernel-level memory access patterns
Monitoring Recommendations
- Configure centralized logging to capture kernel messages related to InfiniBand and RDMA subsystems
- Establish baseline behavior for RDMA operations and alert on anomalous patterns
- Monitor for processes making unusual sequences of RDMA-related system calls
- Implement kernel integrity monitoring to detect potential exploitation attempts
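The log-scanning part of the strategy above, as an added example that is not from the original page: a POSIX shell filter that pulls the faulting function out of KASAN use-after-free reports in the ucma driver, plus the auditd watch rule the bullet list refers to. The kernel log lines below are constructed for this example (timestamps, addresses, offsets and the task name are invented) and are not a captured report; the audit rule uses auditctl's file-watch syntax.

```shell
#!/bin/sh
# Added example, not code from the original page. Scans kernel log text for
# KASAN use-after-free reports whose faulting function belongs to the ucma
# driver (ucma_close, ucma_migrate_id, ...).

# Constructed sample log lines: they imitate a KASAN report plus unrelated
# noise. Addresses, offsets and the task name are invented.
SAMPLE_KLOG='[  842.113207] BUG: KASAN: use-after-free in ucma_close+0x1c4/0x2b0
[  842.113212] Read of size 8 at addr ffff8881c0ff7a80 by task rdma_race/4127
[  842.113215] CPU: 1 PID: 4127 Comm: rdma_race Not tainted 5.8.0 #1
[  842.113221] Call Trace:
[  842.113224]  ucma_close+0x1c4/0x2b0
[  842.113228]  __fput+0x1f6/0x6a0
[  843.001000] mlx5_core 0000:3b:00.0: link up
[  900.500000] BUG: KASAN: use-after-free in ucma_migrate_id+0x3a0/0x520'

# Print the faulting ucma_* function for every KASAN UAF report on stdin.
# Only the "BUG: KASAN:" header line is matched, so call-trace frames that
# merely mention ucma_close do not produce duplicates.
kasan_ucma_functions() {
    sed -n 's/.*BUG: KASAN: use-after-free in \(ucma_[a-z_]*\)+.*/\1/p'
}

# Number of matching reports, for alert thresholds.
kasan_ucma_count() {
    kasan_ucma_functions | wc -l | tr -d ' '
}

# auditd rule recording every read/write open of the rdma_cm device node.
# Load with: auditctl $(rdma_cm_audit_rule)   or persist it under
# /etc/audit/rules.d/. This function only prints the rule.
rdma_cm_audit_rule() {
    printf '%s\n' '-w /dev/infiniband/rdma_cm -p rw -k rdma_cm_access'
}

# Live use on a host:  dmesg | kasan_ucma_functions
#                      journalctl -k --no-pager | kasan_ucma_count
```

Search with `ausearch -k rdma_cm_access` afterwards to see which processes opened the node; correlating those with a KASAN or oops line referencing ucma_close or ucma_migrate_id is the strongest indicator this page can offer.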
How to Mitigate CVE-2020-36385
Immediate Actions Required
- Update Linux kernel to version 5.10 or later where the vulnerability has been patched
- Apply vendor-specific firmware updates for NetApp H-Series storage systems (see NetApp Security Advisory NTAP-20210720-0004)
- Update StarWind SAN & NAS and Virtual SAN products according to StarWind Security Advisory SW-20220802-0002
- If immediate patching is not possible, restrict access to /dev/infiniband/rdma_cm to trusted users (the driver creates it world-readable and world-writable by default) or unload rdma_ucm where it is not needed
Patch Information
The vulnerability was fixed in Linux kernel version 5.10. The specific patch is identified by commit f5449e74802c1112dea984aec8af7a33c4516af1. Organizations should update to kernel version 5.10 or later to address this vulnerability. The detailed changelog is available at the Linux Changelog for 5.10, and the specific commit can be reviewed at the Linux Kernel Commit f5449e748.
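An added exposure check, not part of the advisory, the kernel project or any vendor's tooling: a POSIX shell script that compares the running kernel release against the 5.10 threshold stated above, reports whether the rdma_ucm module is loaded, and shows the mode of the rdma_cm device node. The 5.10 threshold, the commit ID, the module name and the node path come from this page and the driver; the function names are this example's own. Caveat, built into the output: distribution kernels often backport fixes without changing the version string, so a version hit means "check the vendor advisory", not "confirmed vulnerable".

```shell
#!/bin/sh
# Added example (not from the original page). Exposure check for
# CVE-2020-36385: kernel version, module state, device-node permissions.

# Return 0 (true) when a kernel release string such as "5.4.0-42-generic" is
# below 5.10, i.e. the upstream fix (commit f5449e74802c) is not present by
# version alone. Backported fixes are NOT detected here.
kernel_below_5_10() {
    major=${1%%.*}
    rest=${1#*.}
    [ "$rest" = "$1" ] && rest=0          # no minor component at all
    minor=${rest%%[!0-9]*}                # cut at first non-digit
    : "${minor:=0}"
    [ "$major" -lt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -lt 10 ]; }
}

# 0 when the rdma_ucm module (which contains ucma.c) is currently loaded.
rdma_ucm_loaded() {
    grep -q '^rdma_ucm ' /proc/modules 2>/dev/null
}

# Print the octal mode of the rdma_cm node, or "absent". The driver registers
# the misc device with mode 0666, so expect 666 unless udev has tightened it.
rdma_cm_node_mode() {
    node=/dev/infiniband/rdma_cm
    { [ -e "$node" ] && stat -c '%a' "$node" 2>/dev/null; } || echo absent
}

# Summarise the live host. Exit status 2 when the kernel is below 5.10 and
# the vendor advisory needs checking, 0 otherwise.
assess() {
    rel=$(uname -r)
    status=0
    if kernel_below_5_10 "$rel"; then
        echo "kernel $rel is below 5.10: confirm f5449e74802c is backported"
        status=2
    else
        echo "kernel $rel is 5.10 or newer: upstream fix present"
    fi
    if rdma_ucm_loaded; then
        echo "rdma_ucm loaded; /dev/infiniband/rdma_cm mode: $(rdma_cm_node_mode)"
    else
        echo "rdma_ucm not loaded: no local attack surface unless something loads it"
    fi
    return $status
}

# Usage on a host:  assess
```

A mode of 666 with rdma_ucm loaded on a kernel below 5.10 is the combination to act on first; the workarounds below remove either the module or the open permissions.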
Workarounds
- Unload or blacklist the rdma_ucm module (it contains ucma.c and creates /dev/infiniband/rdma_cm) where userspace RDMA connection management is not required; the separate legacy ib_ucm module is not involved in this CVE but can be disabled alongside it when unused
- Restrict access to /dev/infiniband/ device files using file permissions or SELinux/AppArmor policies
- Network segmentation does not address a local vulnerability; instead, limit which accounts can log in to hosts that must keep rdma_ucm loaded
- Make the module removal persistent with modprobe.d blacklist and install entries, as shown below, so it does not return after a reboot
# Disable the userspace RDMA CM interface if not required. ucma.c lives in
# rdma_ucm; ib_ucm is a separate legacy interface not involved in this CVE.
# "blacklist" only stops automatic loading; the "install" line also defeats
# an explicit modprobe by a script or dependency.
echo "blacklist rdma_ucm" >> /etc/modprobe.d/blacklist-infiniband.conf
echo "install rdma_ucm /bin/false" >> /etc/modprobe.d/blacklist-infiniband.conf
echo "blacklist ib_ucm" >> /etc/modprobe.d/blacklist-infiniband.conf
# Remove the module if currently loaded (fails while any process still has
# /dev/infiniband/rdma_cm open; stop those processes first)
modprobe -r rdma_ucm
modprobe -r ib_ucm
# Restrict access to the device nodes. The driver creates rdma_cm with mode
# 0666, and a chmod does not survive the node being re-created, so also add
# a udev rule, e.g. KERNEL=="rdma_cm", SUBSYSTEM=="misc", MODE="0600"
chmod 600 /dev/infiniband/*
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.