CVE-2020-29660: 
Linux Kernel vulnerability analysis and mitigation

A locking inconsistency issue was discovered in the tty subsystem of the Linux kernel through 5.9.13. The vulnerability (CVE-2020-29660) affects drivers/tty/ttyio.c and drivers/tty/ttyjobctrl.c, which may allow a read-after-free attack against TIOCGSID. The issue was discovered by Jann Horn and disclosed in December 2020 (Kernel Commit, OSS Security).

The vulnerability stems from inconsistent locking of the ->session field in the tty subsystem. Most places protect it using the legacy tty mutex, but certain functions like disassociatectty(), _do_SAK(), tiocspgrp() and tiocgsid() did not implement proper locking. The issue has a CVSS v3.1 Base Score of 4.4 (Medium) with vector AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N (NVD).

On systems with PREEMPT=y enabled, an unprivileged local attacker could potentially exploit this vulnerability to read 4 bytes of freed memory via TIOCGSID if tiocgsid() is preempted at the right point. This could lead to disclosure of sensitive information (kernel memory) or cause a denial of service through system crashes (Ubuntu Security).

The issue was fixed by changing the locking mechanism on ->session such that ttylock() is held by all writers and ctrllock is held by all writers and readers that aren't holding tty_lock(). The fix was implemented in various Linux distributions including Ubuntu, Debian, and Fedora through their respective security updates (Debian Security, Fedora Update).

Multiple vendors and organizations acknowledged and responded to this vulnerability. NetApp rated it as HIGH severity with a CVSS score of 7.8 and provided fixes for affected products (NetApp Advisory). Various Linux distributions treated it as a medium priority security issue and quickly released patches.