CVE-2020-9391: 
Linux Kernel vulnerability analysis and mitigation

A heap corruption vulnerability (CVE-2020-9391) was discovered in the Linux kernel versions 5.4 and 5.5 through 5.5.6 on the AArch64 architecture. The issue was discovered in February 2020 and occurs when the kernel ignores the top byte in the address passed to the brk system call, potentially moving the memory break downwards when the application expects it to move upwards (CVE, NVD).

The vulnerability stems from an architectural feature of AArch64 where the top byte of a 64-bit pointer is ignored. The Linux kernel versions 5.4 and later ignored the top byte in certain system call arguments, including the brk system call. This behavior could result in moving the brk in the wrong direction (downward instead of upward), causing heap corruption with the GNU C Library malloc implementation. The issue is particularly problematic because it can create address aliases in user-space when the user is unaware of the 56-bit address limit (Openwall, Kernel Commit).

When successfully exploited, this vulnerability can cause heap corruption in applications using the GNU C Library malloc implementation. The issue has a CVSS score of 5.5 (MEDIUM) with vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, indicating potential for local attacks that could lead to system availability impacts (NetApp Advisory).

The issue was fixed in the Linux kernel through commit dcde237319e626d1ec3c9d8b7613032f0fd4663a, which removes untagging in the brk, mmap, and mremap functions. The fix partially reverts an earlier commit that introduced the issue. Users should upgrade to kernel versions containing this fix (Kernel Commit).