CVE-2020-12655
Published: 5 May 2020
An issue was discovered in xfs_agf_verify in fs/xfs/libxfs/xfs_alloc.c in the Linux kernel through 5.6.10. Attackers may trigger a sync of excessive duration via an XFS v5 image with crafted metadata, aka CID-d0c7feaf8767.
From the Ubuntu security team
It was discovered that the XFS file system implementation in the Linux kernel did not properly validate meta data in some circumstances. An attacker could use this to construct a malicious XFS image that, when mounted, could cause a denial of service.
Priority
Medium
CVSS 3 base score: 5.5
Status
| Package | Release | Status |
|---|---|---|
|
linux Launchpad, Ubuntu, Debian |
bionic |
Released
(4.15.0-115.116)
|
| eoan |
Ignored
(reached end-of-life)
|
|
| focal |
Released
(5.4.0-45.49)
|
|
| groovy |
Not vulnerable
(5.8.0-16.17)
|
|
| hirsute |
Not vulnerable
(5.8.0-36.40+21.04.1)
|
|
| precise |
Ignored
(was needed ESM criteria)
|
|
| trusty |
Ignored
(was needed ESM criteria)
|
|
| upstream |
Released
(5.7~rc1)
|
|
| xenial |
Released
(4.4.0-222.255)
|
|
|
linux-aws Launchpad, Ubuntu, Debian |
bionic |
Released
(4.15.0-1080.84)
|
| eoan |
Ignored
(reached end-of-life)
|
|
| focal |
Released
(5.4.0-1022.22)
|
|
| groovy |
Not vulnerable
(5.8.0-1004.4)
|
|
| hirsute |
Not vulnerable
(5.8.0-1018.20+21.04.1)
|
|
| precise |
Does not exist
|
|
| trusty |
Released
(4.4.0-1102.107)
|
|
| upstream |
Released
(5.7~rc1)
|
|
| xenial |
Released
(4.4.0-1138.152)
|
|
|
linux-aws-5.0 Launchpad, Ubuntu, Debian |
bionic |
Ignored
(was needs-triage now end-of-life)
|
| eoan |
Does not exist
|
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| hirsute |
Does not exist
|
|
| precise |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(5.7~rc1)
|
|
| xenial |
Does not exist
|
|
|
linux-aws-5.3 Launchpad, Ubuntu, Debian |
bionic |
Released
(5.3.0-1033.35)
|
| eoan |
Does not exist
|
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| hirsute |
Does not exist
|
|
| precise |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(5.7~rc1)
|
|
| xenial |
Does not exist
|
|
|
linux-aws-5.4 Launchpad, Ubuntu, Debian |
bionic |
Released
(5.4.0-1022.22~18.04.1)
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| hirsute |
Does not exist
|
|
| precise |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(5.7~rc1)
|
|
| xenial |
Does not exist
|
|
|
linux-aws-hwe Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| eoan |
Does not exist
|
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| hirsute |
Does not exist
|
|
| precise |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(5.7~rc1)
|
|
| xenial |
Released
(4.15.0-1080.84~16.04.1)
|
|
|
linux-azure Launchpad, Ubuntu, Debian |
bionic |
Ignored
(was needs-triage now end-of-life)
|
| eoan |
Ignored
(reached end-of-life)
|
|
| focal |
Released
(5.4.0-1023.23)
|
|
| groovy |
Not vulnerable
(5.8.0-1004.4)
|
|
| hirsute |
Not vulnerable
(5.8.0-1016.17+21.04.1)
|
|
| precise |
Does not exist
|
|
| trusty |
Released
(4.15.0-1093.103~14.04.1)
|
|
| upstream |
Released
(5.7~rc1)
|
|
| xenial |
Released
(4.15.0-1093.103~16.04.1)
|
|
|
linux-azure-4.15 Launchpad, Ubuntu, Debian |
bionic |
Released
(4.15.0-1093.103)
|
| eoan |
Does not exist
|
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| hirsute |
Does not exist
|
|
| precise |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(5.7~rc1)
|
|
| xenial |
Does not exist
|
|
|
linux-azure-5.3 Launchpad, Ubuntu, Debian |
bionic |
Released
(5.3.0-1035.36)
|
| eoan |
Does not exist
|
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| hirsute |
Does not exist
|
|
| precise |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(5.7~rc1)
|
|
| xenial |
Does not exist
|
|
|
linux-azure-5.4 Launchpad, Ubuntu, Debian |
bionic |
Released
(5.4.0-1023.23~18.04.1)
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| hirsute |
Does not exist
|
|
| precise |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(5.7~rc1)
|
|
| xenial |
Does not exist
|
|
|
linux-azure-edge Launchpad, Ubuntu, Debian |
bionic |
Ignored
(was needs-triage now end-of-life)
|
| eoan |
Does not exist
|
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| hirsute |
Does not exist
|
|
| precise |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(5.7~rc1)
|
|
| xenial |
Does not exist
|
|
|
linux-dell300x Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(4.15.0-1005.8)
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| hirsute |
Does not exist
|
|
| precise |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(5.7~rc1)
|
|
| xenial |
Does not exist
|
|
|
linux-gcp Launchpad, Ubuntu, Debian |
bionic |
Ignored
(was needs-triage now end-of-life)
|
| eoan |
Ignored
(reached end-of-life)
|
|
| focal |
Released
(5.4.0-1022.22)
|
|
| groovy |
Not vulnerable
(5.8.0-1002.2)
|
|
| hirsute |
Not vulnerable
(5.8.0-1015.15+21.04.1)
|
|
| precise |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(5.7~rc1)
|
|
| xenial |
Released
(4.15.0-1081.92~16.04.1)
|
|
|
linux-gcp-4.15 Launchpad, Ubuntu, Debian |
bionic |
Released
(4.15.0-1081.92)
|
| eoan |
Does not exist
|
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| hirsute |
Does not exist
|
|
| precise |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(5.7~rc1)
|
|
| xenial |
Does not exist
|
|
|
linux-gcp-5.3 Launchpad, Ubuntu, Debian |
bionic |
Ignored
(was needed now end-of-life)
|
| eoan |
Does not exist
|
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| hirsute |
Does not exist
|
|
| precise |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(5.7~rc1)
|
|
| xenial |
Does not exist
|
|
|
linux-gcp-5.4 Launchpad, Ubuntu, Debian |
bionic |
Released
(5.4.0-1022.22~18.04.1)
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| hirsute |
Does not exist
|
|
| precise |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(5.7~rc1)
|
|
| xenial |
Does not exist
|
|
|
linux-gcp-edge Launchpad, Ubuntu, Debian |
bionic |
Ignored
(was needs-triage now end-of-life)
|
| eoan |
Does not exist
|
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| hirsute |
Does not exist
|
|
| precise |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(5.7~rc1)
|
|
| xenial |
Does not exist
|
|
|
linux-gke-4.15 Launchpad, Ubuntu, Debian |
bionic |
Released
(4.15.0-1067.70)
|
| eoan |
Does not exist
|
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| hirsute |
Does not exist
|
|
| precise |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(5.7~rc1)
|
|
| xenial |
Does not exist
|
|
|
linux-gke-5.0 Launchpad, Ubuntu, Debian |
bionic |
Ignored
(was needed now end-of-life)
|
| eoan |
Does not exist
|
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| hirsute |
Does not exist
|
|
| precise |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(5.7~rc1)
|
|
| xenial |
Does not exist
|
|
|
linux-gke-5.3 Launchpad, Ubuntu, Debian |
bionic |
Released
(5.3.0-1033.35)
|
| eoan |
Does not exist
|
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| hirsute |
Does not exist
|
|
| precise |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(5.7~rc1)
|
|
| xenial |
Does not exist
|
|
|
linux-gke-5.4 Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(5.4.0-1025.25~18.04.1)
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| hirsute |
Does not exist
|
|
| precise |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(5.7~rc1)
|
|
| xenial |
Does not exist
|
|
|
linux-gkeop Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| focal |
Not vulnerable
(5.4.0-1008.9)
|
|
| groovy |
Does not exist
|
|
| hirsute |
Does not exist
|
|
| precise |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(5.7~rc1)
|
|
| xenial |
Does not exist
|
|
|
linux-gkeop-5.4 Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(5.4.0-1001.1)
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| hirsute |
Does not exist
|
|
| precise |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(5.7~rc1)
|
|
| xenial |
Does not exist
|
|
|
linux-hwe Launchpad, Ubuntu, Debian |
bionic |
Released
(5.3.0-65.59)
|
| eoan |
Does not exist
|
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| hirsute |
Does not exist
|
|
| precise |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(5.7~rc1)
|
|
| xenial |
Released
(4.15.0-115.116~16.04.1)
|
|
|
linux-hwe-5.4 Launchpad, Ubuntu, Debian |
bionic |
Released
(5.4.0-45.49~18.04.2)
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| hirsute |
Does not exist
|
|
| precise |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(5.7~rc1)
|
|
| xenial |
Does not exist
|
|
|
linux-hwe-5.8 Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| focal |
Not vulnerable
(5.8.0-23.24~20.04.1)
|
|
| groovy |
Does not exist
|
|
| hirsute |
Does not exist
|
|
| precise |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(5.7~rc1)
|
|
| xenial |
Does not exist
|
|
|
linux-hwe-edge Launchpad, Ubuntu, Debian |
bionic |
Ignored
(was needs-triage now end-of-life)
|
| eoan |
Does not exist
|
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| hirsute |
Does not exist
|
|
| precise |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(5.7~rc1)
|
|
| xenial |
Ignored
(was needs-triage now end-of-life)
|
|
|
linux-kvm Launchpad, Ubuntu, Debian |
bionic |
Released
(4.15.0-1072.73)
|
| eoan |
Ignored
(reached end-of-life)
|
|
| focal |
Released
(5.4.0-1021.21)
|
|
| groovy |
Not vulnerable
(5.8.0-1001.1)
|
|
| hirsute |
Not vulnerable
(5.8.0-1010.11+21.04.1)
|
|
| precise |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(5.7~rc1)
|
|
| xenial |
Released
(4.4.0-1103.112)
|
|
|
linux-lts-trusty Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| eoan |
Does not exist
|
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| hirsute |
Does not exist
|
|
| precise |
Ignored
(was needed ESM criteria)
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(5.7~rc1)
|
|
| xenial |
Does not exist
|
|
|
linux-lts-xenial Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| eoan |
Does not exist
|
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| hirsute |
Does not exist
|
|
| precise |
Does not exist
|
|
| trusty |
Released
(4.4.0-222.255~14.04.1)
|
|
| upstream |
Released
(5.7~rc1)
|
|
| xenial |
Does not exist
|
|
|
linux-oem Launchpad, Ubuntu, Debian |
bionic |
Released
(4.15.0-1094.104)
|
| eoan |
Ignored
(reached end-of-life)
|
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| hirsute |
Does not exist
|
|
| precise |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(5.7~rc1)
|
|
| xenial |
Ignored
(was needs-triage now end-of-life)
|
|
|
linux-oem-5.10 Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| focal |
Not vulnerable
(5.10.0-1008.9)
|
|
| groovy |
Does not exist
|
|
| hirsute |
Does not exist
|
|
| precise |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(5.7~rc1)
|
|
| xenial |
Does not exist
|
|
|
linux-oem-5.6 Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| eoan |
Does not exist
|
|
| focal |
Released
(5.6.0-1031.32)
|
|
| groovy |
Does not exist
|
|
| hirsute |
Does not exist
|
|
| precise |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(5.7~rc1)
|
|
| xenial |
Does not exist
|
|
|
linux-oem-osp1 Launchpad, Ubuntu, Debian |
bionic |
Ignored
(was needed now end-of-life)
|
| eoan |
Ignored
(reached end-of-life)
|
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| hirsute |
Does not exist
|
|
| precise |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(5.7~rc1)
|
|
| xenial |
Does not exist
|
|
|
linux-oracle Launchpad, Ubuntu, Debian |
bionic |
Released
(4.15.0-1051.55)
|
| eoan |
Ignored
(reached end-of-life)
|
|
| focal |
Released
(5.4.0-1022.22)
|
|
| groovy |
Not vulnerable
(5.8.0-1001.1)
|
|
| hirsute |
Not vulnerable
(5.8.0-1014.14+21.04.1)
|
|
| precise |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(5.7~rc1)
|
|
| xenial |
Released
(4.15.0-1051.55~16.04.1)
|
|
|
linux-oracle-5.0 Launchpad, Ubuntu, Debian |
bionic |
Ignored
(was needs-triage now end-of-life)
|
| eoan |
Does not exist
|
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| hirsute |
Does not exist
|
|
| precise |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(5.7~rc1)
|
|
| xenial |
Does not exist
|
|
|
linux-oracle-5.3 Launchpad, Ubuntu, Debian |
bionic |
Ignored
(was needed now end-of-life)
|
| eoan |
Does not exist
|
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| hirsute |
Does not exist
|
|
| precise |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(5.7~rc1)
|
|
| xenial |
Does not exist
|
|
|
linux-oracle-5.4 Launchpad, Ubuntu, Debian |
bionic |
Released
(5.4.0-1022.22~18.04.1)
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| hirsute |
Does not exist
|
|
| precise |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(5.7~rc1)
|
|
| xenial |
Does not exist
|
|
|
linux-raspi Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| eoan |
Does not exist
|
|
| focal |
Released
(5.4.0-1016.17)
|
|
| groovy |
Not vulnerable
(5.4.0-1016.17)
|
|
| hirsute |
Not vulnerable
(5.8.0-1008.11+21.04.1)
|
|
| precise |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(5.7~rc1)
|
|
| xenial |
Does not exist
|
|
|
linux-raspi-5.4 Launchpad, Ubuntu, Debian |
bionic |
Released
(5.4.0-1016.17~18.04.1)
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| hirsute |
Does not exist
|
|
| precise |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(5.7~rc1)
|
|
| xenial |
Does not exist
|
|
|
linux-raspi2 Launchpad, Ubuntu, Debian |
bionic |
Released
(4.15.0-1068.72)
|
| eoan |
Ignored
(reached end-of-life)
|
|
| focal |
Ignored
(was needs-triage now end-of-life)
|
|
| groovy |
Does not exist
|
|
| hirsute |
Does not exist
|
|
| precise |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(5.7~rc1)
|
|
| xenial |
Ignored
(was needed now end-of-life)
|
|
|
linux-raspi2-5.3 Launchpad, Ubuntu, Debian |
bionic |
Released
(5.3.0-1032.34)
|
| eoan |
Does not exist
|
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| hirsute |
Does not exist
|
|
| precise |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(5.7~rc1)
|
|
| xenial |
Does not exist
|
|
|
linux-riscv Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| eoan |
Does not exist
|
|
| focal |
Released
(5.4.0-31.35)
|
|
| groovy |
Not vulnerable
(5.8.0-1.1)
|
|
| hirsute |
Not vulnerable
(5.8.0-10.12+21.04.1)
|
|
| precise |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(5.7~rc1)
|
|
| xenial |
Does not exist
|
|
|
linux-snapdragon Launchpad, Ubuntu, Debian |
bionic |
Released
(4.15.0-1084.92)
|
| eoan |
Does not exist
|
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| hirsute |
Does not exist
|
|
| precise |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(5.7~rc1)
|
|
| xenial |
Ignored
(was needed now end-of-life)
|
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12655
- https://git.kernel.org/linus/d0c7feaf87678371c2c09b3709400be416b2dc62 (5.7-rc1)
- https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=d0c7feaf87678371c2c09b3709400be416b2dc62
- https://github.com/torvalds/linux/commit/d0c7feaf87678371c2c09b3709400be416b2dc62
- https://lore.kernel.org/linux-xfs/20200221153803.GP9506@magnolia/
- https://ubuntu.com/security/notices/USN-4465-1
- https://ubuntu.com/security/notices/USN-4483-1
- https://ubuntu.com/security/notices/USN-4485-1
- https://ubuntu.com/security/notices/USN-5343-1
- NVD
- Launchpad
- Debian