oss-sec mailing list archives
Linux Kernel use-after-free in SCSI generic device interface
From: Marcus Meissner <meissner () suse de>
Date: Fri, 9 Dec 2016 00:14:15 +0100
Hi folks,

This is CVE-2016-9576.

This original post from Dmitry Vyukov <dvyukov @ google . com> has a kasan/syzkaller report:

https://marc.info/?l=linux-scsi&m=148010092224801&w=2
https://gist.githubusercontent.com/dvyukov/80cd94b4e4c288f16ee4c787d404118b/raw/10536069562444da51b758bb39655b514ff93b45/gistfile1.txt

which in turn turned out to be a kernel memory read or potentially even a kernel memory write, in using the scatter gather write mode of the /dev/sg* scsi generic devices.

The affected code is in Linux down to 2.6.something (problem might require splice() to be exploitable).

Linus has committed a fix for this to mainline:

commit a0ac402cfcdc904f9772e1762b3fda112dcc56a0
Author: Linus Torvalds <torvalds () linux-foundation org>
Date:   Tue Dec 6 16:18:14 2016 -0800

    Don't feed anything but regular iovec's to blk_rq_map_user_iov

    In theory we could map other things, but there's a reason that function
    is called "user_iov".

    Using anything else (like splice can do) just confuses it.

    Reported-and-tested-by: Johannes Thumshirn <jthumshirn () suse de>
    Cc: Al Viro <viro () ZenIV linux org uk>
    Signed-off-by: Linus Torvalds <torvalds () linux-foundation org>

Ciao, Marcus