oss-sec mailing list archives
CVE-2017-14991 in the Linux Kernel: local infoleak via an SG_GET_REQUEST_TABLE ioctl call for /dev/sg0
From: Alexander Potapenko <glider () google com>
Date: Mon, 9 Oct 2017 11:12:08 +0200
Hello, Kernel commit 109bade9c625c89bb5ea753aaa1a0a97e6fbb548 has introduced an infoleak which manifests when the SG_GET_REQUEST_TABLE ioctl is called for /dev/sg0 (see the attached repro). The bug allows local users to obtain sensitive information from uninitialized kernel heap-memory locations. Linux kernels before 4.13.4 are affected. The bug has been found with syzkaller and KMSAN, upstream fix is here: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3e0097499839e0fe3af380410eababe5a47c4cf9 -- Alexander Potapenko Software Engineer Google Germany GmbH Erika-Mann-Straße, 33 80636 München Geschäftsführer: Paul Manicle, Halimah DeLaine Prado Registergericht und -nummer: Hamburg, HRB 86891 Sitz der Gesellschaft: Hamburg
Attachment:
sg_ioctl.c
Description:
Current thread:
- CVE-2017-14991 in the Linux Kernel: local infoleak via an SG_GET_REQUEST_TABLE ioctl call for /dev/sg0 Alexander Potapenko (Oct 09)