CVE-2017-12190: Linux kernel: block: memory leak when merging small consecutive buffers in SCSI IO vectors

[Vladis Dronov <vdronov () redhat com>]

Heololo,

Vitaly Mayatskikh has found that bio_map_user_iov() and bio_unmap_user() in
'block/bio.c' do unbalanced pages refcounting if IO vector has small consecutive
buffers belonging to the same page. bio_add_pc_page() merges them into one, but
the page reference is never dropped, causing memory leak.

Regarding security affect, the flaw is somewhat useless for an attacker on
a local system as it requires SCSI disk to be present, root privileges or RAWIO
caps, but this can be quickly turned into a meaningful attack if a SCSI disk is
passed through to a virtual machine. An attacker can issue absolutely legit SCSI
read/write commands to a disk in his VM, that will make VM's memory pages used
for IO to be extra refcounted. Then attacker can power down a VM and the memory
will be definitely lost. Few exploit runs with power cycles in between, and
the whole host can get OOM.

References:

https://bugzilla.redhat.com/show_bug.cgi?id=1495089

A reproducer:

https://www.mail-archive.com/linux-kernel () vger kernel org/msg1495887.html

A proposed patch:

https://www.mail-archive.com/linux-kernel () vger kernel org/msg1495884.html

The patch for this flaw is not in the Linux kernel upstream at the moment of
this writing (Oct 10 2017) and is being discussed, see an ongoing discussion:

https://marc.info/?t=150605752800001&r=1&w=2

Best regards,
Vladis Dronov | Red Hat, Inc. | Product Security Engineer