Message ID | 1536951169-22810-1-git-send-email-tyhicks@canonical.com
---|---
Series | CVE-2016-9576 - Arbitrary kernel memory reads/writes in the SCSI driver
On 14.09.2018 20:52, Tyler Hicks wrote:
> https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-9576.html
>
> The blk_rq_map_user_iov function in block/blk-map.c in the Linux kernel
> before 4.8.14 does not properly restrict the type of iterator, which allows
> local users to read or write to arbitrary kernel memory locations or cause
> a denial of service (use-after-free) by leveraging access to a /dev/sg
> device.
>
> I've manually tested these patches using the syzkaller reproducer and
> sg_dd from sg3-utils inside of a VM with a SCSI drive attached.
>
> Tyler
>
>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
On 09/14/18 20:52, Tyler Hicks wrote:
> https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-9576.html
>
> The blk_rq_map_user_iov function in block/blk-map.c in the Linux kernel
> before 4.8.14 does not properly restrict the type of iterator, which allows
> local users to read or write to arbitrary kernel memory locations or cause
> a denial of service (use-after-free) by leveraging access to a /dev/sg
> device.
>
> I've manually tested these patches using the syzkaller reproducer and
> sg_dd from sg3-utils inside of a VM with a SCSI drive attached.
>
> Tyler
>
>

Hi Tyler,

The CVE matrix states that commit a0ac402cfcdc ("Don't feed anything but
regular iovec's to blk_rq_map_user_iov") is also needed for this CVE. Is
it not needed for Trusty?

Was 1bc0eb044615 ("scsi: sg: protect accesses to 'reserved' page array")
a pre-req for the follow-up fixes?

Thanks,
Kleber
On 2018-09-28 11:07:17, Kleber Souza wrote:
> On 09/14/18 20:52, Tyler Hicks wrote:
> > https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-9576.html
> >
> > The blk_rq_map_user_iov function in block/blk-map.c in the Linux kernel
> > before 4.8.14 does not properly restrict the type of iterator, which allows
> > local users to read or write to arbitrary kernel memory locations or cause
> > a denial of service (use-after-free) by leveraging access to a /dev/sg
> > device.
> >
> > I've manually tested these patches using the syzkaller reproducer and
> > sg_dd from sg3-utils inside of a VM with a SCSI drive attached.
> >
> > Tyler
> >
> >
>
> Hi Tyler,
>
> The CVE matrix states that commit a0ac402cfcdc ("Don't feed anything but
> regular iovec's to blk_rq_map_user_iov") is also needed for this CVE. Is
> it not needed for Trusty?
>
> Was 1bc0eb044615 ("scsi: sg: protect accesses to 'reserved' page array")
> a pre-req for the follow-up fixes?

It took me a little while to figure out what happened, but I've just
realized that I mixed up CVE-2016-9576 and CVE-2017-0794 in both the CVE
tracker and in this patchset. That made it really difficult to understand
the confusion.

I'll get all this fixed up in UCT and send out new patchsets.

Thanks for catching this mistake.

Tyler