[0/3,T] CVE-2016-9576 - Arbitrary kernel memory reads/writes in the SCSI driver

Message ID 1536951169-22810-1-git-send-email-tyhicks@canonical.com

Message

Tyler Hicks Sept. 14, 2018, 6:52 p.m. UTC
https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-9576.html

 The blk_rq_map_user_iov function in block/blk-map.c in the Linux kernel
 before 4.8.14 does not properly restrict the type of iterator, which allows
 local users to read or write to arbitrary kernel memory locations or cause
 a denial of service (use-after-free) by leveraging access to a /dev/sg
 device.

I've manually tested these patches using the syzkaller reproducer and
sg_dd from sg3-utils inside of a VM with a SCSI drive attached.

Tyler

Comments

Stefan Bader Sept. 27, 2018, 4:42 p.m. UTC | #1
On 14.09.2018 20:52, Tyler Hicks wrote:
> https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-9576.html
> 
>  The blk_rq_map_user_iov function in block/blk-map.c in the Linux kernel
>  before 4.8.14 does not properly restrict the type of iterator, which allows
>  local users to read or write to arbitrary kernel memory locations or cause
>  a denial of service (use-after-free) by leveraging access to a /dev/sg
>  device.
> 
> I've manually tested these patches using the syzkaller reproducer and
> sg_dd from sg3-utils inside of a VM with a SCSI drive attached.
> 
> Tyler
> 
> 
Acked-by: Stefan Bader <stefan.bader@canonical.com>
Kleber Sacilotto de Souza Sept. 28, 2018, 9:07 a.m. UTC | #2
On 09/14/18 20:52, Tyler Hicks wrote:
> https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-9576.html
> 
>  The blk_rq_map_user_iov function in block/blk-map.c in the Linux kernel
>  before 4.8.14 does not properly restrict the type of iterator, which allows
>  local users to read or write to arbitrary kernel memory locations or cause
>  a denial of service (use-after-free) by leveraging access to a /dev/sg
>  device.
> 
> I've manually tested these patches using the syzkaller reproducer and
> sg_dd from sg3-utils inside of a VM with a SCSI drive attached.
> 
> Tyler
> 
> 

Hi Tyler,

The CVE matrix states that commit a0ac402cfcdc ("Don't feed anything but
regular iovec's to blk_rq_map_user_iov") is also needed for this CVE. Is
it not needed for Trusty?

Was 1bc0eb044615 ("scsi: sg: protect accesses to 'reserved' page array")
a pre-req for the follow-up fixes?
Thanks,
Kleber
Tyler Hicks Sept. 28, 2018, 2:59 p.m. UTC | #3
On 2018-09-28 11:07:17, Kleber Souza wrote:
> On 09/14/18 20:52, Tyler Hicks wrote:
> > https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-9576.html
> > 
> >  The blk_rq_map_user_iov function in block/blk-map.c in the Linux kernel
> >  before 4.8.14 does not properly restrict the type of iterator, which allows
> >  local users to read or write to arbitrary kernel memory locations or cause
> >  a denial of service (use-after-free) by leveraging access to a /dev/sg
> >  device.
> > 
> > I've manually tested these patches using the syzkaller reproducer and
> > sg_dd from sg3-utils inside of a VM with a SCSI drive attached.
> > 
> > Tyler
> > 
> > 
> 
> Hi Tyler,
> 
> The CVE matrix states that commit a0ac402cfcdc ("Don't feed anything but
> regular iovec's to blk_rq_map_user_iov") is also needed for this CVE. Is
> it not needed for Trusty?
> 
> Was 1bc0eb044615 ("scsi: sg: protect accesses to 'reserved' page array")
> a pre-req for the follow-up fixes?

It took me a little while to figure out what happened but I've just
realized that I mixed up CVE-2016-9576 and CVE-2017-0794 in both the CVE
tracker and in this patchset. That made it really difficult to
understand the confusion.

I'll get all this fixed up in UCT and send out new patchsets. Thanks for
catching this mistake.

Tyler