Date: Fri, 8 Jun 2018 19:38:27 +0200 From: Alexander Potapenko <glider@...gle.com> To: oss-security@...ts.openwall.com Subject: CVE-2018-1000204: Linux kernel 3.18 to 4.16 infoleak due to incorrect handling of SG_IO ioctl Hi all, Linux Kernel version 3.18 to 4.16 incorrectly handles an SG_IO ioctl on /dev/sg0 (or any other SCSI device) with dxfer_direction=SG_DXFER_FROM_DEV and an empty 6-byte cmdp. This may lead to copying up to 1000 kernel heap pages to the userspace. See the PoC exploit attached. This bug has been fixed in the upstream kernel already: https://github.com/torvalds/linux/commit/a45b599ad808c3c982fdcdc12b0b8611c2f92824, and CVE-2018-1000204 has been assigned to it. The problem has limited scope, as users don't usually have permissions to access SCSI devices. On the other hand, e.g. the Nero user manual suggests doing `chmod o+r+w /dev/sg*` to make the devices accessible. -- Alexander Potapenko Software Engineer Google Germany GmbH Erika-Mann-Straße, 33 80636 München Geschäftsführer: Paul Manicle, Halimah DeLaine Prado Registergericht und -nummer: Hamburg, HRB 86891 Sitz der Gesellschaft: Hamburg View attachment "sg_io_leak.c" of type "text/x-csrc" (1832 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ