Date: Fri, 9 Dec 2016 00:14:15 +0100 From: Marcus Meissner <meissner@...e.de> To: OSS Security List <oss-security@...ts.openwall.com> Subject: Linux Kernel use-after-free in SCSI generic device interface Hi folks, This is CVE-2016-9576. This original post from Dmitry Vyukov <dvyukov @ google . com> has a kasan/syzkaller report: https://marc.info/?l=linux-scsi&m=148010092224801&w=2 https://gist.githubusercontent.com/dvyukov/80cd94b4e4c288f16ee4c787d404118b/raw/10536069562444da51b758bb39655b514ff93b45/gistfile1.txt which in turn turned out to be a kernel memory read or potentially even a kernel memory write, in using the scatter gather write mode of the /dev/sg* scsi generic devices. The affected code is in Linux down to 2.6.something (problem might require splice() to be exploitable). Linus has committed a fix for this to mainline: commit a0ac402cfcdc904f9772e1762b3fda112dcc56a0 Author: Linus Torvalds <torvalds@...ux-foundation.org> Date: Tue Dec 6 16:18:14 2016 -0800 Don't feed anything but regular iovec's to blk_rq_map_user_iov In theory we could map other things, but there's a reason that function is called "user_iov". Using anything else (like splice can do) just confuses it. Reported-and-tested-by: Johannes Thumshirn <jthumshirn@...e.de> Cc: Al Viro <viro@...IV.linux.org.uk> Signed-off-by: Linus Torvalds <torvalds@...ux-foundation.org> Ciao, Marcus
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.