Date: Tue, 10 Oct 2017 12:03:58 -0400 (EDT) From: Vladis Dronov <vdronov@...hat.com> To: oss-security@...ts.openwall.com Subject: CVE-2017-12190: Linux kernel: block: memory leak when merging small consecutive buffers in SCSI IO vectors Heololo, Vitaly Mayatskikh has found that bio_map_user_iov() and bio_unmap_user() in 'block/bio.c' do unbalanced pages refcounting if IO vector has small consecutive buffers belonging to the same page. bio_add_pc_page() merges them into one, but the page reference is never dropped, causing memory leak. Regarding security affect, the flaw is somewhat useless for an attacker on a local system as it requires SCSI disk to be present, root privileges or RAWIO caps, but this can be quickly turned into a meaningful attack if a SCSI disk is passed through to a virtual machine. An attacker can issue absolutely legit SCSI read/write commands to a disk in his VM, that will make VM's memory pages used for IO to be extra refcounted. Then attacker can power down a VM and the memory will be definitely lost. Few exploit runs with power cycles in between, and the whole host can get OOM. References: https://bugzilla.redhat.com/show_bug.cgi?id=1495089 A reproducer: https://email@example.com/msg1495887.html A proposed patch: https://firstname.lastname@example.org/msg1495884.html The patch for this flaw is not in the Linux kernel upstream at the moment of this writing (Oct 10 2017) and is being discussed, see an ongoing discussion: https://marc.info/?t=150605752800001&r=1&w=2 Best regards, Vladis Dronov | Red Hat, Inc. | Product Security Engineer
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.