Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 10 Oct 2017 12:03:58 -0400 (EDT)
From: Vladis Dronov <>
Subject: CVE-2017-12190: Linux kernel: block: memory leak when merging small
 consecutive buffers in SCSI IO vectors


Vitaly Mayatskikh has found that bio_map_user_iov() and bio_unmap_user() in
'block/bio.c' do unbalanced pages refcounting if IO vector has small consecutive
buffers belonging to the same page. bio_add_pc_page() merges them into one, but
the page reference is never dropped, causing memory leak.

Regarding security affect, the flaw is somewhat useless for an attacker on
a local system as it requires SCSI disk to be present, root privileges or RAWIO
caps, but this can be quickly turned into a meaningful attack if a SCSI disk is
passed through to a virtual machine. An attacker can issue absolutely legit SCSI
read/write commands to a disk in his VM, that will make VM's memory pages used
for IO to be extra refcounted. Then attacker can power down a VM and the memory
will be definitely lost. Few exploit runs with power cycles in between, and
the whole host can get OOM.


A reproducer:

A proposed patch:

The patch for this flaw is not in the Linux kernel upstream at the moment of
this writing (Oct 10 2017) and is being discussed, see an ongoing discussion:

Best regards,
Vladis Dronov | Red Hat, Inc. | Product Security Engineer

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.