Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Tue, 10 Oct 2017 12:03:58 -0400 (EDT)
From: Vladis Dronov <vdronov@...hat.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2017-12190: Linux kernel: block: memory leak when merging small
 consecutive buffers in SCSI IO vectors

Heololo,

Vitaly Mayatskikh has found that bio_map_user_iov() and bio_unmap_user() in
'block/bio.c' do unbalanced pages refcounting if IO vector has small consecutive
buffers belonging to the same page. bio_add_pc_page() merges them into one, but
the page reference is never dropped, causing memory leak.

Regarding security affect, the flaw is somewhat useless for an attacker on
a local system as it requires SCSI disk to be present, root privileges or RAWIO
caps, but this can be quickly turned into a meaningful attack if a SCSI disk is
passed through to a virtual machine. An attacker can issue absolutely legit SCSI
read/write commands to a disk in his VM, that will make VM's memory pages used
for IO to be extra refcounted. Then attacker can power down a VM and the memory
will be definitely lost. Few exploit runs with power cycles in between, and
the whole host can get OOM.

References:

https://bugzilla.redhat.com/show_bug.cgi?id=1495089

A reproducer:

https://www.mail-archive.com/linux-kernel@vger.kernel.org/msg1495887.html

A proposed patch:

https://www.mail-archive.com/linux-kernel@vger.kernel.org/msg1495884.html

The patch for this flaw is not in the Linux kernel upstream at the moment of
this writing (Oct 10 2017) and is being discussed, see an ongoing discussion:

https://marc.info/?t=150605752800001&r=1&w=2

Best regards,
Vladis Dronov | Red Hat, Inc. | Product Security Engineer

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.