Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Fri, 8 Jun 2018 19:38:27 +0200
From: Alexander Potapenko <glider@...gle.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2018-1000204: Linux kernel 3.18 to 4.16 infoleak due to incorrect
 handling of SG_IO ioctl

Hi all,

Linux Kernel version 3.18 to 4.16 incorrectly handles an SG_IO ioctl
on /dev/sg0 (or any other SCSI device) with
dxfer_direction=SG_DXFER_FROM_DEV and an empty 6-byte cmdp.
This may lead to copying up to 1000 kernel heap pages to the userspace.
See the PoC exploit attached.

This bug has been fixed in the upstream kernel already:
https://github.com/torvalds/linux/commit/a45b599ad808c3c982fdcdc12b0b8611c2f92824,
and CVE-2018-1000204 has been assigned to it.

The problem has limited scope, as users don't usually have permissions
to access SCSI devices. On the other hand, e.g. the Nero user manual
suggests doing `chmod o+r+w /dev/sg*` to make the devices accessible.

-- 
Alexander Potapenko
Software Engineer

Google Germany GmbH
Erika-Mann-Straße, 33
80636 München

Geschäftsführer: Paul Manicle, Halimah DeLaine Prado
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg

View attachment "sg_io_leak.c" of type "text/x-csrc" (1832 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.