|
Message-ID: <CAG_fn=VEy8E4C4gTC2wZ-FSma5Lh5c5mtxTmhfdFKN_TSjvggQ@mail.gmail.com>
Date: Fri, 8 Jun 2018 19:38:27 +0200
From: Alexander Potapenko <glider@...gle.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2018-1000204: Linux kernel 3.18 to 4.16 infoleak due to incorrect
handling of SG_IO ioctl
Hi all,
Linux Kernel version 3.18 to 4.16 incorrectly handles an SG_IO ioctl
on /dev/sg0 (or any other SCSI device) with
dxfer_direction=SG_DXFER_FROM_DEV and an empty 6-byte cmdp.
This may lead to copying up to 1000 kernel heap pages to the userspace.
See the PoC exploit attached.
This bug has been fixed in the upstream kernel already:
https://github.com/torvalds/linux/commit/a45b599ad808c3c982fdcdc12b0b8611c2f92824,
and CVE-2018-1000204 has been assigned to it.
The problem has limited scope, as users don't usually have permissions
to access SCSI devices. On the other hand, e.g. the Nero user manual
suggests doing `chmod o+r+w /dev/sg*` to make the devices accessible.
--
Alexander Potapenko
Software Engineer
Google Germany GmbH
Erika-Mann-Straße, 33
80636 München
Geschäftsführer: Paul Manicle, Halimah DeLaine Prado
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
View attachment "sg_io_leak.c" of type "text/x-csrc" (1832 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.