oss-sec mailing list archives
CVE-2017-12190: Linux kernel: block: memory leak when merging small consecutive buffers in SCSI IO vectors
From: Vladis Dronov <vdronov () redhat com>
Date: Tue, 10 Oct 2017 12:03:58 -0400 (EDT)
Hello,

Vitaly Mayatskikh has found that bio_map_user_iov() and bio_unmap_user() in 'block/bio.c' do unbalanced page refcounting if the IO vector has small consecutive buffers belonging to the same page. bio_add_pc_page() merges them into one, but the page reference is never dropped, causing a memory leak.

Regarding the security effect, the flaw is somewhat useless for an attacker on a local system, as it requires a SCSI disk to be present and root privileges or RAWIO caps, but this can be quickly turned into a meaningful attack if a SCSI disk is passed through to a virtual machine. An attacker can issue absolutely legit SCSI read/write commands to a disk in his VM, which will make the VM's memory pages used for IO extra refcounted. Then the attacker can power down the VM and the memory will be definitely lost. A few exploit runs with power cycles in between, and the whole host can get OOM.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1495089

A reproducer:
https://www.mail-archive.com/linux-kernel () vger kernel org/msg1495887.html

A proposed patch:
https://www.mail-archive.com/linux-kernel () vger kernel org/msg1495884.html

The patch for this flaw is not in the Linux kernel upstream at the moment of this writing (Oct 10 2017) and is being discussed, see the ongoing discussion:
https://marc.info/?t=150605752800001&r=1&w=2

Best regards,
Vladis Dronov | Red Hat, Inc. | Product Security Engineer
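As an added illustration (a toy model written for this archive page, not kernel code and not the proposed patch), the refcount imbalance the mail describes: every mapped user segment takes one page reference, segments that continue the same page are merged into a single bio vector entry, but unmap drops only one reference per entry. All names, the `fix_leak` switch and the sample IO vector are constructed for the model.

```c
/* Toy model of the bio_map_user_iov()/bio_unmap_user() refcount imbalance.
 * Not kernel code: page references are a plain counter per page. */
#include <string.h>

#define NPAGES 4

struct segment { unsigned page, offset, len; };  /* one user IO vector entry */
struct bvec    { unsigned page, offset, len; };  /* one (possibly merged) bio entry */

static unsigned refcount[NPAGES];

static void get_page(unsigned p) { refcount[p]++; }
static void put_page(unsigned p) { refcount[p]--; }

/* Map segments into bvecs. A segment that contiguously continues the previous
 * bvec in the same page is merged into it (what bio_add_pc_page() does).
 * Bug: the reference taken for the merged segment is kept. With fix_leak set,
 * the model drops that extra reference. Returns the number of bvecs. */
static int map_user_iov(const struct segment *segs, int nsegs, struct bvec *bv, int fix_leak)
{
    int nvec = 0;
    for (int i = 0; i < nsegs; i++) {
        get_page(segs[i].page);                  /* get_user_pages() side */
        if (nvec > 0 && bv[nvec - 1].page == segs[i].page &&
            bv[nvec - 1].offset + bv[nvec - 1].len == segs[i].offset) {
            bv[nvec - 1].len += segs[i].len;     /* merged: no new bvec */
            if (fix_leak)
                put_page(segs[i].page);          /* balance the extra reference */
            continue;
        }
        bv[nvec].page = segs[i].page;
        bv[nvec].offset = segs[i].offset;
        bv[nvec].len = segs[i].len;
        nvec++;
    }
    return nvec;
}

/* bio_unmap_user() side: one put_page() per bvec entry */
static void unmap_user(const struct bvec *bv, int nvec)
{
    for (int i = 0; i < nvec; i++)
        put_page(bv[i].page);
}

/* One map/unmap cycle over a constructed IO vector (three small consecutive
 * buffers in page 0, one full buffer in page 1). Returns references still
 * held afterwards; 0 means the refcounting was balanced. */
static unsigned leaked_refs_after_cycle(int fix_leak)
{
    const struct segment segs[] = { {0, 0, 512}, {0, 512, 512}, {0, 1024, 512}, {1, 0, 4096} };
    struct bvec bv[4];
    memset(refcount, 0, sizeof refcount);
    int nvec = map_user_iov(segs, 4, bv, fix_leak);
    unmap_user(bv, nvec);
    unsigned total = 0;
    for (int p = 0; p < NPAGES; p++) total += refcount[p];
    return total;
}
```

With the bug, the two merged segments each leave a dangling reference on page 0 after the cycle; with the extra reference dropped at merge time the count returns to zero.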