[PATCH 0/3][T] CVE-2016-9576 - Arbitrary kernel memory reads/writes in the SCSI driver
Tyler Hicks
tyhicks at canonical.com
Fri Sep 14 18:52:46 UTC 2018
https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-9576.html
The blk_rq_map_user_iov function in block/blk-map.c in the Linux kernel
before 4.8.14 does not properly restrict the type of iterator, which allows
local users to read or write to arbitrary kernel memory locations or cause
a denial of service (use-after-free) by leveraging access to a /dev/sg
device.
I've manually tested these patches using the syzkaller reproducer and
sg_dd from sg3-utils inside of a VM with a SCSI drive attached.
Tyler
More information about the kernel-team
mailing list