[PATCH 0/3][T] CVE-2016-9576 - Arbitrary kernel memory reads/writes in the SCSI driver
Kleber Souza
kleber.souza at canonical.com
Fri Sep 28 09:07:17 UTC 2018
On 09/14/18 20:52, Tyler Hicks wrote:
> https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-9576.html
>
> The blk_rq_map_user_iov function in block/blk-map.c in the Linux kernel
> before 4.8.14 does not properly restrict the type of iterator, which allows
> local users to read or write to arbitrary kernel memory locations or cause
> a denial of service (use-after-free) by leveraging access to a /dev/sg
> device.
>
> I've manually tested these patches using the syzkaller reproducer and
> sg_dd from sg3-utils inside of a VM with a SCSI drive attached.
>
> Tyler
>
>
Hi Tyler,
The CVE matrix states that commit a0ac402cfcdc ("Don't feed anything but
regular iovec's to blk_rq_map_user_iov") is also needed for this CVE. Is
it not needed for Trusty?
Was 1bc0eb044615 ("scsi: sg: protect accesses to 'reserved' page array")
a pre-req for the follow-up fixes?
Thanks,
Kleber