NAK: [PATCH 0/3][T] CVE-2016-9576 - Arbitrary kernel memory reads/writes in the SCSI driver

Tyler Hicks tyhicks at canonical.com
Fri Sep 28 14:59:04 UTC 2018


On 2018-09-28 11:07:17, Kleber Souza wrote:
> On 09/14/18 20:52, Tyler Hicks wrote:
> > https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-9576.html
> > 
> >  The blk_rq_map_user_iov function in block/blk-map.c in the Linux kernel
> >  before 4.8.14 does not properly restrict the type of iterator, which allows
> >  local users to read or write to arbitrary kernel memory locations or cause
> >  a denial of service (use-after-free) by leveraging access to a /dev/sg
> >  device.
> > 
> > I've manually tested these patches using the syzkaller reproducer and
> > sg_dd from sg3-utils inside of a VM with a SCSI drive attached.
> > 
> > Tyler
> > 
> > 
> 
> Hi Tyler,
> 
> The CVE matrix states that commit a0ac402cfcdc ("Don't feed anything but
> regular iovec's to blk_rq_map_user_iov") is also needed for this CVE. Is
> it not needed for Trusty?
> 
> Was 1bc0eb044615 ("scsi: sg: protect accesses to 'reserved' page array")
> a pre-req for the follow-up fixes?

It took me a little while to figure out what happened, but I've just
realized that I mixed up CVE-2016-9576 and CVE-2017-0794 in both the CVE
tracker and in this patchset. That made it really difficult to
understand the confusion.

I'll get all this fixed up in UCT and send out new patchsets. Thanks for
catching this mistake.

Tyler