Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.
Bug 1403145 (CVE-2016-9576) - CVE-2016-9576 kernel: Use after free in SCSI generic device interface
Summary: CVE-2016-9576 kernel: Use after free in SCSI generic device interface
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2016-9576
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1403146 1414823 1414834 1414835 1414836 1414837
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-12-09 08:40 UTC by Adam Mariš
Modified: 2021-02-17 02:54 UTC (History)
37 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
It was found that the blk_rq_map_user_iov() function in the Linux kernel's block device implementation did not properly restrict the type of iterator, which could allow a local attacker to read or write to arbitrary kernel memory locations or cause a denial of service (use-after-free) by leveraging write access to a /dev/sg device.
Clone Of:
Environment:
Last Closed: 2019-06-08 03:04:08 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2017:3163 0 normal SHIPPED_LIVE new packages: kernel-alt 2017-11-09 14:59:25 UTC
Red Hat Product Errata RHSA-2017:0817 0 normal SHIPPED_LIVE Moderate: kernel security, bug fix, and enhancement update 2017-03-21 13:06:51 UTC
Red Hat Product Errata RHSA-2017:1842 0 normal SHIPPED_LIVE Important: kernel security, bug fix, and enhancement update 2017-08-01 18:22:09 UTC
Red Hat Product Errata RHSA-2017:2077 0 normal SHIPPED_LIVE Important: kernel-rt security, bug fix, and enhancement update 2017-08-01 18:13:37 UTC
Red Hat Product Errata RHSA-2017:2669 0 normal SHIPPED_LIVE Important: kernel-rt security and bug fix update 2017-09-07 00:36:52 UTC

Description Adam Mariš 2016-12-09 08:40:42 UTC
Use-after-free vulnerability in SCSI generic device interface has been reported which allows kernel memory read/write when having access to /dev/sg* SCSI generic devices. This issue affects versions of Linux down to 2.6. This was assigned CVE-2016-9576.

Initial message:

https://www.spinics.net/lists/linux-scsi/msg102232.html

Upstream patch:

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=a0ac402cfcdc904f9772e1762b3fda112dcc56a0

Oss-security post:

http://seclists.org/oss-sec/2016/q4/644

Later an additional fix was developed, it was assigned CVE-2016-10088, see:

https://bugzilla.redhat.com/show_bug.cgi?id=1412210

Comment 1 Adam Mariš 2016-12-09 08:42:13 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1403146]

Comment 8 Vladis Dronov 2017-01-19 15:22:47 UTC
Statement:

This issue does not affect the Linux kernel packages as shipped with Red Hat Enterprise Linux 5 as the code which can trigger the flaw is not present in the products listed.

This issue affects the Linux kernel packages as shipped with Red Hat Enterprise Linux 6, 7 and MRG-2. Future Linux kernel updates for the respective releases might address this issue.

Comment 11 errata-xmlrpc 2017-03-21 13:46:05 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2017:0817 https://rhn.redhat.com/errata/RHSA-2017-0817.html

Comment 13 errata-xmlrpc 2017-08-01 19:11:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:2077 https://access.redhat.com/errata/RHSA-2017:2077

Comment 14 errata-xmlrpc 2017-08-02 07:51:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:1842 https://access.redhat.com/errata/RHSA-2017:1842

Comment 15 errata-xmlrpc 2017-09-06 20:39:17 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise MRG 2

Via RHSA-2017:2669 https://access.redhat.com/errata/RHSA-2017:2669


Note You need to log in before you can comment on or make changes to this bug.