Linux Kernel SG_GET_REQUEST_TABLE ioctl call for /dev/sg0 local infoleak

CVE:          CVE-2018-16884
Category:     CWE-200
Price:        $5,000
Severity:     High
Author:       Jann Horn
Risk:         High
Exploitation: Local
Date:         2017-10-10
CPE:          cpe:cpe:/o:linux:linux_kernel
CVSS:         CVSS:4.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS:         0.02192
EPSSP:        0.50148

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2017100080

Below is a copy:

Linux Kernel SG_GET_REQUEST_TABLE ioctl call for /dev/sg0 local infoleak
When calling SG_GET_REQUEST_TABLE ioctl only a half-filled table is
returned; the remaining part will then contain stale kernel memory
information.  This patch zeroes out the entire table to avoid this
issue.

--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -839,7 +839,6 @@ sg_fill_request_table(Sg_fd *sfp, sg_req_info_t *rinfo)
 list_for_each_entry(srp, &sfp->rq_list, entry) {
 if (val > SG_MAX_QUEUE)
 break;
-memset(&rinfo[val], 0, SZ_SG_REQ_INFO);
 rinfo[val].req_state = srp->done + 1;
 rinfo[val].problem =
 srp->header.masked_status &
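Review bot: removing the per-entry memset makes sg_fill_request_table() depend on its caller having zeroed rinfo, which is only true for the kzalloc() in sg_ioctl(); a one-line comment on the function stating that rinfo must be pre-zeroed would stop a future caller from reintroducing the leak. Separately, the bound check `if (val > SG_MAX_QUEUE) break;` lets val reach SG_MAX_QUEUE, which for a zero-based index writes one entry past a table of SG_MAX_QUEUE entries (the size allocated in sg_ioctl() below); `>=` looks like the intended comparison.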
@@ -1047,8 +1046,8 @@ sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg)
 else {
 sg_req_info_t *rinfo;
 
-rinfo = kmalloc(SZ_SG_REQ_INFO * SG_MAX_QUEUE,
-GFP_KERNEL);
+rinfo = kzalloc(SZ_SG_REQ_INFO * SG_MAX_QUEUE,
+GFP_KERNEL);
 if (!rinfo)
 return -ENOMEM;
 read_lock_irqsave(&sfp->rq_list_lock, iflags);
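Review bot: kzalloc() closes the leak for this caller, but `SZ_SG_REQ_INFO * SG_MAX_QUEUE` is an unchecked multiplication; kcalloc(SG_MAX_QUEUE, SZ_SG_REQ_INFO, GFP_KERNEL) zeroes the buffer and also guards the size computation against overflow, which is the idiomatic form for array allocations. It is also worth confirming that the copy to user space after this hunk copies exactly the SG_MAX_QUEUE-entry table, so the zeroed tail, and nothing beyond it, is what the caller receives.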

Copyright ©2024 Exploitalert.