Bug 1589324 (CVE-2018-1000204)
Summary: | CVE-2018-1000204 kernel: Infoleak caused by incorrect handling of the SG_IO ioctl | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Pedro Sampaio <psampaio> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | low | Docs Contact: | |
Priority: | low | ||
Version: | unspecified | CC: | airlied, aquini, bhu, blc, bskeggs, dhoward, ewk, fhrbata, hdegoede, hkrzesin, hwkernel-mgr, iboverma, ichavero, itamar, jarodwilson, jforbes, jglisse, jkacur, jmoyer, john.j5live, jonathan, josef, jross, jwboyer, kernel-maint, kernel-mgr, labbott, lgoncalv, linville, matt, mchehab, mcressma, mjg59, mlangsdo, nmurray, plougher, rt-maint, rvrbovsk, security-response-team, skozina, steved, vdronov, williams, wmealing |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | If docs needed, set a value | |
Doc Text: |
A malformed SG_IO ioctl issued for a SCSI device in the Linux kernel leads to a local kernel data leak manifesting in up to approximately 1000 memory pages copied to the userspace. The problem has limited scope as non-privileged users usually have no permissions to access SCSI device files.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2019-06-10 10:28:30 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1589688, 1592371 | ||
Bug Blocks: | 1589326 |
Description
Pedro Sampaio
2018-06-08 17:12:29 UTC
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1589688] This was fixed for Fedora with the 4.16.12 stable updates. (In reply to Pedro Sampaio from comment #0) > A malformed SG_IO ioctl issued for a SCSI device in the Linux kernel leads > to a local kernel data leak manifesting in up to approx. 1000 memory pages > copied to the userspace. The problem has limited scope, as non-privileged > users usually have no permissions to access SCSI device files. ^^^^^^^ The allocation will be zeroed if the user doesn't have the right capabilities: if (!capable(CAP_SYS_ADMIN) || !capable(CAP_SYS_RAWIO)) gfp_mask |= __GFP_ZERO; The justification for this as a security issue was that documentation guided users to chmod the sg device to be world writeable. That isn't enough to cause a data leak. I'd say this is not a security issue at all. If you have CAP_SYS_ADMIN or CAP_SYS_RAWIO, it's game over already. > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/ > ?id=a45b599ad808c3c982fdcdc12b0b8611c2f92824 And this patch was poorly done, IMO. Here's the follow-up I sent upstream: https://marc.info/?l=linux-scsi&m=152933023515279&w=2 (In reply to Jeff Moyer from comment #7) > The justification for this as a security issue was that documentation guided > users to chmod the sg device to be world writeable. That isn't enough to > cause a data leak. Indeed, thank you Jeff for mentioning this. So a data leak is possible only when a user is granted CAP_SYS_ADMIN or CAP_SYS_RAWIO (not in the namespaces) and it is not root. Which makes an attack surface and a security impact quite small. We are going to adjust a security impact of this flaw to Low. This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2018:2948 https://access.redhat.com/errata/RHSA-2018:2948 |