Bug 1757375 (CVE-2017-18550)

Summary: CVE-2017-18550 kernel: information exposure in drivers/scsi/aacraid/commctrl.c
Product: [Other] Security Response
Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: acaringi, airlied, bdettelb, bhu, blc, brdeoliv, bskeggs, dhoward, dominik.mierzejewski, dvlasenk, esammons, fhrbata, hdegoede, hkrzesin, iboverma, ichavero, itamar, jarodwilson, jeremy, jforbes, jglisse, jlelli, john.j5live, jonathan, josef, jross, jschorr, jshortt, jstancek, jwboyer, kernel-maint, kernel-mgr, labbott, lgoncalv, linville, masami256, matt, mchehab, mcressma, mjg59, mlangsdo, nmurray, plougher, rt-maint, rvrbovsk, steved, williams
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in drivers/scsi/aacraid/commctrl.c in the Linux kernel, where there is potential exposure of kernel stack memory because the aac_get_hba_info function does not initialize the hbainfo structure. An attacker with the relevant permissions can issue an ioctl to an aacraid device.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-02-14 08:09:34 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1757376
Bug Blocks: 1757377

Description Dhananjay Arunesh 2019-10-01 10:43:31 UTC
An issue was discovered in drivers/scsi/aacraid/commctrl.c in the Linux kernel. There is potential exposure of kernel stack memory because aac_get_hba_info does not initialize the hbainfo structure.

Reference:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=342ffc26693b528648bdc9377e51e4f2450b4860
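Added example, not taken from the bug report or from the aacraid driver: a user-space C model of the bug class the description names, where an ioctl handler fills only part of a stack-allocated struct and then copies the whole struct out to the caller, shown next to the zero-initialize-first form. The struct layout, the handler names get_hba_info_unsafe and get_hba_info_fixed, and the field values are constructed for illustration; the storage is pre-filled with a marker byte to stand in for stale stack contents, so the amount of "old stack" that reaches the output is deterministic and countable.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical layout standing in for the driver's hbainfo structure; the
 * real aacraid struct is not reproduced here. */
struct hba_info {
    uint8_t  driver_version[4];   /* fully written by the handler */
    uint16_t vendor_id;           /* written; compiler padding usually follows */
    uint32_t serial;              /* written */
    char     model[16];           /* only a short prefix is written */
    uint64_t reserved;            /* never written at all */
};

/* Marker planted in the storage so "stale stack bytes" are observable. */
#define STALE_BYTE 0xA5u

/* Models whatever an earlier call left behind on the kernel stack. */
static void taint_storage(struct hba_info *slot)
{
    memset(slot, STALE_BYTE, sizeof(*slot));
}

/* The part of the handler both versions share: populate some fields.
 * Values are constructed for the example. */
static void fill_known_fields(struct hba_info *info)
{
    info->driver_version[0] = 1;
    info->driver_version[1] = 2;
    info->driver_version[2] = 0;
    info->driver_version[3] = 0;
    info->vendor_id = 0x9005;
    info->serial = 12345;
    memcpy(info->model, "AAC-X", 5);   /* model[5..15] left untouched */
}

/* Buggy pattern: 'slot' plays the role of the uninitialized stack variable.
 * Everything fill_known_fields() did not write, padding included, is copied
 * out verbatim, the way copy_to_user() would hand it to the caller. */
static size_t get_hba_info_unsafe(struct hba_info *slot, uint8_t *user_out)
{
    fill_known_fields(slot);
    memcpy(user_out, slot, sizeof(*slot));
    return sizeof(*slot);
}

/* Hardened pattern: zero the whole object first. memset is used rather than
 * a designated initializer because C does not guarantee that padding bytes
 * are zeroed by an initializer. */
static size_t get_hba_info_fixed(struct hba_info *slot, uint8_t *user_out)
{
    memset(slot, 0, sizeof(*slot));
    fill_known_fields(slot);
    memcpy(user_out, slot, sizeof(*slot));
    return sizeof(*slot);
}

/* Count bytes of the copied-out buffer that still carry the stale marker. */
size_t count_stale_bytes(const uint8_t *buf, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        if (buf[i] == STALE_BYTE)
            n++;
    return n;
}

/* Drive one handler against tainted storage and report how many bytes of
 * "old stack" reached the user buffer. */
static size_t leaked_bytes(size_t (*handler)(struct hba_info *, uint8_t *))
{
    struct hba_info slot;
    uint8_t user_out[sizeof(struct hba_info)];
    taint_storage(&slot);
    size_t n = handler(&slot, user_out);
    return count_stale_bytes(user_out, n);
}

size_t leaked_bytes_unsafe(void) { return leaked_bytes(get_hba_info_unsafe); }
size_t leaked_bytes_fixed(void)  { return leaked_bytes(get_hba_info_fixed); }

int main(void)
{
    printf("struct size: %zu bytes\n", sizeof(struct hba_info));
    printf("unsafe handler leaks %zu stale bytes\n", leaked_bytes_unsafe());
    printf("fixed  handler leaks %zu stale bytes\n", leaked_bytes_fixed());
    return 0;
}
```

The unwritten tail of `model` and the whole of `reserved` account for 19 leaked bytes on any ABI; the exact total is higher by however much alignment padding the compiler inserts, which is why a zeroing memset over the full object, not per-field initialization, is the robust fix. In a kernel build the same class of defect is also caught at runtime by KMSAN, and blunted generically by CONFIG_INIT_STACK_ALL_ZERO.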

Comment 1 Dhananjay Arunesh 2019-10-01 10:44:03 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1757376]

Comment 2 Justin M. Forbes 2019-10-01 13:51:37 UTC
This was fixed in upstream kernel 4.13 and has never impacted any still currently supported release of Fedora.

Comment 5 Wade Mealing 2020-02-14 04:48:32 UTC
Mitigation:

There is no known mitigation for this flaw. Preventing users from being able to issue an ioctl to this device, by removing the relevant permissions to do so, will limit the information exposure.

Comment 6 Product Security DevOps Team 2020-02-14 08:09:34 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2017-18550