Red Hat Bugzilla – Bug 1403145
CVE-2016-9576 kernel: Use after free in SCSI generic device interface
Last modified: 2018-08-28 18:11:06 EDT
Use-after-free vulnerability in SCSI generic device interface has been reported which allows kernel memory read/write when having access to /dev/sg* SCSI generic devices. This issue affects versions of Linux down to 2.6. This was assigned CVE-2016-9576. Initial message: https://www.spinics.net/lists/linux-scsi/msg102232.html Upstream patch: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=a0ac402cfcdc904f9772e1762b3fda112dcc56a0 Oss-security post: http://seclists.org/oss-sec/2016/q4/644 Later an additional fix was developed, it was assigned CVE-2016-10088, see: https://bugzilla.redhat.com/show_bug.cgi?id=1412210
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1403146]
Statement: This issue does not affect the Linux kernel packages as shipped with Red Hat Enterprise Linux 5 as the code which can trigger the flaw is not present in the products listed. This issue affects the Linux kernel packages as shipped with Red Hat Enterprise Linux 6, 7 and MRG-2. Future Linux kernel updates for the respective releases might address this issue.
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2017:0817 https://rhn.redhat.com/errata/RHSA-2017-0817.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2017:2077 https://access.redhat.com/errata/RHSA-2017:2077
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2017:1842 https://access.redhat.com/errata/RHSA-2017:1842
This issue has been addressed in the following products: Red Hat Enterprise MRG 2 Via RHSA-2017:2669 https://access.redhat.com/errata/RHSA-2017:2669