Bug 1495089 (CVE-2017-12190) - CVE-2017-12190 kernel: memory leak when merging buffers in SCSI IO vectors
Summary: CVE-2017-12190 kernel: memory leak when merging buffers in SCSI IO vectors
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2017-12190
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1503580 1503589 1503590 1503591 1503592 1503593 1695822 1695823
Blocks: 1495091
 
Reported: 2017-09-25 07:40 UTC by Adam Mariš
Modified: 2023-03-24 13:52 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
It was found that in the Linux kernel through v4.14-rc5, bio_map_user_iov() and bio_unmap_user() in 'block/bio.c' perform unbalanced page reference counting when an IO vector has small consecutive buffers belonging to the same page. bio_add_pc_page() merges them into one, but the page reference is never dropped, causing a memory leak and a possible system lockup due to an out-of-memory condition.
Clone Of:
Environment:
Last Closed: 2019-06-08 03:26:11 UTC
Embargoed:




Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2018:0654 | 0 | None | None | None | 2018-04-10 05:05:01 UTC
Red Hat Product Errata | RHSA-2018:0676 | 0 | None | None | None | 2018-04-10 08:08:06 UTC
Red Hat Product Errata | RHSA-2018:1062 | 0 | None | None | None | 2018-04-10 09:31:43 UTC
Red Hat Product Errata | RHSA-2018:1854 | 0 | None | None | None | 2018-06-19 04:48:06 UTC
Red Hat Product Errata | RHSA-2019:1170 | 0 | None | None | None | 2019-05-14 19:08:22 UTC
Red Hat Product Errata | RHSA-2019:1190 | 0 | None | None | None | 2019-05-14 20:26:39 UTC

Description Adam Mariš 2017-09-25 07:40:49 UTC
bio_map_user_iov and bio_unmap_user do unbalanced page refcounting if the IO vector has small consecutive buffers belonging to the same page. bio_add_pc_page merges them into one, but the page reference is never dropped, causing a memory leak.

References:

http://seclists.org/oss-sec/2017/q4/52

https://bugzilla.suse.com/show_bug.cgi?id=1062568

Discussion:

https://marc.info/?t=150605752800001&r=1&w=2

Proposed patch and reproducer:

https://www.mail-archive.com/linux-kernel@vger.kernel.org/msg1495884.html

https://www.mail-archive.com/linux-kernel@vger.kernel.org/msg1495887.html

Related upstream commits:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=95d78c28b5a85bacbc29b8dba7c04babb9b0d467

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=2b04e8f6bbb196cab4b232af0f8d48ff2c7a8058
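
The refcount imbalance described above, as a simplified userspace model added here for illustration; it is not kernel code and not taken from the referenced patch. The names (leaked_refs, put_on_merge, constructed_iov) and the 4096-byte page size are assumptions of the model, which also assumes every buffer lies within a single page.

```c
#include <stdio.h>
#include <stddef.h>

#define PAGE_SZ   4096UL
#define MAX_PAGES 8
#define MAX_VECS  16

struct seg  { unsigned long addr, len; };          /* one user buffer (iovec entry) */
struct bvec { int page; unsigned long off, len; }; /* one merged bio segment */

/* Constructed input: four adjacent 512-byte buffers in page 1, one in page 2. */
static const struct seg constructed_iov[] = {
    {4096, 512}, {4608, 512}, {5120, 512}, {5632, 512}, {8192, 512},
};

/* Map then unmap; return page references still held (-1 on bad input).
 * put_on_merge=0 models the unbalanced accounting, 1 the rebalanced one. */
int leaked_refs(const struct seg *iov, size_t n, int put_on_merge)
{
    int refs[MAX_PAGES] = {0}, leaked = 0;
    struct bvec bv[MAX_VECS];
    size_t vcnt = 0;

    if (n > MAX_VECS) return -1;
    for (size_t i = 0; i < n; i++) {
        unsigned long pg = iov[i].addr / PAGE_SZ, off = iov[i].addr % PAGE_SZ;
        if (pg >= MAX_PAGES || iov[i].len == 0 || iov[i].len > PAGE_SZ - off)
            return -1;                 /* model assumes buffers stay in one page */
        refs[pg]++;                    /* map: one reference taken per buffer */
        if (vcnt && bv[vcnt - 1].page == (int)pg &&
            bv[vcnt - 1].off + bv[vcnt - 1].len == off) {
            bv[vcnt - 1].len += iov[i].len;   /* merged into previous segment */
            if (put_on_merge) refs[pg]--;     /* drop the now-redundant ref */
            continue;
        }
        bv[vcnt++] = (struct bvec){ (int)pg, off, iov[i].len };
    }
    for (size_t i = 0; i < vcnt; i++) refs[bv[i].page]--;  /* unmap: one put per segment */
    for (int p = 0; p < MAX_PAGES; p++) leaked += refs[p];
    return leaked;
}

int main(void)
{
    size_t n = sizeof constructed_iov / sizeof constructed_iov[0];
    printf("unbalanced: %d leaked refs\n", leaked_refs(constructed_iov, n, 0));
    printf("rebalanced: %d leaked refs\n", leaked_refs(constructed_iov, n, 1));
    return 0;
}
```

Each merged buffer leaves one reference behind in the unbalanced case, so the leak grows with the number of small adjacent buffers per request, which is what makes sustained memory growth a useful signal when triaging unpatched hosts.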

Comment 2 Vladis Dronov 2017-10-18 11:50:17 UTC
Acknowledgments:

Name: Vitaly Mayatskih

Comment 4 Vladis Dronov 2017-10-18 12:25:25 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1503580]

Comment 5 Vladis Dronov 2017-10-18 12:53:33 UTC
Statement:

This issue affects the Linux kernel packages as shipped with Red Hat Enterprise Linux 5. This is not currently planned to be addressed in future updates of the product due to its life cycle. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.

This issue affects the Linux kernel packages as shipped with Red Hat Enterprise Linux 6, 7 and MRG-2. Future updates for the respective releases may address this issue.

Comment 7 Fedora Update System 2017-10-24 05:27:10 UTC
kernel-4.13.8-300.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2017-10-25 21:19:02 UTC
kernel-4.13.8-100.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2017-10-25 23:12:10 UTC
kernel-4.13.8-200.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

Comment 10 errata-xmlrpc 2018-04-10 05:04:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:0654 https://access.redhat.com/errata/RHSA-2018:0654

Comment 11 errata-xmlrpc 2018-04-10 08:07:45 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:0676 https://access.redhat.com/errata/RHSA-2018:0676

Comment 12 errata-xmlrpc 2018-04-10 09:31:22 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:1062 https://access.redhat.com/errata/RHSA-2018:1062

Comment 13 errata-xmlrpc 2018-06-19 04:47:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2018:1854 https://access.redhat.com/errata/RHSA-2018:1854

Comment 15 errata-xmlrpc 2019-05-14 19:08:19 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Extended Update Support

Via RHSA-2019:1170 https://access.redhat.com/errata/RHSA-2019:1170

Comment 16 errata-xmlrpc 2019-05-14 20:26:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise MRG 2

Via RHSA-2019:1190 https://access.redhat.com/errata/RHSA-2019:1190

