Bug 1495089 - (CVE-2017-12190) CVE-2017-12190 kernel: memory leak when merging buffers in SCSI IO vectors
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
unspecified
All Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
impact=moderate,public=20170921,repor...
: Security
Depends On: 1503591 1503580 1503589 1503590 1503592 1503593
Blocks: 1495091
Reported: 2017-09-25 03:40 EDT by Adam Mariš
Modified: 2018-08-28 18:22 EDT
Doc Type: Bug Fix
Doc Text:
It was found that in the Linux kernel through v4.14-rc5, bio_map_user_iov() and bio_unmap_user() in 'block/bio.c' perform unbalanced page refcounting if an IO vector has small consecutive buffers belonging to the same page. bio_add_pc_page() merges them into one, but the page reference is never dropped, causing a memory leak and a possible system lockup due to an out-of-memory condition.

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:0654 None None None 2018-04-10 01:05 EDT
Red Hat Product Errata RHSA-2018:0676 None None None 2018-04-10 04:08 EDT
Red Hat Product Errata RHSA-2018:1062 None None None 2018-04-10 05:31 EDT
Red Hat Product Errata RHSA-2018:1854 None None None 2018-06-19 00:48 EDT

Description Adam Mariš 2017-09-25 03:40:49 EDT
bio_map_user_iov and bio_unmap_user do unbalanced page refcounting if an IO vector has small consecutive buffers belonging to the same page. bio_add_pc_page merges them into one, but the page reference is never dropped, causing a memory leak.

References:

http://seclists.org/oss-sec/2017/q4/52

https://bugzilla.suse.com/show_bug.cgi?id=1062568

Discussion:

https://marc.info/?t=150605752800001&r=1&w=2

Proposed patch and reproducer:

https://www.mail-archive.com/linux-kernel@vger.kernel.org/msg1495884.html

https://www.mail-archive.com/linux-kernel@vger.kernel.org/msg1495887.html

Related upstream commits:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=95d78c28b5a85bacbc29b8dba7c04babb9b0d467

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=2b04e8f6bbb196cab4b232af0f8d48ff2c7a8058
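
The refcount imbalance described above, as an added userspace model (not kernel code and not taken from this report or the linked commits). The names map_iov, unmap_bio, leaked_refs and drop_on_merge are hypothetical, the IO vector is constructed, and releasing the extra reference at merge time is shown as one way to balance the counts.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SIZE 4096u
#define NPAGES 8
#define MAX_VECS 16

struct seg { uintptr_t addr; size_t len; };  /* one user iovec entry */
struct vec { size_t pfn, off, len; };        /* one bio_vec in this model */

static int refs[NPAGES];                     /* modelled per-page reference counts */

/* Map side: one page reference is taken per segment, but a segment that
 * continues the previous bio_vec on the same page is merged into it. */
static size_t map_iov(const struct seg *iov, size_t n, struct vec *bv, int drop_on_merge)
{
    size_t cnt = 0;
    for (size_t i = 0; i < n; i++) {
        size_t pfn = iov[i].addr / PAGE_SIZE, off = iov[i].addr % PAGE_SIZE;
        refs[pfn]++;                         /* models pinning the user page */
        if (cnt && bv[cnt - 1].pfn == pfn && bv[cnt - 1].off + bv[cnt - 1].len == off) {
            bv[cnt - 1].len += iov[i].len;   /* models the merge in bio_add_pc_page() */
            if (drop_on_merge)
                refs[pfn]--;                 /* balanced variant: merged segment keeps no ref */
            continue;
        }
        bv[cnt++] = (struct vec){ pfn, off, iov[i].len };
    }
    return cnt;
}

/* Unmap side: exactly one reference is released per bio_vec. */
static void unmap_bio(const struct vec *bv, size_t cnt)
{
    for (size_t i = 0; i < cnt; i++)
        refs[bv[i].pfn]--;
}

/* Constructed input: three adjacent 16-byte buffers in page 1, one buffer in page 3. */
int leaked_refs(int drop_on_merge)
{
    const struct seg iov[] = { {0x1000, 16}, {0x1010, 16}, {0x1020, 16}, {0x3000, 64} };
    struct vec bv[MAX_VECS];
    int leaked = 0;
    for (size_t i = 0; i < NPAGES; i++) refs[i] = 0;
    unmap_bio(bv, map_iov(iov, sizeof iov / sizeof iov[0], bv, drop_on_merge));
    for (size_t i = 0; i < NPAGES; i++) leaked += refs[i];
    return leaked;                           /* references still held after unmap */
}

int main(void)
{
    printf("unbalanced: %d leaked, balanced: %d leaked\n", leaked_refs(0), leaked_refs(1));
    return 0;
}
```

Each merged segment leaves one reference behind after unmap, so a pinned page is never freed, which is how repeated requests lead to the out-of-memory condition the report describes.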
Comment 2 Vladis Dronov 2017-10-18 07:50:17 EDT
Acknowledgments:

Name: Vitaly Mayatskih
Comment 4 Vladis Dronov 2017-10-18 08:25:25 EDT
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1503580]
Comment 5 Vladis Dronov 2017-10-18 08:53:33 EDT
Statement:

This issue affects the Linux kernel packages as shipped with Red Hat Enterprise Linux 5. This is not currently planned to be addressed in future updates of the product due to its life cycle. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.

This issue affects the Linux kernel packages as shipped with Red Hat Enterprise Linux 6, 7 and MRG-2. Future updates for the respective releases may address this issue.
Comment 7 Fedora Update System 2017-10-24 01:27:10 EDT
kernel-4.13.8-300.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2017-10-25 17:19:02 EDT
kernel-4.13.8-100.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2017-10-25 19:12:10 EDT
kernel-4.13.8-200.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.
Comment 10 errata-xmlrpc 2018-04-10 01:04:34 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:0654 https://access.redhat.com/errata/RHSA-2018:0654
Comment 11 errata-xmlrpc 2018-04-10 04:07:45 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:0676 https://access.redhat.com/errata/RHSA-2018:0676
Comment 12 errata-xmlrpc 2018-04-10 05:31:22 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:1062 https://access.redhat.com/errata/RHSA-2018:1062
Comment 13 errata-xmlrpc 2018-06-19 00:47:41 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2018:1854 https://access.redhat.com/errata/RHSA-2018:1854
