Bug 1495089 (CVE-2017-12190) - CVE-2017-12190 kernel: memory leak when merging buffers in SCSI IO vectors
Summary: CVE-2017-12190 kernel: memory leak when merging buffers in SCSI IO vectors
Status: NEW
Alias: CVE-2017-12190
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
Whiteboard: impact=moderate,public=20170921,repor...
Keywords: Security
Depends On: 1503591 1503580 1503589 1503590 1503592 1503593
Blocks: 1495091
Reported: 2017-09-25 07:40 UTC by Adam Mariš
Modified: 2018-08-28 22:22 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
It was found that in the Linux kernel through v4.14-rc5, bio_map_user_iov() and bio_unmap_user() in 'block/bio.c' perform unbalanced page refcounting if an IO vector has small consecutive buffers belonging to the same page. bio_add_pc_page() merges them into one, but the page reference is never dropped, causing a memory leak and a possible system lockup due to an out-of-memory condition.
External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:0654 None None None 2018-04-10 05:05 UTC
Red Hat Product Errata RHSA-2018:0676 None None None 2018-04-10 08:08 UTC
Red Hat Product Errata RHSA-2018:1062 None None None 2018-04-10 09:31 UTC
Red Hat Product Errata RHSA-2018:1854 None None None 2018-06-19 04:48 UTC

Description Adam Mariš 2017-09-25 07:40:49 UTC
bio_map_user_iov and bio_unmap_user do unbalanced page refcounting if an IO vector has small consecutive buffers belonging to the same page. bio_add_pc_page merges them into one, but the page reference is never dropped, causing a memory leak.

References:

http://seclists.org/oss-sec/2017/q4/52

https://bugzilla.suse.com/show_bug.cgi?id=1062568

Discussion:

https://marc.info/?t=150605752800001&r=1&w=2

Proposed patch and reproducer:

https://www.mail-archive.com/linux-kernel@vger.kernel.org/msg1495884.html

https://www.mail-archive.com/linux-kernel@vger.kernel.org/msg1495887.html

Related upstream commits:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=95d78c28b5a85bacbc29b8dba7c04babb9b0d467

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=2b04e8f6bbb196cab4b232af0f8d48ff2c7a8058
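
The refcount imbalance described above, as an added user-space model (not code from the kernel, the patch, or this bug report): one reference is taken per buffer, merged buffers share one vector entry, and unmap drops one reference per entry. The names `page0`, `add_page`, `map_iov`, `unmap` and `leaked_refs` are hypothetical, and the `drop_on_merge` path is an assumed way of balancing the count.

```c
#include <stdio.h>
#include <stddef.h>

/* Simplified user-space model (constructed for illustration), not kernel code. */
struct page { int refcount; };
struct bvec { struct page *page; size_t off, len; };
struct bio  { struct bvec vec[8]; int vcnt; };
static struct page page0;   /* the single user page every buffer falls in */

/* Models the merge: extend the previous entry if contiguous in the same page. */
static void add_page(struct bio *b, struct page *p, size_t off, size_t len)
{
    struct bvec *prev = b->vcnt ? &b->vec[b->vcnt - 1] : NULL;
    if (prev && prev->page == p && prev->off + prev->len == off)
        prev->len += len;
    else
        b->vec[b->vcnt++] = (struct bvec){ p, off, len };
}

/* Map nseg consecutive 512-byte buffers; one page reference is taken per buffer. */
static void map_iov(struct bio *b, int nseg, int drop_on_merge)
{
    for (int i = 0; i < nseg; i++) {
        int prev_vcnt = b->vcnt;
        page0.refcount++;
        add_page(b, &page0, (size_t)i * 512, 512);
        if (drop_on_merge && b->vcnt == prev_vcnt)
            page0.refcount--;   /* merged: the earlier entry already holds a ref */
    }
}

/* Unmap drops exactly one reference per vector entry. */
static void unmap(struct bio *b)
{
    for (int i = 0; i < b->vcnt; i++)
        b->vec[i].page->refcount--;
    b->vcnt = 0;
}

/* References left on the page after one map/unmap cycle (0 means balanced). */
int leaked_refs(int nseg, int drop_on_merge)
{
    struct bio b = { .vcnt = 0 };
    if (nseg > 8) nseg = 8;     /* keep all buffers inside the one page */
    page0.refcount = 0;
    map_iov(&b, nseg, drop_on_merge);
    unmap(&b);
    return page0.refcount;
}

int main(void)
{
    printf("unbalanced: %d left, balanced: %d left\n", leaked_refs(4, 0), leaked_refs(4, 1));
    return 0;
}
```

In this model every merged buffer leaves one reference behind per map/unmap cycle, so the page can never be freed.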

Comment 2 Vladis Dronov 2017-10-18 11:50:17 UTC
Acknowledgments:

Name: Vitaly Mayatskih

Comment 4 Vladis Dronov 2017-10-18 12:25:25 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1503580]

Comment 5 Vladis Dronov 2017-10-18 12:53:33 UTC
Statement:

This issue affects the Linux kernel packages as shipped with Red Hat Enterprise Linux 5. This is not currently planned to be addressed in future updates of the product due to its life cycle. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.

This issue affects the Linux kernel packages as shipped with Red Hat Enterprise Linux 6, 7 and MRG-2. Future updates for the respective releases may address this issue.

Comment 7 Fedora Update System 2017-10-24 05:27:10 UTC
kernel-4.13.8-300.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2017-10-25 21:19:02 UTC
kernel-4.13.8-100.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2017-10-25 23:12:10 UTC
kernel-4.13.8-200.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

Comment 10 errata-xmlrpc 2018-04-10 05:04:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:0654 https://access.redhat.com/errata/RHSA-2018:0654

Comment 11 errata-xmlrpc 2018-04-10 08:07:45 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:0676 https://access.redhat.com/errata/RHSA-2018:0676

Comment 12 errata-xmlrpc 2018-04-10 09:31:22 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:1062 https://access.redhat.com/errata/RHSA-2018:1062

Comment 13 errata-xmlrpc 2018-06-19 04:47:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2018:1854 https://access.redhat.com/errata/RHSA-2018:1854

