Bugzilla – Bug 1062568
VUL-0: CVE-2017-12190: kernel: memory leak when merging buffers in SCSI IO vectors
Last modified: 2022-03-04 20:13:54 UTC
rh#1495089

bio_map_user_iov and bio_unmap_user do unbalanced pages refcounting if IO vector has small consecutive buffers belonging to the same page. bio_add_pc_page merges them into one, but the page reference is never dropped, causing memory leak.

Proposed patch:
https://www.mail-archive.com/linux-kernel@vger.kernel.org/msg1495884.html

Reproducer:
https://www.mail-archive.com/linux-kernel@vger.kernel.org/msg1495887.html

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1495089
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-12190
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12190
http://seclists.org/oss-sec/2017/q4/52

Vitaly Mayatskikh has found that bio_map_user_iov() and bio_unmap_user() in 'block/bio.c' do unbalanced pages refcounting if IO vector has small consecutive buffers belonging to the same page. bio_add_pc_page() merges them into one, but the page reference is never dropped, causing memory leak.

Regarding security effect, the flaw is somewhat useless for an attacker on a local system as it requires SCSI disk to be present, root privileges or RAWIO caps, but this can be quickly turned into a meaningful attack if a SCSI disk is passed through to a virtual machine. An attacker can issue absolutely legit SCSI read/write commands to a disk in his VM, that will make VM's memory pages used for IO to be extra refcounted. Then attacker can power down a VM and the memory will be definitely lost. A few exploit runs with power cycles in between, and the whole host can get OOM.
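
The imbalance described in the comments above, as an added example that is not part of the bug report, the proposed patch or the reproducer: a user-space C model in which each IO vector entry pins its page, consecutive same-page entries merge into one segment, and unmap releases one pin per segment. All names are hypothetical; the `balanced` variant, which releases the pin at merge time, is this model's assumption about how the balance is restored.

```c
#include <stdio.h>
#include <string.h>
/* User-space model only: every name here is hypothetical, not kernel API. */
#define PAGE_SZ 4096UL
#define NPAGES  8
struct seg  { unsigned long addr, len; };      /* one IO vector entry */
struct bvec { unsigned long pfn, off, len; };  /* one mapped bio segment */
static int page_ref[NPAGES];                   /* pins held on each page */

/* Map: pin the page for every entry; an entry that continues the previous
 * segment in the same page is merged. Assumes no entry crosses a page. */
static size_t map_iov(const struct seg *iov, size_t n, struct bvec *bv, int balanced)
{
    size_t cnt = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned long pfn = iov[i].addr / PAGE_SZ, off = iov[i].addr % PAGE_SZ;
        page_ref[pfn]++;                        /* reference taken per entry */
        if (cnt && bv[cnt - 1].pfn == pfn &&
            bv[cnt - 1].off + bv[cnt - 1].len == off) {
            bv[cnt - 1].len += iov[i].len;      /* merged: no new segment */
            if (balanced)
                page_ref[pfn]--;                /* release the extra pin now */
        } else {
            bv[cnt++] = (struct bvec){ pfn, off, iov[i].len };
        }
    }
    return cnt;
}

/* One map/unmap cycle over constructed input; returns pins still held. */
int leaked_refs(int balanced)
{
    /* Constructed: four consecutive 512-byte buffers in page 1, one in page 2. */
    const struct seg iov[] = { {4096, 512}, {4608, 512}, {5120, 512},
                               {5632, 512}, {8192, 512} };
    struct bvec bv[5];
    int leaked = 0;
    memset(page_ref, 0, sizeof(page_ref));
    size_t cnt = map_iov(iov, 5, bv, balanced);
    for (size_t i = 0; i < cnt; i++)
        page_ref[bv[i].pfn]--;                  /* unmap: one put per segment */
    for (int p = 0; p < NPAGES; p++) leaked += page_ref[p];
    return leaked;
}

int main(void)
{
    printf("unbalanced: %d, balanced: %d\n", leaked_refs(0), leaked_refs(1));
    return 0;
}
```

Each merged entry leaves one pin behind per map/unmap cycle, so the leak grows with the number of small same-page buffers in every request rather than with the amount of data transferred.
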
patches.kernel.org/4.4.93-022-fix-unbalanced-page-refcounting-in-bio_map_use.patch
Pushed to:
- cve/linux-3.12
- cve/linux-3.0
- cve/linux-2.6.32
- cve/linux-2.6.16
- SLE15

Not needed in:
- SLE12-SP2 (already present)
- SLE12-SP3 (already present)

master/stable already moved beyond v4.14-rc5.

Assigning back to security team.
An update workflow for this issue was started. This issue was rated as important. Please submit fixed packages until 2018-03-26. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/63995
SUSE-SU-2018:0834-1: An update that solves 19 vulnerabilities and has 12 fixes is now available.
Category: security (important)
Bug References: 1010470,1012382,1045330,1062568,1063416,1066001,1067118,1068032,1072689,1072865,1074488,1075617,1075621,1077560,1078669,1078672,1078673,1078674,1080255,1080464,1080757,1082299,1083244,1083483,1083494,1083640,1084323,1085107,1085114,1085279,1085447
CVE References: CVE-2016-7915,CVE-2017-12190,CVE-2017-13166,CVE-2017-15299,CVE-2017-16644,CVE-2017-16911,CVE-2017-16912,CVE-2017-16913,CVE-2017-16914,CVE-2017-18017,CVE-2017-18204,CVE-2017-18208,CVE-2017-18221,CVE-2018-1066,CVE-2018-1068,CVE-2018-5332,CVE-2018-5333,CVE-2018-6927,CVE-2018-7566
Sources used:
SUSE Linux Enterprise Server 12-LTSS (src): kernel-default-3.12.61-52.125.1, kernel-source-3.12.61-52.125.1, kernel-syms-3.12.61-52.125.1, kernel-xen-3.12.61-52.125.1, kgraft-patch-SLE12_Update_33-1-1.3.1
SUSE Linux Enterprise Module for Public Cloud 12 (src): kernel-ec2-3.12.61-52.125.1
SUSE-SU-2018:0848-1: An update that solves 19 vulnerabilities and has 16 fixes is now available.
Category: security (important)
Bug References: 1010470,1012382,1045330,1055755,1062568,1063416,1066001,1067118,1068032,1072689,1072865,1074488,1075617,1075621,1077182,1077560,1077779,1078669,1078672,1078673,1078674,1080255,1080287,1080464,1080757,1081512,1082299,1083244,1083483,1083494,1083640,1084323,1085107,1085114,1085447
CVE References: CVE-2016-7915,CVE-2017-12190,CVE-2017-13166,CVE-2017-15299,CVE-2017-16644,CVE-2017-16911,CVE-2017-16912,CVE-2017-16913,CVE-2017-16914,CVE-2017-18017,CVE-2017-18204,CVE-2017-18208,CVE-2017-18221,CVE-2018-1066,CVE-2018-1068,CVE-2018-5332,CVE-2018-5333,CVE-2018-6927,CVE-2018-7566
Sources used:
SUSE OpenStack Cloud 6 (src): kernel-default-3.12.74-60.64.85.1, kernel-source-3.12.74-60.64.85.1, kernel-syms-3.12.74-60.64.85.1, kernel-xen-3.12.74-60.64.85.1, kgraft-patch-SLE12-SP1_Update_26-1-2.3.1
SUSE Linux Enterprise Server for SAP 12-SP1 (src): kernel-default-3.12.74-60.64.85.1, kernel-source-3.12.74-60.64.85.1, kernel-syms-3.12.74-60.64.85.1, kernel-xen-3.12.74-60.64.85.1, kgraft-patch-SLE12-SP1_Update_26-1-2.3.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src): kernel-default-3.12.74-60.64.85.1, kernel-source-3.12.74-60.64.85.1, kernel-syms-3.12.74-60.64.85.1, kernel-xen-3.12.74-60.64.85.1, kgraft-patch-SLE12-SP1_Update_26-1-2.3.1
SUSE Linux Enterprise Module for Public Cloud 12 (src): kernel-ec2-3.12.74-60.64.85.1
SUSE-SU-2018:1080-1: An update that solves 18 vulnerabilities and has 29 fixes is now available.
Category: security (important)
Bug References: 1010470,1013018,1039348,1052943,1062568,1062840,1063416,1063516,1065600,1065999,1067118,1067912,1068032,1072689,1072865,1075088,1075091,1075994,1078669,1078672,1078673,1078674,1080464,1080757,1080813,1081358,1082091,1082424,1083242,1083275,1083483,1083494,1084536,1085113,1085279,1085331,1085513,1086162,1087092,1087260,1087762,1088147,1088260,1089608,909077,940776,943786
CVE References: CVE-2015-5156,CVE-2016-7915,CVE-2017-0861,CVE-2017-12190,CVE-2017-13166,CVE-2017-16644,CVE-2017-16911,CVE-2017-16912,CVE-2017-16913,CVE-2017-16914,CVE-2017-18203,CVE-2017-18208,CVE-2017-5715,CVE-2018-10087,CVE-2018-6927,CVE-2018-7566,CVE-2018-7757,CVE-2018-8822
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): kernel-docs-3.0.101-108.38.1
SUSE Linux Enterprise Server 11-SP4 (src): kernel-bigmem-3.0.101-108.38.1, kernel-default-3.0.101-108.38.1, kernel-ec2-3.0.101-108.38.1, kernel-pae-3.0.101-108.38.1, kernel-ppc64-3.0.101-108.38.1, kernel-source-3.0.101-108.38.1, kernel-syms-3.0.101-108.38.1, kernel-trace-3.0.101-108.38.1, kernel-xen-3.0.101-108.38.1
SUSE Linux Enterprise Server 11-EXTRA (src): kernel-default-3.0.101-108.38.1, kernel-pae-3.0.101-108.38.1, kernel-ppc64-3.0.101-108.38.1, kernel-trace-3.0.101-108.38.1, kernel-xen-3.0.101-108.38.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): kernel-bigmem-3.0.101-108.38.1, kernel-default-3.0.101-108.38.1, kernel-ec2-3.0.101-108.38.1, kernel-pae-3.0.101-108.38.1, kernel-ppc64-3.0.101-108.38.1, kernel-trace-3.0.101-108.38.1, kernel-xen-3.0.101-108.38.1
SUSE-SU-2018:1172-1: An update that solves 20 vulnerabilities and has 11 fixes is now available.
Category: security (important)
Bug References: 1010470,1039348,1052943,1062568,1062840,1063416,1067118,1072689,1072865,1078669,1078672,1078673,1078674,1080464,1080757,1082424,1083242,1083483,1083494,1084536,1085331,1086162,1087088,1087209,1087260,1087762,1088147,1088260,1089608,1089752,940776
CVE References: CVE-2015-5156,CVE-2016-7915,CVE-2017-0861,CVE-2017-12190,CVE-2017-13166,CVE-2017-16644,CVE-2017-16911,CVE-2017-16912,CVE-2017-16913,CVE-2017-16914,CVE-2017-18203,CVE-2017-18208,CVE-2018-10087,CVE-2018-10124,CVE-2018-1087,CVE-2018-6927,CVE-2018-7566,CVE-2018-7757,CVE-2018-8822,CVE-2018-8897
Sources used:
SUSE Linux Enterprise Server 11-SP3-LTSS (src): kernel-bigsmp-3.0.101-0.47.106.22.1, kernel-default-3.0.101-0.47.106.22.1, kernel-ec2-3.0.101-0.47.106.22.1, kernel-pae-3.0.101-0.47.106.22.1, kernel-source-3.0.101-0.47.106.22.1, kernel-syms-3.0.101-0.47.106.22.1, kernel-trace-3.0.101-0.47.106.22.1, kernel-xen-3.0.101-0.47.106.22.1
SUSE Linux Enterprise Server 11-EXTRA (src): kernel-bigsmp-3.0.101-0.47.106.22.1, kernel-default-3.0.101-0.47.106.22.1, kernel-pae-3.0.101-0.47.106.22.1, kernel-ppc64-3.0.101-0.47.106.22.1, kernel-trace-3.0.101-0.47.106.22.1, kernel-xen-3.0.101-0.47.106.22.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src): kernel-default-3.0.101-0.47.106.22.1, kernel-ec2-3.0.101-0.47.106.22.1, kernel-pae-3.0.101-0.47.106.22.1, kernel-source-3.0.101-0.47.106.22.1, kernel-syms-3.0.101-0.47.106.22.1, kernel-trace-3.0.101-0.47.106.22.1, kernel-xen-3.0.101-0.47.106.22.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src): kernel-bigsmp-3.0.101-0.47.106.22.1, kernel-default-3.0.101-0.47.106.22.1, kernel-ec2-3.0.101-0.47.106.22.1, kernel-pae-3.0.101-0.47.106.22.1, kernel-trace-3.0.101-0.47.106.22.1, kernel-xen-3.0.101-0.47.106.22.1
done
SUSE-SU-2018:1309-1: An update that solves 18 vulnerabilities and has 36 fixes is now available.
Category: security (important)
Bug References: 1010470,1013018,1032084,1039348,1050431,1052943,1062568,1062840,1063416,1063516,1065600,1065999,1067118,1067912,1068032,1072689,1072865,1075088,1075091,1075994,1078669,1078672,1078673,1078674,1080464,1080757,1080813,1081358,1082091,1082424,1083242,1083275,1083483,1083494,1084536,1085113,1085279,1085331,1085513,1086162,1087092,1087209,1087260,1087762,1088147,1088260,1089608,1089665,1089668,1089752,909077,940776,943786,951638
CVE References: CVE-2015-5156,CVE-2016-7915,CVE-2017-0861,CVE-2017-12190,CVE-2017-13166,CVE-2017-16644,CVE-2017-16911,CVE-2017-16912,CVE-2017-16913,CVE-2017-16914,CVE-2017-18203,CVE-2017-18208,CVE-2018-10087,CVE-2018-10124,CVE-2018-6927,CVE-2018-7566,CVE-2018-7757,CVE-2018-8822
Sources used:
SUSE Linux Enterprise Real Time Extension 11-SP4 (src): kernel-rt-3.0.101.rt130-69.24.1, kernel-rt_trace-3.0.101.rt130-69.24.1, kernel-source-rt-3.0.101.rt130-69.24.1, kernel-syms-rt-3.0.101.rt130-69.24.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): kernel-rt-3.0.101.rt130-69.24.1, kernel-rt_debug-3.0.101.rt130-69.24.1, kernel-rt_trace-3.0.101.rt130-69.24.1