Bug 1589324 (CVE-2018-1000204) - CVE-2018-1000204 kernel: Infoleak caused by incorrect handling of the SG_IO ioctl
Summary: CVE-2018-1000204 kernel: Infoleak caused by incorrect handling of the SG_IO i...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2018-1000204
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1589688 1592371
Blocks: 1589326
TreeView+ depends on / blocked
 
Reported: 2018-06-08 17:12 UTC by Pedro Sampaio
Modified: 2021-02-17 00:08 UTC (History)
44 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2019-06-10 10:28:30 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:2948 0 None None None 2018-10-30 09:02:19 UTC

Description Pedro Sampaio 2018-06-08 17:12:29 UTC 
A malformed SG_IO ioctl issued for a SCSI device in the Linux kernel leads to a local kernel data leak manifesting in up to approx. 1000 memory pages copied to the userspace. The problem has limited scope, as non-privileged users usually have no permissions to access SCSI device files.

References:

http://seclists.org/oss-sec/2018/q2/168

An upstream patch:

http://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a45b599ad808c3c982fdcdc12b0b8611c2f92824

http://marc.info/?l=linux-scsi&m=152933023515279&w=2 (suggested but not approved at the time of this writing)
Comment 2 Adam Mariš 2018-06-11 08:03:43 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1589688]
Comment 3 Justin M. Forbes 2018-06-11 13:16:22 UTC 
This was fixed for Fedora with the 4.16.12 stable updates.
Comment 7 Jeff Moyer 2018-06-18 13:59:31 UTC 
(In reply to Pedro Sampaio from comment #0)
> A malformed SG_IO ioctl issued for a SCSI device in the Linux kernel leads
> to a local kernel data leak manifesting in up to approx. 1000 memory pages
> copied to the userspace. The problem has limited scope, as non-privileged
> users usually have no permissions to access SCSI device files.
        ^^^^^^^

The allocation will be zeroed if the user doesn't have the right capabilities:

       if (!capable(CAP_SYS_ADMIN) || !capable(CAP_SYS_RAWIO))
               gfp_mask |= __GFP_ZERO;

The justification for this as a security issue was that documentation guided users to chmod the sg device to be world writeable.  That isn't enough to cause a data leak.

I'd say this is not a security issue at all.  If you have CAP_SYS_ADMIN or CAP_SYS_RAWIO, it's game over already.

> http://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/
> ?id=a45b599ad808c3c982fdcdc12b0b8611c2f92824

And this patch was poorly done, IMO.  Here's the follow-up I sent upstream:
  http://marc.info/?l=linux-scsi&m=152933023515279&w=2
Comment 9 Vladis Dronov 2018-06-22 14:58:38 UTC 
(In reply to Jeff Moyer from comment #7)
> The justification for this as a security issue was that documentation guided
> users to chmod the sg device to be world writeable.  That isn't enough to
> cause a data leak.

Indeed, thank you Jeff for mentioning this. So a data leak is possible only when a user is granted CAP_SYS_ADMIN or CAP_SYS_RAWIO (not in the namespaces) and it is not root. Which makes an attack surface and a security impact quite small. We are going to adjust a security impact of this flaw to Low.
Comment 10 errata-xmlrpc 2018-10-30 09:01:54 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:2948 http://access.redhat.com/errata/RHSA-2018:2948
Note You need to log in before you can comment on or make changes to this bug.