CVE-2017-12190

kernel: memory leak when merging buffers in SCSI IO vectors

Severity Score

6.5

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

The bio_map_user_iov and bio_unmap_user functions in block/bio.c in the Linux kernel before 4.13.8 do unbalanced refcounting when a SCSI I/O vector has small consecutive buffers belonging to the same page. The bio_add_pc_page function merges them into one, but the page reference is never dropped. This causes a memory leak and possible system lockup (exploitable against the host OS by a guest OS user, if a SCSI disk is passed through to a virtual machine) due to an out-of-memory condition.

Las funciones bio_map_user_iov y bio_unmap_user en block/bio.c en el kernel de Linux en versiones anteriores a la 4.13.8 realizan un refcount no equilibrado cuando un vector SCSI I/O tiene búferes pequeños consecutivos que pertenecen a la misma página. La función bio_add_pc_page los combina en uno solo, pero la referencia de la página nunca se anula. Esto provoca una fuga de memoria y un posible bloqueo del sistema (explotable contra el host del sistema operativo por un usuario invitado del sistema operativo, si se pasa un disco SCSI a una máquina virtual) debido a una condición de falta de memoria.

It was found that in the Linux kernel through v4.14-rc5, bio_map_user_iov() and bio_unmap_user() in 'block/bio.c' do unbalanced pages refcounting if IO vector has small consecutive buffers belonging to the same page. bio_add_pc_page() merges them into one, but the page reference is never dropped, causing a memory leak and possible system lockup due to out-of-memory condition.

It was discovered that an out-of-bounds write vulnerability existed in the Flash-Friendly File System in the Linux kernel. An attacker could construct a malicious file system that, when mounted, could cause a denial of service or possibly execute arbitrary code. It was discovered that a race condition leading to a use-after-free vulnerability existed in the ALSA PCM subsystem of the Linux kernel. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. Various other issues were also addressed.

*Credits: N/A

CVSS Scores

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Adjacent

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Changed

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Local

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

None

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2017-08-01 CVE Reserved
2017-11-22 CVE Published
2024-08-05 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-400: Uncontrolled Resource Consumption
CWE-772: Missing Release of Resource after Effective Lifetime

CAPEC

References (21)

URL	Tag	Source
http://seclists.org/oss-sec/2017/q4/52	Issue Tracking
http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.13.8	Issue Tracking
http://www.securityfocus.com/bid/101911	Issue Tracking
https://lists.debian.org/debian-lts-announce/2017/12/msg00004.html	Mailing List
https://support.f5.com/csp/article/K93472064?utm_source=f5support&amp%3Butm_medium=RSS	X_refsource_confirm

URL	Date	SRC

URL	Date	SRC
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=2b04e8f6bbb196cab4b232af0f8d48ff2c7a8058	2023-02-12
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=95d78c28b5a85bacbc29b8dba7c04babb9b0d467	2023-02-12
https://bugzilla.redhat.com/show_bug.cgi?id=1495089	2019-05-14
https://github.com/torvalds/linux/commit/2b04e8f6bbb196cab4b232af0f8d48ff2c7a8058	2023-02-12
https://github.com/torvalds/linux/commit/95d78c28b5a85bacbc29b8dba7c04babb9b0d467	2023-02-12

URL	Date	SRC
https://access.redhat.com/errata/RHSA-2018:0654	2023-02-12
https://access.redhat.com/errata/RHSA-2018:0676	2023-02-12
https://access.redhat.com/errata/RHSA-2018:1062	2023-02-12
https://access.redhat.com/errata/RHSA-2018:1854	2023-02-12
https://access.redhat.com/errata/RHSA-2019:1170	2023-02-12
https://access.redhat.com/errata/RHSA-2019:1190	2023-02-12
https://usn.ubuntu.com/3582-1	2023-02-12
https://usn.ubuntu.com/3582-2	2023-02-12
https://usn.ubuntu.com/3583-1	2023-02-12
https://usn.ubuntu.com/3583-2	2023-02-12
https://access.redhat.com/security/cve/CVE-2017-12190	2019-05-14

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				<= 4.13.7 Search vendor "Linux" for product "Linux Kernel" and version " <= 4.13.7"		-		Affected