Vigil@nce - Linux kernel: integer overflow of SCSI sg_start_req
October 2015 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
A local attacker can generate an integer overflow in the SCSI
driver of the Linux kernel, in order to trigger a denial of
service, and possibly to run code.
– Impacted products: Debian, Linux, SUSE Linux Enterprise Desktop,
SLES, Ubuntu.
– Severity: 2/4.
– Creation date: 03/08/2015.
DESCRIPTION OF THE VULNERABILITY
The drivers/scsi/sg.c file of the Linux kernel implements the
generic SCSI driver.
However, if iov_count is too large, a multiplication overflows in
the sg_start_req() function, and the allocated memory area is too
short.
A local attacker can therefore generate an integer overflow in the
SCSI driver of the Linux kernel, in order to trigger a denial of
service, and possibly to run code.
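The class of bug described above, as an added example that is not the kernel's code and not part of the original bulletin: a size computed as count times element size wraps when the count is too large, and a bounded, overflow-checked computation rejects it. The struct, the function names, the 32-bit width of the unchecked product and the DEMO_MAX_IOV cap are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed 16-byte stand-in for one scatter-gather element. */
struct demo_iovec {
    uint64_t base;
    uint64_t len;
};

/* Assumed cap on the element count; the value is illustrative. */
#define DEMO_MAX_IOV 1024u

/* Unchecked pattern: the product is kept in 32 bits, so it wraps
 * modulo 2^32 (unsigned is used so the wrap is well defined in C). */
static uint32_t unchecked_size(uint32_t count)
{
    return count * (uint32_t)sizeof(struct demo_iovec);
}

/* Bytes that "count" elements really occupy, computed in 64 bits. */
static uint64_t required_size(uint32_t count)
{
    return (uint64_t)count * sizeof(struct demo_iovec);
}

/* Checked pattern: bound the count and test for overflow before
 * multiplying. Returns the size in bytes, or 0 if rejected. */
static size_t checked_size(uint32_t count)
{
    if (count == 0 || count > DEMO_MAX_IOV)
        return 0;
    if ((size_t)count > SIZE_MAX / sizeof(struct demo_iovec))
        return 0;
    return (size_t)count * sizeof(struct demo_iovec);
}

int main(void)
{
    uint32_t count = 0x10000001u; /* constructed oversized count */

    printf("unchecked: %u bytes allocated, %llu needed\n",
           (unsigned)unchecked_size(count),
           (unsigned long long)required_size(count));
    printf("checked:   %zu (0 means rejected)\n", checked_size(count));
    printf("checked:   %zu bytes for 4 elements\n", checked_size(4));
    return 0;
}
```

The gap between the unchecked size and the required size is the undersized allocation the bulletin refers to; the checked variant refuses the request before any memory is allocated.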
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-integer-overflow-of-SCSI-sg-start-req-17576