PT-2017-12394 · Linux+5 · Linux Kernel+5

Vitaly Mayatskikh

·

Published

2017-10-12

·

Updated

2023-02-12

·

CVE-2017-12190

CVSS v3.1

6.5

Medium

VectorAV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions Linux kernel versions prior to 4.13.8
Description The issue is related to unbalanced refcounting in the Linux kernel when handling SCSI I/O vectors with small consecutive buffers belonging to the same page. This occurs because the bio add pc page function merges these buffers into one, but the page reference is never dropped, leading to a memory leak. The memory leak can cause a system lockup due to an out-of-memory condition, which can be exploited by a guest OS user against the host OS if a SCSI disk is passed through to a virtual machine.
Recommendations For Linux kernel versions prior to 4.13.8, update to version 4.13.8 or later to resolve the issue. As a temporary workaround, consider restricting the use of SCSI disks in virtual machines to minimize the risk of exploitation.

Fix

Missing Release of Resource after Effective Lifetime

Resource Exhaustion

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-772CWE-400

Related Identifiers

ALT-PU-2017-2467
ALT-PU-2018-1991
CESA-2018_1062
CESA-2018_1854
CVE-2017-12190
DLA-1200-1
MGASA-2017-0463
MGASA-2017-0466
MGASA-2017-0467
MGASA-2018-0062
MGASA-2018-0063
MGASA-2018-0064
RHSA-2018:0654
RHSA-2018:0676
RHSA-2018:1062
RHSA-2018:1854
RHSA-2018_0676
RHSA-2018_1062
RHSA-2018_1854
RHSA-2019:1170
RHSA-2019:1190
SUSE-SU-2018:0834-1
SUSE-SU-2018:0848-1
SUSE-SU-2018:1080-1
SUSE-SU-2018:1172-1
SUSE-SU-2018:1309-1
USN-3487-1
USN-3582-1
USN-3582-2
USN-3583-1
USN-3583-2

Affected Products

Alt Linux
Centos
Linux Kernel
Red Hat
Suse
Ubuntu