PT-2018-9372 · Linux+3 · Linux Kernel+3
Syzbot · Published 2018-04-06 · Updated 2025-12-21 · CVE-2018-1000204
CVSS v2.0: 6.3 (Medium)
Vector: AV:N/AC:M/Au:S/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Linux Kernel versions 3.18 through 4.16
Description: The Linux Kernel incorrectly handles an SG_IO ioctl on /dev/sg0 with dxfer_direction=SG_DXFER_FROM_DEV and an empty 6-byte cmdp. This may lead to copying up to 1000 kernel heap pages to userspace. The problem has limited scope, as users don't usually have permissions to access SCSI devices. However, some user manuals, like the Nero user manual, suggest making the devices accessible by doing chmod o+r+w /dev/sg*. Third parties dispute the relevance of this report, noting that the requirement for an attacker to have both the CAP_SYS_ADMIN and CAP_SYS_RAWIO capabilities makes it "virtually impossible to exploit."
Recommendations: For Linux Kernel versions 3.18 through 4.16, consider updating to a version where this issue has been fixed upstream, as mentioned in the commit https://github.com/torvalds/linux/commit/a45b599ad808c3c982fdcdc12b0b8611c2f92824. As a temporary workaround, consider restricting access to the /dev/sg0 device to minimize the risk of exploitation. Avoid using dxfer_direction=SG_DXFER_FROM_DEV with an empty 6-byte cmdp in the SG_IO ioctl on /dev/sg0 until the issue is resolved.
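The workaround above hinges on who can open the generic SCSI nodes, and the description notes that some vendor manuals tell users to run chmod o+r+w /dev/sg*. The following shell script is an added example, not part of this advisory entry or of any distribution's tooling: it audits a directory for sg* nodes whose "other" permission bits are set and offers a helper that removes them. It assumes GNU coreutils stat (for the -c format) and the usual /dev/sg* naming; the directory and glob are parameters so the check can be exercised against a scratch directory.

```shell
# Added example (not from the PT-2018-9372 entry): audit device nodes for
# world-accessible permission bits, the exposure created by "chmod o+r+w /dev/sg*".
# Assumes GNU stat (-c '%a' prints the octal mode) and /dev/sg* naming.

# Return 0 if the octal mode string (e.g. 660, 0666, 4755) has any "other"
# bit set, i.e. its last octal digit is non-zero.
world_accessible() {
    mode="$1"
    other="${mode#"${mode%?}"}"   # POSIX: keep only the last character
    [ "$other" != "0" ]
}

# Print "<path> <mode>" for each matching node that is world-accessible.
# Usage: audit_sg_nodes [dir] [glob]   (defaults: /dev and sg*)
# Returns 0 when no node is world-accessible, 1 when at least one is.
audit_sg_nodes() {
    dir="${1:-/dev}"
    pattern="${2:-sg*}"
    found=0
    for path in "$dir"/$pattern; do
        [ -e "$path" ] || continue          # glob matched nothing
        mode="$(stat -c '%a' "$path")"
        if world_accessible "$mode"; then
            printf '%s %s\n' "$path" "$mode"
            found=1
        fi
    done
    return "$found"
}

# Mitigation for a hit: drop the "other" bits so only root and the node's
# group (typically "disk" or "cdrom") can open it.
restrict_node() {
    chmod o-rwx "$1"
}
```

Run audit_sg_nodes with no arguments on a host to list exposed /dev/sg* nodes; a non-zero exit status makes it usable as a compliance check in a cron job or configuration-management run. Note that restricting the node does not change the kernel behaviour described in the advisory; only the upstream fix does that.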


Related Identifiers

ALT-PU-2018-1557
ALT-PU-2019-1433
CVE-2018-1000204
DLA-1422-1
DLA-1422-2
DLA-1423-1
OPENSUSE-SU-2018_2119-1
OPENSUSE-SU-2019_1407-1
RHSA-2018:2948
SUSE-SU-2018:1761-1
SUSE-SU-2018:1762-1
SUSE-SU-2018:1855-1
SUSE-SU-2018:1855-2
SUSE-SU-2018:2092-1
SUSE-SU-2018:2332-1
SUSE-SU-2018:2366-1
SUSE-SU-2018:2637-1
SUSE-SU-2019:1245-1
SUSE-SU-2019_1245-1
USN-3696-1
USN-3696-2
USN-3752-1
USN-3752-2
USN-3752-3
USN-3754-1

Affected Products

Alt Linux
Linux Kernel
Suse
Ubuntu