CVE-2016-10088
Publication date 30 December 2016
Last updated 24 July 2024
Ubuntu priority
The sg implementation in the Linux kernel through 4.9 does not properly restrict write operations in situations where the KERNEL_DS option is set, which allows local users to read or write to arbitrary kernel memory locations or cause a denial of service (use-after-free) by leveraging access to a /dev/sg device, related to block/bsg.c and drivers/scsi/sg.c. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-9576.
From the Ubuntu Security Team
It was discovered that the generic SCSI block layer in the Linux kernel did not properly restrict write operations in certain situations. A local attacker could use this to cause a denial of service (system crash) or possibly gain administrative privileges.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| linux | ||
| 16.04 LTS xenial |
Fixed 4.4.0-63.84
|
|
| 14.04 LTS trusty |
Fixed 3.13.0-125.174
|
|
| linux-armadaxp | ||
| 16.04 LTS xenial | Not in release | |
| 14.04 LTS trusty | Not in release | |
| linux-aws | ||
| 16.04 LTS xenial |
Fixed 4.4.0-1003.12
|
|
| 14.04 LTS trusty |
Not affected
|
|
| linux-azure | ||
| 16.04 LTS xenial |
Not affected
|
|
| 14.04 LTS trusty |
Not affected
|
|
| linux-euclid | ||
| 16.04 LTS xenial | Ignored was needed ESM criteria | |
| 14.04 LTS trusty | Not in release | |
| linux-flo | ||
| 16.04 LTS xenial | Ignored abandoned | |
| 14.04 LTS trusty | Not in release | |
| linux-gcp | ||
| 16.04 LTS xenial |
Not affected
|
|
| 14.04 LTS trusty | Not in release | |
| linux-gke | ||
| 16.04 LTS xenial |
Not affected
|
|
| 14.04 LTS trusty | Not in release | |
| linux-goldfish | ||
| 16.04 LTS xenial | Ignored abandoned | |
| 14.04 LTS trusty | Not in release | |
| linux-grouper | ||
| 16.04 LTS xenial | Not in release | |
| 14.04 LTS trusty | Not in release | |
| linux-hwe | ||
| 16.04 LTS xenial |
Fixed 4.8.0-39.42~16.04.1
|
|
| 14.04 LTS trusty | Not in release | |
| linux-hwe-edge | ||
| 16.04 LTS xenial |
Fixed 4.8.0-39.42~16.04.1
|
|
| 14.04 LTS trusty | Not in release | |
| linux-kvm | ||
| 16.04 LTS xenial |
Not affected
|
|
| 14.04 LTS trusty | Not in release | |
| linux-linaro-omap | ||
| 16.04 LTS xenial | Not in release | |
| 14.04 LTS trusty | Not in release | |
| linux-linaro-shared | ||
| 16.04 LTS xenial | Not in release | |
| 14.04 LTS trusty | Not in release | |
| linux-linaro-vexpress | ||
| 16.04 LTS xenial | Not in release | |
| 14.04 LTS trusty | Not in release | |
| linux-lts-quantal | ||
| 16.04 LTS xenial | Not in release | |
| 14.04 LTS trusty | Not in release | |
| linux-lts-raring | ||
| 16.04 LTS xenial | Not in release | |
| 14.04 LTS trusty | Not in release | |
| linux-lts-saucy | ||
| 16.04 LTS xenial | Not in release | |
| 14.04 LTS trusty | Not in release | |
| linux-lts-trusty | ||
| 16.04 LTS xenial | Not in release | |
| 14.04 LTS trusty | Not in release | |
| linux-lts-utopic | ||
| 16.04 LTS xenial | Not in release | |
| 14.04 LTS trusty | Not in release | |
| linux-lts-vivid | ||
| 16.04 LTS xenial | Not in release | |
| 14.04 LTS trusty | Ignored end of life, was needed | |
| linux-lts-wily | ||
| 16.04 LTS xenial | Not in release | |
| 14.04 LTS trusty | Not in release | |
| linux-lts-xenial | ||
| 16.04 LTS xenial | Not in release | |
| 14.04 LTS trusty |
Fixed 4.4.0-63.84~14.04.2
|
|
| linux-maguro | ||
| 16.04 LTS xenial | Not in release | |
| 14.04 LTS trusty | Not in release | |
| linux-mako | ||
| 16.04 LTS xenial | Ignored abandoned | |
| 14.04 LTS trusty | Not in release | |
| linux-manta | ||
| 16.04 LTS xenial | Not in release | |
| 14.04 LTS trusty | Not in release | |
| linux-oem | ||
| 16.04 LTS xenial |
Not affected
|
|
| 14.04 LTS trusty | Not in release | |
| linux-qcm-msm | ||
| 16.04 LTS xenial | Not in release | |
| 14.04 LTS trusty | Not in release | |
| linux-raspi2 | ||
| 16.04 LTS xenial |
Fixed 4.4.0-1044.51
|
|
| 14.04 LTS trusty | Not in release | |
| linux-snapdragon | ||
| 16.04 LTS xenial |
Fixed 4.4.0-1047.51
|
|
| 14.04 LTS trusty | Not in release | |
| linux-ti-omap4 | ||
| 16.04 LTS xenial | Not in release | |
| 14.04 LTS trusty | Not in release | |
Notes
jdstrand
android kernels (flo, goldfish, grouper, maguro, mako and manta) are not supported on the Ubuntu Touch 14.10 and earlier preview kernels linux-lts-saucy no longer receives official support linux-lts-quantal no longer receives official support
sbeattie
attack requires access to /dev/sg or other block scsi devices.
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
7.0 · High
|
| Attack vector | Local |
| Attack complexity | High |
| Privileges required | Low |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
References
Related Ubuntu Security Notices (USN)
- USN-3208-1
- Linux kernel vulnerabilities
- 22 February 2017
- USN-3208-2
- Linux kernel (Xenial HWE) vulnerabilities
- 22 February 2017
- USN-3209-1
- Linux kernel vulnerabilities
- 22 February 2017
- USN-3360-1
- Linux kernel vulnerabilities
- 21 July 2017
- USN-3360-2
- Linux kernel (Trusty HWE) vulnerabilities
- 21 July 2017
Other references
- http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=128394eff343fc6d2f32172f03e24829539c5835
- http://www.openwall.com/lists/oss-security/2016/12/30/1
- https://github.com/torvalds/linux/commit/128394eff343fc6d2f32172f03e24829539c5835
- https://www.cve.org/CVERecord?id=CVE-2016-10088