The sg implementation in the Linux kernel through 4.9 does not properly restrict write operations in situations where the KERNEL_DS option is set, which allows local users to read or write to arbitrary kernel memory locations or cause a denial of service (use-after-free) by leveraging access to a /dev/sg device, related to block/bsg.c and drivers/scsi/sg.c. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-9576.
Local privilege escalation is possible due to a flaw in the Linux kernel's SCSI generic (sg) implementation. An attacker with local access to a /dev/sg device can potentially read and write arbitrary kernel memory, leading to system compromise, or trigger a use-after-free that results in a denial-of-service condition.
Step 1: Access the /dev/sg Device: The attacker must have local access to the target system and be able to open a /dev/sg device node. This typically requires a user account with the appropriate device permissions, or the ability to escalate privileges far enough to gain access to the device.
Step 2: Craft Malicious SCSI Commands: The attacker crafts a series of malicious SCSI commands designed to exploit the flaw in the sg implementation.
Step 3: Send Commands to /dev/sg: The crafted SCSI commands are sent to the /dev/sg device, typically from a user-space program that interacts with the device.
Step 4: Kernel Memory Corruption: The vulnerable kernel code processes the malicious SCSI commands. Because write operations are not properly restricted while KERNEL_DS is set, the commands can overwrite kernel memory, potentially leading to a use-after-free condition.
Step 5: Exploit Execution (Read/Write/DoS): Depending on the crafted commands and the specific memory locations overwritten, the attacker can achieve different outcomes: reading sensitive kernel data, writing arbitrary data to kernel memory (potentially leading to code execution), or causing a denial of service (DoS) by crashing the kernel.
The vulnerability stems from an incomplete fix for CVE-2016-9576. The sg implementation, specifically within block/bsg.c and drivers/scsi/sg.c, fails to properly restrict write operations when the KERNEL_DS option is enabled. A user-space process with access to a /dev/sg device can therefore craft SCSI commands that, for lack of proper bounds checking or access control on the write path, overwrite kernel memory. This memory corruption can produce a use-after-free condition, in which memory is freed and then accessed again, leading to potential code execution or system instability. The incomplete fix likely missed a specific code path or condition under which the write restrictions could be bypassed, leaving the flaw exploitable. The vulnerability is triggered by sending crafted SCSI commands through the /dev/sg device, which then interact with the kernel's SCSI subsystem in an unsafe manner.
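As an added defensive check (not part of the advisory above), the following Python script reports the two preconditions the description relies on: a kernel release in the affected range ("through 4.9") and /dev/sg* nodes that a non-root user could open. The version test is a heuristic, since distributions backport fixes without changing the release string; the node-permission rules are this example's own assumptions.

```python
"""Audit helpers for the sg/KERNEL_DS write-restriction issue.

Flags kernels whose major.minor is <= 4.9 and /dev/sg* character devices
that non-root users can open read+write. Heuristic only: vendor kernels
backport patches without bumping the version, so a hit means "verify",
not "vulnerable".
"""
import os
import re
import stat

AFFECTED_THROUGH = (4, 9)  # "through 4.9" in the description above


def parse_release(release):
    """Return (major, minor) from a uname -r string like '4.4.0-57-generic'."""
    m = re.match(r"(\d+)\.(\d+)", release)
    if not m:
        raise ValueError("unparseable kernel release: %r" % release)
    return int(m.group(1)), int(m.group(2))


def kernel_in_affected_range(release):
    """True when major.minor is at or below 4.9 (version heuristic)."""
    return parse_release(release) <= AFFECTED_THROUGH


def exposed_sg_nodes(entries):
    """entries: iterable of (path, st_mode, st_uid, st_gid) tuples.

    Returns {path: reason} for character devices that are world read+write,
    or group read+write with a non-root group (assumed policy: such groups
    should be reviewed, since they grant the access the advisory requires).
    """
    exposed = {}
    for path, mode, uid, gid in entries:
        if not stat.S_ISCHR(mode):
            continue  # only device nodes matter here
        if mode & stat.S_IROTH and mode & stat.S_IWOTH:
            exposed[path] = "world"
        elif gid != 0 and mode & stat.S_IRGRP and mode & stat.S_IWGRP:
            exposed[path] = "group gid=%d" % gid
    return exposed


def scan_dev(devdir="/dev"):
    """Collect live sg nodes from devdir (empty list when there are none)."""
    entries = []
    for name in (os.listdir(devdir) if os.path.isdir(devdir) else []):
        if re.fullmatch(r"sg\d+", name):
            path = os.path.join(devdir, name)
            st = os.stat(path)
            entries.append((path, st.st_mode, st.st_uid, st.st_gid))
    return entries


if __name__ == "__main__":
    rel = os.uname().release
    print("kernel %s in affected range: %s" % (rel, kernel_in_affected_range(rel)))
    for path, why in exposed_sg_nodes(scan_dev()).items():
        print("sg node accessible to non-root users (%s): %s" % (why, path))
```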