Is this /dev/sg security hole from 2.2.* already fixed?

Dr. Michael Weller (eowmob@exp-math.uni-essen.de)
Thu, 4 Apr 2002 00:21:58 +0200 (MESZ)


Sorry,

I probably should just check myself in recent 2.4.* kernels, but I don't
have one at hand on an SCSI capable machine.

Playing around with generic scsi on my 2.2.18 SCSI based Intel machine, I
noticed that if one reads a large allocated SCSI reply packet from the
/dev/sg device, but the physical scsi device did only use part of the
allocated reply space, then the remaining, unused bytes of the reply
packet are not initialized.

Typically they seem to contain data from other files (some no longer used
diskbuffers or so) [in my case: C-source of the same program].

In case of several accesses to /dev/sg device (same process or same
program run anew on a different /dev/sg device) the remaining bytes
often contained data of previously issued, longer generic scsi
transactions.

Esp. since AFAIK /dev/sg can be used by non-root users (given write access
to /dev/sg) and other peoples data might pop up in the uninitialized reply
packet, I consider this an (albeit difficult to exploit) security hole.

I assume such a simple problem must have been detected and solved already,
but I can't get a specific answer from any search machine or list archive.

Can someone please comment or try on recent kernels?

THX,
Michael.

--

Michael Weller: eowmob@exp-math.uni-essen.de, eowmob@ms.exp-math.uni-essen.de, or even mat42b@spi.power.uni-essen.de. If you encounter an eowmob account on any machine in the net, it's very likely it's me.

- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/