Vigil@nce: Linux kernel, denial of service via SG_IO
December 2008 by Vigil@nce
SYNTHESIS
A local attacker can generate a temporary denial of service in
libATA.
Gravity: 1/4
Consequences: denial of service of computer
Provenance: physical access
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 24/12/2008
IMPACTED PRODUCTS
– Linux kernel
DESCRIPTION
The libATA library manages transfers via IDE, SATA or SCSI.
The SG_IO ioctl sends a command to the device. For example
(simplified):
sg_io.cmd_len = sizeof(cmd);      /* length of the CDB */
sg_io.cmdp = (void *)&cmd;        /* the command bytes */
sg_io.timeout = 5000;             /* ms */
ioctl(fd, SG_IO, &sg_io);
To use this ioctl, the user must have access rights to /dev/sg*.
The timeout field sets how long the kernel waits for the command to
complete before resetting the device, and that reset can take several
seconds.
An attacker with access to /dev/sg* can therefore use a short timeout,
causing a denial of service of several seconds. An attacker with
physical access can also disrupt the CD-ROM drive so that the timeout
expires, with the same effect.
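As an added check, not part of the Vigil@nce advisory, the following POSIX shell script walks the /dev/sg* nodes and flags those whose permissions let users outside the expected groups reach SG_IO. It assumes GNU stat and getent are available and that "disk" and "cdrom" are the only groups that should open these devices (an assumption, adjust ALLOWED_GROUPS for the host).

```shell
#!/bin/sh
# Added audit helper (not advisory code): reports /dev/sg* nodes that users
# outside root and ALLOWED_GROUPS could open, i.e. who could issue SG_IO.
# Assumed policy: only "disk" and "cdrom" legitimately open SCSI generic nodes.
ALLOWED_GROUPS="disk cdrom"

# sg_risk MODE OWNER GROUP  (MODE as printed by `stat -c %a`, e.g. 660)
# Prints "ok" and returns 0 if only root and an allowed group can open the
# node; otherwise prints the reason and returns 1.
sg_risk() {
    mode=$(printf '%04d' "$1") owner=$2 group=$3
    others=${mode#"${mode%?}"}          # last octal digit: world bits
    rest=${mode%?}
    grp=${rest#"${rest%?}"}             # second-to-last digit: group bits
    if [ "$others" != 0 ]; then
        echo "world-accessible (mode $mode)"; return 1
    fi
    if [ "$owner" != root ]; then
        echo "owned by $owner, not root"; return 1
    fi
    if [ "$grp" != 0 ]; then
        case " $ALLOWED_GROUPS " in
            *" $group "*) ;;
            *) echo "group $group can open it (mode $mode)"; return 1 ;;
        esac
    fi
    echo ok
}

# audit_sg_nodes: check every real /dev/sg* node; returns 1 if any is exposed.
audit_sg_nodes() {
    status=0
    for dev in /dev/sg*; do
        [ -e "$dev" ] || continue       # glob matched nothing
        set -- $(stat -c '%a %U %G' "$dev")
        if verdict=$(sg_risk "$1" "$2" "$3"); then
            printf '%s: %s\n' "$dev" "$verdict"
        else
            printf '%s: EXPOSED: %s\n' "$dev" "$verdict"; status=1
        fi
        # Members of the owning group can also reach SG_IO; list them for review.
        printf '  members of %s: %s\n' "$3" "$(getent group "$3" | cut -d: -f4)"
    done
    return $status
}

audit_sg_nodes
```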
CHARACTERISTICS
Identifiers: 474495, CVE-2008-5700, VIGILANCE-VUL-8356