Bug 1350811 (CVE-2016-5728)

Summary: CVE-2016-5728 kernel: Race condition vulnerability in VOP driver
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: agordeev, aquini, arm-mgr, bhu, carnil, dhoward, esammons, fhrbata, gansalmon, iboverma, itamar, jforbes, jkacur, joelsmith, jonathan, jross, jwboyer, kernel-maint, kernel-mgr, kstutsma, lgoncalv, lwang, madhu.chinakonda, matt, mchehab, mcressma, mguzik, nmurray, pholasek, plougher, pmatouse, rt-maint, rvrbovsk, slawomir, williams, wmealing
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: kernel 4.6.1 Doc Type: If docs needed, set a value
Doc Text:
Race condition vulnerability was found in drivers/misc/mic/vop/vop_vringh.c in the MIC VOP driver in the Linux kernel before 4.6.1. MIC VOP driver does two successive reads from user space to read a variable length data structure. Local user can obtain sensitive information from kernel memory or can cause DoS by corrupting kernel memory if the data structure changes between the two reads.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2016-09-26 08:16:07 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1350812, 1352820    
Bug Blocks: 1350814    
Attachments:
Description Flags
Backport of commit 9bf292bfca94694a721449e3fd752493856710f6 none

Description Adam Mariš 2016-06-28 13:01:39 UTC 
Race condition vulnerability was found in drivers/misc/mic/vop/vop_vringh.c in the MIC VOP driver in the Linux kernel before 4.6.1. MIC VOP driver does two successive reads from user space to read a variable length data structure. Local user can obtain sensitive information form kernel memory or can cause DoS by corrupting kernel memory if the data structure changes between the two reads.

Upstream patch:

https://github.com/torvalds/linux/commit/9bf292bfca94694a721449e3fd752493856710f6
Comment 1 Adam Mariš 2016-06-28 13:02:22 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1350812]
Comment 2 Josh Boyer 2016-06-28 13:51:44 UTC 
This one is slightly more complicated than it looks.  The VOP driver is "new" in the 4.6 kernel only in that the functionality was moved out of the host MIC driver into a new driver entirely with commit 61e9c905df78c253752971e200f0ac6d8667dda6.  Prior to that, the functionality was in the drivers/misc/mic/host/mic_virtio.c host driver, which was introduced with commit f69bcbf3b4c4 (v3.13).

If you look at versions of the kernel prior to 4.6, you will see the code sequence that is fixed by the mentioned upstream patch is still in the host driver in the mic_copy_dp_entry function.  That needs to be patched with a similar fix.
Comment 3 Josh Boyer 2016-06-28 14:04:31 UTC 
Created attachment 1173460 [details]
Backport of commit 9bf292bfca94694a721449e3fd752493856710f6

This is a backport of the above mentioned commit that applies to linux-4.4.y and linux-4.5.y
Comment 4 Fedora Update System 2016-06-30 21:24:35 UTC 
kernel-4.6.3-300.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
Comment 5 Fedora Update System 2016-07-02 19:25:11 UTC 
kernel-4.5.7-202.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Comment 6 Wade Mealing 2016-07-05 04:54:43 UTC 
Statement:

This issue does not affect the Linux kernels as shipped with Red Hat Enterprise Linux 4, 5, 6, 7 and Red Hat Enterprise MRG 2.