Bug 1353490 (CVE-2016-6156)

Summary: CVE-2016-6156 kernel: Race condition vulnerability in Chrome driver
Product: [Other] Security Response
Reporter: Andrej Nemec <anemec>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: aquini, bhu, carnil, dhoward, fhrbata, gansalmon, iboverma, itamar, jforbes, jkacur, joelsmith, jonathan, jross, jwboyer, kernel-maint, kernel-mgr, kstutsma, lgoncalv, madhu.chinakonda, mchehab, mcressma, nmurray, rt-maint, rvrbovsk, slawomir, williams, wmealing
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A timing flaw was found in the Chrome EC driver in the Linux kernel. An attacker could abuse timing to skip validation checks and copy additional data from userspace, possibly increasing privilege or crashing the system.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-10-21 00:53:55 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1353491, 1362383, 1362384
Bug Blocks: 1353492

Description Andrej Nemec 2016-07-07 09:26:00 UTC
A double-fetch vulnerability was found in /drivers/platform/chrome/cros_ec_dev.c in the Chrome driver in the Linux kernel before 4.6.1.

In function ec_device_ioctl_xcmd(), the driver fetches user space data by pointer arg via copy_from_user(), and this happens twice, at line 137 and line 145 respectively.

Upstream bug:

https://bugzilla.kernel.org/show_bug.cgi?id=120131

Upstream patch:

https://github.com/torvalds/linux/commit/096cdc6f52225835ff503f987a0d68ef770bb78e

Bugtraq post:

http://seclists.org/bugtraq/2016/Jul/20
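
The double fetch described above, as an added user-space model (example code, not the kernel's driver or the upstream patch): the command header is copied twice from simulated user memory, with a hook standing in for a concurrent writer between the two copies, and the hardened variant rejects the request when the second copy disagrees with the validated first one. The names (`ec_cmd_hdr`, `MAX_MSG_BYTES`, `run_scenario`) and the 256-byte limit are assumptions made for the model.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_MSG_BYTES 256   /* assumed stand-in for the driver's size limit */
struct ec_cmd_hdr { uint32_t outsize; uint32_t insize; };
/* Simulated user memory, plus an optional hook that runs between the two
 * fetches and stands in for a concurrent user-space writer. */
static unsigned char user_buf[sizeof(struct ec_cmd_hdr) + 4096];
static void (*between_fetches)(void);
/* Models copy_from_user(): copy the command header out of "user" memory. */
static void fetch_hdr(struct ec_cmd_hdr *dst) { memcpy(dst, user_buf, sizeof *dst); }

static void set_user_cmd(uint32_t outsize, uint32_t insize)
{
    struct ec_cmd_hdr h = { outsize, insize };
    memcpy(user_buf, &h, sizeof h);
}

/* Returns the payload length the driver would go on to copy, or -1 if rejected. */
static long ioctl_xcmd(int hardened)
{
    struct ec_cmd_hdr first, second;
    fetch_hdr(&first);                                    /* fetch #1 */
    if (first.outsize > MAX_MSG_BYTES || first.insize > MAX_MSG_BYTES)
        return -1;                                        /* bounds check on fetch #1 only */
    if (between_fetches) between_fetches();               /* the race window */
    fetch_hdr(&second);                                   /* fetch #2 of the same header */
    if (hardened && (second.outsize != first.outsize || second.insize != first.insize))
        return -1;                                        /* re-validate: a changed header is rejected */
    return (long)second.outsize;                          /* unhardened path trusts fetch #2 */
}

/* Writer that enlarges the header after the check; stands in for another thread. */
static void grow_after_check(void) { set_user_cmd(MAX_MSG_BYTES * 4, 0); }

/* One scenario: a 16-byte command, optionally rewritten between the fetches. */
long run_scenario(int hardened, int race)
{
    set_user_cmd(16, 0);
    between_fetches = race ? grow_after_check : NULL;
    return ioctl_xcmd(hardened);
}

int main(void)
{
    printf("no race:        unhardened=%ld hardened=%ld\n", run_scenario(0, 0), run_scenario(1, 0));
    printf("header changed: unhardened=%ld hardened=%ld\n", run_scenario(0, 1), run_scenario(1, 1));
    return 0;
}
```

The unhardened path reports 1024 bytes once the header is rewritten, four times the limit it checked a moment earlier; the hardened path returns -1 for the same input.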

Comment 1 Andrej Nemec 2016-07-07 09:26:51 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1353491]

Comment 2 Fedora Update System 2016-07-19 22:19:40 UTC
kernel-4.6.4-201.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 3 Fedora Update System 2016-07-20 00:22:19 UTC
kernel-4.6.4-301.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 4 Wade Mealing 2016-08-01 10:01:16 UTC
Statement:

This issue does not affect Red Hat Enterprise Linux products as they have not included this feature in any shipping products.