Bug 1353533 (CVE-2016-6136)

Summary: CVE-2016-6136 kernel: Race condition vulnerability in execve argv arguments
Product: [Other] Security Response Reporter: Andrej Nemec <anemec>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aquini, arm-mgr, bhu, dhoward, fhrbata, gansalmon, iboverma, itamar, jforbes, jkacur, joelsmith, jonathan, jross, jwboyer, kernel-maint, kernel-mgr, kstutsma, lgoncalv, madhu.chinakonda, matt, mchehab, mcressma, nmurray, plougher, rbriggs, rt-maint, rvrbovsk, security-response-team, slawomir, vdronov, williams, wmealing, yozone
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
When creating audit records for parameters to executed children processes, an attacker can convince the Linux kernel audit subsystem can create corrupt records which may allow an attacker to misrepresent or evade logging of executing commands.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 02:56:07 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1353534, 1359302, 1359304, 1359305, 1359306, 1359307, 1359308, 1376279, 1376280, 1376281    
Bug Blocks: 1353535    

Description Andrej Nemec 2016-07-07 11:56:37 UTC 
In function audit_log_single_execve_arg(), the whole argument is fetched from user space twice via copy_from_user(). In the first loop, it is firstly fetched (line 1038) to verify, aka looking for non-ascii chars. While in the second loop, the whole argument is fetched again (line 1105) from user space and used at line 1121 and line 1123 respectively depends on the previous verification.

Upstream bug:

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6136
https://bugzilla.kernel.org/show_bug.cgi?id=120681
https://github.com/linux-audit/audit-kernel/issues/18
https://www.redhat.com/archives/linux-audit/2016-June/msg00029.html

Upstream patch:

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=43761473c254b45883a64441dd0bc85a42f3645c
Comment 1 Andrej Nemec 2016-07-07 11:57:34 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1353534]
Comment 2 Josh Boyer 2016-07-07 12:17:05 UTC 
(In reply to Andrej Nemec from comment #0)
> Upstream patch:
> 
> https://github.com/linux-audit/audit-kernel/issues/18

I don't actually see a patch there.  That's an issue, which is the equivalent of this bug.

Paul, I'm guessing a patch is in the works?
Comment 3 Andrej Nemec 2016-07-07 12:26:12 UTC 
(In reply to Josh Boyer from comment #2)
> (In reply to Andrej Nemec from comment #0)
> > Upstream patch:
> > 
> > https://github.com/linux-audit/audit-kernel/issues/18
> 
> I don't actually see a patch there.  That's an issue, which is the
> equivalent of this bug.
> 
> Paul, I'm guessing a patch is in the works?

My bad, that should have been listed as an upstream issue. I checked git and this particular patch is not there yet imo.
Comment 4 Paul Moore 2016-07-07 13:39:38 UTC 
(In reply to Josh Boyer from comment #2)
> Paul, I'm guessing a patch is in the works?

It is on my radar but I haven't gotten to it yet.  Now that there is a CVE for it, I'll bump it up in terms of priority; I'll take a closer look at it later this afternoon.
Comment 15 Fedora Update System 2016-08-08 20:24:37 UTC 
kernel-4.6.5-300.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
Comment 16 Fedora Update System 2016-08-08 23:51:52 UTC 
kernel-4.6.5-200.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Comment 17 Wade Mealing 2016-08-10 02:18:08 UTC 
Statement:

This issue affects the Linux kernel packages as shipped with Red Hat Enterprise Linux 5, 6 and 7. This has been rated as having Moderate security impact and is  planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.

This issue affects the Linux kernel packages as shipped with Red Hat Enterprise Linux 7 and MRG-2. Future Linux kernel updates for the respective releases may address this issue.
Comment 23 errata-xmlrpc 2016-11-03 17:04:34 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2574 https://rhn.redhat.com/errata/RHSA-2016-2574.html
Comment 24 errata-xmlrpc 2016-11-03 19:54:16 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2584 https://rhn.redhat.com/errata/RHSA-2016-2584.html
Comment 25 errata-xmlrpc 2016-11-03 21:36:38 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2574 https://rhn.redhat.com/errata/RHSA-2016-2574.html
Comment 26 errata-xmlrpc 2016-11-03 21:44:17 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2584 https://rhn.redhat.com/errata/RHSA-2016-2584.html
Comment 27 errata-xmlrpc 2017-02-23 17:39:44 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2017:0307 https://rhn.redhat.com/errata/RHSA-2017-0307.html