Race condition vulnerability was found in drivers/misc/mic/vop/vop_vringh.c in the MIC VOP driver in the Linux kernel before 4.6.1. MIC VOP driver does two successive reads from user space to read a variable length data structure. Local user can obtain sensitive information form kernel memory or can cause DoS by corrupting kernel memory if the data structure changes between the two reads. Upstream patch: https://github.com/torvalds/linux/commit/9bf292bfca94694a721449e3fd752493856710f6
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1350812]
This one is slightly more complicated than it looks. The VOP driver is "new" in the 4.6 kernel only in that the functionality was moved out of the host MIC driver into a new driver entirely with commit 61e9c905df78c253752971e200f0ac6d8667dda6. Prior to that, the functionality was in the drivers/misc/mic/host/mic_virtio.c host driver, which was introduced with commit f69bcbf3b4c4 (v3.13). If you look at versions of the kernel prior to 4.6, you will see the code sequence that is fixed by the mentioned upstream patch is still in the host driver in the mic_copy_dp_entry function. That needs to be patched with a similar fix.
Created attachment 1173460 [details] Backport of commit 9bf292bfca94694a721449e3fd752493856710f6 This is a backport of the above mentioned commit that applies to linux-4.4.y and linux-4.5.y
kernel-4.6.3-300.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
kernel-4.5.7-202.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Statement: This issue does not affect the Linux kernels as shipped with Red Hat Enterprise Linux 4, 5, 6, 7 and Red Hat Enterprise MRG 2.