Double-fetch vulnerability was found in /drivers/platform/chrome/cros_ec_dev.c in the Chrome driver in the Linux kernel before 4.6.1.
In function ec_device_ioctl_xcmd(), the driver fetches user space data by pointer arg via copy_from_user(), and this happens twice at line 137 and line 145 respectively.
Created kernel tracking bugs for this issue:
Affects: fedora-all [bug 1353491]
kernel-4.6.4-201.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
kernel-4.6.4-301.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
This issue does not affect Red Hat Enterprise Linux products as they have not included this feature in any shipping products.