A double-fetch vulnerability was found in /drivers/platform/chrome/cros_ec_dev.c in the Chrome driver in the Linux kernel before 4.6.1. In function ec_device_ioctl_xcmd(), the driver fetches user space data by pointer arg via copy_from_user(), and this happens twice at line 137 and line 145 respectively.

Upstream bug:
https://bugzilla.kernel.org/show_bug.cgi?id=120131

Upstream patch:
https://github.com/torvalds/linux/commit/096cdc6f52225835ff503f987a0d68ef770bb78e

Bugtraq post:
http://seclists.org/bugtraq/2016/Jul/20
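A user-space model of the double-fetch pattern described above, added here as an example; it is not code from the kernel driver or from the upstream patch. `struct cmd_hdr`, `MAX_MSG`, `handle()`, `grow_insize()` and `demo()` are hypothetical names, `memcpy()` stands in for `copy_from_user()`, and the re-check after the second fetch is shown as one common mitigation.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_MSG 64                             /* hypothetical payload limit */
struct cmd_hdr { uint32_t outsize, insize; };  /* hypothetical request header */
/* Models a second user thread rewriting the header between the two fetches. */
static void grow_insize(void *user)
{
    ((struct cmd_hdr *)user)->insize = 4096;   /* constructed oversize value */
}

/* memcpy() stands in for copy_from_user(). Returns 0 if accepted, -1 if
 * rejected; *trusted is the insize that later code would rely on. */
static int handle(void *user, int recheck, uint32_t *trusted)
{
    struct cmd_hdr u, *s;
    memcpy(&u, user, sizeof(u));               /* fetch 1: header only */
    if (u.outsize > MAX_MSG || u.insize > MAX_MSG)
        return -1;                             /* limits checked on copy 1 */
    s = malloc(sizeof(u) + (u.outsize > u.insize ? u.outsize : u.insize));
    if (!s)
        return -1;
    grow_insize(user);                         /* user memory changes here */
    memcpy(s, user, sizeof(u) + u.outsize);    /* fetch 2: header + payload */
    if (recheck && (s->outsize != u.outsize || s->insize != u.insize)) {
        free(s);
        return -1;                             /* header changed: refuse */
    }
    *trusted = s->insize;                      /* never validated if !recheck */
    free(s);
    return 0;
}

/* Runs one request whose header initially asks for 8 bytes out, 8 bytes in. */
static int demo(int recheck, uint32_t *trusted)
{
    struct { struct cmd_hdr h; unsigned char p[MAX_MSG]; } user = { { 8, 8 }, { 0 } };
    return handle(&user, recheck, trusted);
}

int main(void)
{
    uint32_t t = 0;
    int rc = demo(0, &t);
    printf("no recheck: rc=%d trusted insize=%u\n", rc, (unsigned)t);
    printf("recheck:    rc=%d\n", demo(1, &t));
}
```

Without the re-check the handler accepts a request whose size field was validated on the first copy but used from the second; with it, the mismatched header is rejected before any size is trusted.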
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1353491]
kernel-4.6.4-201.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
kernel-4.6.4-301.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
Statement: This issue does not affect Red Hat Enterprise Linux products as they have not included this feature in any shipping products.