Bug 1353533 (CVE-2016-6136) - CVE-2016-6136 kernel: Race condition vulnerability in execve argv arguments
Summary: CVE-2016-6136 kernel: Race condition vulnerability in execve argv arguments
Status: NEW
Alias: CVE-2016-6136
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
(Show other bugs)
Version: unspecified
Hardware: All Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20160704,repor...
Keywords: Security
Depends On: 1359308 1353534 1359302 1359304 1359305 1359306 1359307 1376279 1376280 1376281
Blocks: 1353535
TreeView+ depends on / blocked
 
Reported: 2016-07-07 11:56 UTC by Andrej Nemec
Modified: 2018-09-21 21:59 UTC (History)
35 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
When creating audit records for parameters to executed children processes, an attacker can convince the Linux kernel audit subsystem can create corrupt records which may allow an attacker to misrepresent or evade logging of executing commands.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:2574 normal SHIPPED_LIVE Important: kernel security, bug fix, and enhancement update 2016-11-03 12:06:10 UTC
Red Hat Product Errata RHSA-2016:2584 normal SHIPPED_LIVE Important: kernel-rt security, bug fix, and enhancement update 2016-11-03 12:08:49 UTC
Red Hat Product Errata RHSA-2017:0307 normal SHIPPED_LIVE Moderate: kernel security and bug fix update 2017-02-23 22:35:46 UTC

Description Andrej Nemec 2016-07-07 11:56:37 UTC
In function audit_log_single_execve_arg(), the whole argument is fetched from user space twice via copy_from_user(). In the first loop, it is firstly fetched (line 1038) to verify, aka looking for non-ascii chars. While in the second loop, the whole argument is fetched again (line 1105) from user space and used at line 1121 and line 1123 respectively depends on the previous verification.

Upstream bug:

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6136
https://bugzilla.kernel.org/show_bug.cgi?id=120681
https://github.com/linux-audit/audit-kernel/issues/18
https://www.redhat.com/archives/linux-audit/2016-June/msg00029.html

Upstream patch:

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=43761473c254b45883a64441dd0bc85a42f3645c

Comment 1 Andrej Nemec 2016-07-07 11:57:34 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1353534]

Comment 2 Josh Boyer 2016-07-07 12:17:05 UTC
(In reply to Andrej Nemec from comment #0)
> Upstream patch:
> 
> https://github.com/linux-audit/audit-kernel/issues/18

I don't actually see a patch there.  That's an issue, which is the equivalent of this bug.

Paul, I'm guessing a patch is in the works?

Comment 3 Andrej Nemec 2016-07-07 12:26:12 UTC
(In reply to Josh Boyer from comment #2)
> (In reply to Andrej Nemec from comment #0)
> > Upstream patch:
> > 
> > https://github.com/linux-audit/audit-kernel/issues/18
> 
> I don't actually see a patch there.  That's an issue, which is the
> equivalent of this bug.
> 
> Paul, I'm guessing a patch is in the works?

My bad, that should have been listed as an upstream issue. I checked git and this particular patch is not there yet imo.

Comment 4 Paul Moore 2016-07-07 13:39:38 UTC
(In reply to Josh Boyer from comment #2)
> Paul, I'm guessing a patch is in the works?

It is on my radar but I haven't gotten to it yet.  Now that there is a CVE for it, I'll bump it up in terms of priority; I'll take a closer look at it later this afternoon.

Comment 15 Fedora Update System 2016-08-08 20:24:37 UTC
kernel-4.6.5-300.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 16 Fedora Update System 2016-08-08 23:51:52 UTC
kernel-4.6.5-200.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 17 Wade Mealing 2016-08-10 02:18:08 UTC
Statement:

This issue affects the Linux kernel packages as shipped with Red Hat Enterprise Linux 5, 6 and 7. This has been rated as having Moderate security impact and is  planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.

This issue affects the Linux kernel packages as shipped with Red Hat Enterprise Linux 7 and MRG-2. Future Linux kernel updates for the respective releases may address this issue.

Comment 23 errata-xmlrpc 2016-11-03 17:04:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2574 https://rhn.redhat.com/errata/RHSA-2016-2574.html

Comment 24 errata-xmlrpc 2016-11-03 19:54:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2584 https://rhn.redhat.com/errata/RHSA-2016-2584.html

Comment 25 errata-xmlrpc 2016-11-03 21:36:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2574 https://rhn.redhat.com/errata/RHSA-2016-2574.html

Comment 26 errata-xmlrpc 2016-11-03 21:44:17 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2584 https://rhn.redhat.com/errata/RHSA-2016-2584.html

Comment 27 errata-xmlrpc 2017-02-23 17:39:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2017:0307 https://rhn.redhat.com/errata/RHSA-2017-0307.html


Note You need to log in before you can comment on or make changes to this bug.