Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
Bug 1353533 - (CVE-2016-6136) CVE-2016-6136 kernel: Race condition vulnerability in execve argv arguments
CVE-2016-6136 kernel: Race condition vulnerability in execve argv arguments
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20160704,repor...
: Security
Depends On: 1359308 1353534 1359302 1359304 1359305 1359306 1359307 1376279 1376280 1376281
Blocks: 1353535
  Show dependency treegraph
 
Reported: 2016-07-07 07:56 EDT by Andrej Nemec
Modified: 2018-09-21 17:59 EDT (History)
35 users (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
When creating audit records for parameters to executed children processes, an attacker can convince the Linux kernel audit subsystem can create corrupt records which may allow an attacker to misrepresent or evade logging of executing commands.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:2574 normal SHIPPED_LIVE Important: kernel security, bug fix, and enhancement update 2016-11-03 08:06:10 EDT
Red Hat Product Errata RHSA-2016:2584 normal SHIPPED_LIVE Important: kernel-rt security, bug fix, and enhancement update 2016-11-03 08:08:49 EDT
Red Hat Product Errata RHSA-2017:0307 normal SHIPPED_LIVE Moderate: kernel security and bug fix update 2017-02-23 17:35:46 EST

  None (edit)
Description Andrej Nemec 2016-07-07 07:56:37 EDT
In function audit_log_single_execve_arg(), the whole argument is fetched from user space twice via copy_from_user(). In the first loop, it is firstly fetched (line 1038) to verify, aka looking for non-ascii chars. While in the second loop, the whole argument is fetched again (line 1105) from user space and used at line 1121 and line 1123 respectively depends on the previous verification.

Upstream bug:

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6136
https://bugzilla.kernel.org/show_bug.cgi?id=120681
https://github.com/linux-audit/audit-kernel/issues/18
https://www.redhat.com/archives/linux-audit/2016-June/msg00029.html

Upstream patch:

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=43761473c254b45883a64441dd0bc85a42f3645c
Comment 1 Andrej Nemec 2016-07-07 07:57:34 EDT
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1353534]
Comment 2 Josh Boyer 2016-07-07 08:17:05 EDT
(In reply to Andrej Nemec from comment #0)
> Upstream patch:
> 
> https://github.com/linux-audit/audit-kernel/issues/18

I don't actually see a patch there.  That's an issue, which is the equivalent of this bug.

Paul, I'm guessing a patch is in the works?
Comment 3 Andrej Nemec 2016-07-07 08:26:12 EDT
(In reply to Josh Boyer from comment #2)
> (In reply to Andrej Nemec from comment #0)
> > Upstream patch:
> > 
> > https://github.com/linux-audit/audit-kernel/issues/18
> 
> I don't actually see a patch there.  That's an issue, which is the
> equivalent of this bug.
> 
> Paul, I'm guessing a patch is in the works?

My bad, that should have been listed as an upstream issue. I checked git and this particular patch is not there yet imo.
Comment 4 Paul Moore 2016-07-07 09:39:38 EDT
(In reply to Josh Boyer from comment #2)
> Paul, I'm guessing a patch is in the works?

It is on my radar but I haven't gotten to it yet.  Now that there is a CVE for it, I'll bump it up in terms of priority; I'll take a closer look at it later this afternoon.
Comment 15 Fedora Update System 2016-08-08 16:24:37 EDT
kernel-4.6.5-300.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
Comment 16 Fedora Update System 2016-08-08 19:51:52 EDT
kernel-4.6.5-200.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Comment 17 Wade Mealing 2016-08-09 22:18:08 EDT
Statement:

This issue affects the Linux kernel packages as shipped with Red Hat Enterprise Linux 5, 6 and 7. This has been rated as having Moderate security impact and is  planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.

This issue affects the Linux kernel packages as shipped with Red Hat Enterprise Linux 7 and MRG-2. Future Linux kernel updates for the respective releases may address this issue.
Comment 23 errata-xmlrpc 2016-11-03 13:04:34 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2574 https://rhn.redhat.com/errata/RHSA-2016-2574.html
Comment 24 errata-xmlrpc 2016-11-03 15:54:16 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2584 https://rhn.redhat.com/errata/RHSA-2016-2584.html
Comment 25 errata-xmlrpc 2016-11-03 17:36:38 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2574 https://rhn.redhat.com/errata/RHSA-2016-2574.html
Comment 26 errata-xmlrpc 2016-11-03 17:44:17 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2584 https://rhn.redhat.com/errata/RHSA-2016-2584.html
Comment 27 errata-xmlrpc 2017-02-23 12:39:44 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2017:0307 https://rhn.redhat.com/errata/RHSA-2017-0307.html

Note You need to log in before you can comment on or make changes to this bug.