Bug 988025 (CVE-2016-6156) - VUL-1: CVE-2016-6156: kernel-source: race condition vulnerability in Chrome driver
Status: RESOLVED WORKSFORME
Alias: CVE-2016-6156
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other openSUSE 42.1
: P5 - None : Minor
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/170669/
Whiteboard: CVSSv2:SUSE:CVE-2016-6156:3.3:(AV:L/...
Keywords:
Depends on:
Blocks:
 
Reported: 2016-07-07 10:59 UTC by Andreas Stieger
Modified: 2016-07-07 13:20 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Andreas Stieger 2016-07-07 10:59:16 UTC
A double-fetch vulnerability was found in /drivers/platform/chrome/cros_ec_dev.c in the Chrome driver in the Linux kernel before 4.6.1.

In function ec_device_ioctl_xcmd(), the driver fetches user space data by pointer arg via copy_from_user(), and this happens twice at line 137 and line 145 respectively.

Upstream bug:

https://bugzilla.kernel.org/show_bug.cgi?id=120131

Upstream patch:

https://github.com/torvalds/linux/commit/096cdc6f52225835ff503f987a0d68ef770bb78e

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1353490
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6156
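
The double-fetch pattern described above, modelled in user space as an added example (not the kernel driver's code and not part of the original report): `handle()` reads a size header, validates it, then reads the header again together with the payload, and with `recheck` set it rejects a header that changed between the two reads. The struct, the function names and the simulated race are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed message header; payload bytes follow it in memory. */
struct hdr { uint32_t outsize, insize; };
#define MAX_PAYLOAD 64u

static int race_enabled; /* models another thread rewriting user memory */

/* Stand-in for copy_from_user(): a plain copy out of "user" memory. */
static void fetch(void *dst, const void *user, size_t n) { memcpy(dst, user, n); }

/* Returns the insize the handler ends up trusting, or -1 if rejected. */
long handle(uint32_t *user, int recheck)
{
    struct hdr first, *m;
    long trusted;

    fetch(&first, user, sizeof(first));             /* fetch 1: header only */
    if (first.outsize > MAX_PAYLOAD || first.insize > MAX_PAYLOAD)
        return -1;                                  /* sizes validated once, here */
    m = malloc(sizeof(*m) + MAX_PAYLOAD);
    if (!m)
        return -1;
    if (race_enabled)
        user[1] = 4096;                             /* insize rewritten in the window */
    fetch(m, user, sizeof(*m) + first.outsize);     /* fetch 2: header again + payload */
    if (recheck && (m->outsize != first.outsize || m->insize != first.insize)) {
        free(m);
        return -1;                                  /* header changed between fetches */
    }
    trusted = (long)m->insize;                      /* later code would rely on this */
    free(m);
    return trusted;
}

/* Runs a constructed request (outsize = insize = 8) through handle(). */
long demo(int race, int recheck)
{
    uint32_t user[4] = { 8, 8, 0, 0 };              /* header + 8 payload bytes */
    race_enabled = race;
    return handle(user, recheck);
}

int main(void)
{
    printf("no recheck: %ld, recheck: %ld\n", demo(1, 0), demo(1, 1));
    return 0;
}
```

Without the re-check, the handler ends up trusting an insize of 4096 even though validation capped it at 64; with the re-check, the changed header is rejected.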
Comment 1 Andreas Stieger 2016-07-07 11:02:57 UTC
Looks like this only affects 4.1 (file introduced) and 4.2 (https://github.com/torvalds/linux/commit/a841178445bb72a3d566b4e6ab9d19e9b002eb47) and up.
Comment 2 Takashi Iwai 2016-07-07 13:17:57 UTC
The 4.1.x kernel doesn't contain the relevant buggy code, so this doesn't affect Leap 42.1 kernel, either.  That is, all our kernels are fine.

I reassign back to security team.  Feel free to close.
Comment 3 Andreas Stieger 2016-07-07 13:20:26 UTC
Thanks