Bugzilla – Bug 991604
VUL-0: CVE-2016-6516: kernel: >= 4.5 double fetch leading to heap overflow
Last modified: 2016-08-03 12:45:36 UTC
Quoting from OSS-sec:

Good afternoon,

For Mitre: Some code was moved from btrfs to the generic vfs ioctl: (https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/fs/ioctl.c?h=v4.5&id=54dbc15172375641ef03399e8f911d7165eb90fb). During the port a double fetch with userland was introduced which can lead to an undersized allocation and subsequent heap overflow with potentially controlled data. It has been patched in upstream here: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=10eec60ce79187686e052092e5383c99b4420a20

For OSS-sec: attached is a PoC. I attempted to write an exploit for this but that's not really my forte. I feel like this bug has the potential for a workable user->root exploit but I couldn't do it.

1: You can control which cache the overflow happens on. I picked the same cache as the File struct.
2: The code writes 2 different width zeros past the allocation, one 32 bit and the other 64 bit.
3: I attempted to overflow and write the 32 bit 0 to the top half of a pointer so it would point to userland, but I couldn't find a suitable structure to overflow into.

So if anyone plays around with this and gets a workable exploit please share the details as I'm looking to expand my exploitation knowledge and techniques.

Thank you,
--Scott

CVE-2016-6516

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6516
http://seclists.org/oss-sec/2016/q3/220
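The double fetch described in the report above, as an added user-space model (this is not the PoC from the report, nor code from the kernel tree). The struct layouts are simplified copies of the FIDEDUPERANGE structures, copy_from_fake_user() stands in for copy_from_user()/memdup_user(), and the racing thread is replaced by a deterministic rewrite of dest_count after the first fetch; all of that is an assumption of the demo. The hardened path re-asserts the count obtained by the first fetch after the second copy, which is the standard remedy for this class of bug and is, to my understanding, what the linked upstream commit does. The allocation is padded with poisoned guard bytes so the out-of-bounds 64-bit and 32-bit zero writes can be counted instead of corrupting the real heap.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified copies of the kernel's FIDEDUPERANGE structures: a fixed
 * header carrying dest_count, followed by dest_count info[] entries. */
struct dedupe_info {
	int64_t  dest_fd;
	uint64_t dest_offset;
	uint64_t bytes_deduped;   /* 64-bit zero written by the consumer loop */
	int32_t  status;          /* 32-bit zero written by the consumer loop */
	uint32_t reserved;
};

struct dedupe_range {
	uint64_t src_offset;
	uint64_t src_length;
	uint16_t dest_count;
	uint16_t reserved1;
	uint32_t reserved2;
	struct dedupe_info info[];
};

static size_t range_size(size_t count)
{
	return sizeof(struct dedupe_range) + count * sizeof(struct dedupe_info);
}

/* Stand-in for user memory (constructed for the demo). A real attacker races
 * a second thread that rewrites dest_count between the kernel's two copies;
 * here the first fetch deterministically triggers that rewrite. */
struct fake_user {
	unsigned char *buf;
	size_t len;
	uint16_t racing_count;   /* value dest_count takes after the first fetch */
	int fetches;
};

static int copy_from_fake_user(void *dst, struct fake_user *u, size_t off, size_t n)
{
	if (off + n > u->len)
		return -1;                                   /* -EFAULT */
	memcpy(dst, u->buf + off, n);
	if (++u->fetches == 1)                           /* racer wins between fetch 1 and 2 */
		((struct dedupe_range *)u->buf)->dest_count = u->racing_count;
	return 0;
}

static struct fake_user *make_user(uint16_t initial_count, uint16_t racing_count)
{
	uint16_t m = initial_count > racing_count ? initial_count : racing_count;
	struct fake_user *u = calloc(1, sizeof *u);
	u->len = range_size(m);
	u->buf = calloc(1, u->len);
	((struct dedupe_range *)u->buf)->dest_count = initial_count;
	u->racing_count = racing_count;
	return u;
}

#define GUARD_ENTRIES 16   /* poisoned slack after the allocation, demo-only */

/* Models ioctl_file_dedupe_range() followed by the consumer loop that zeroes
 * bytes_deduped/status per entry. Returns the number of bytes written past
 * the allocation the kernel would have made (0 when hardened), -1 on fault. */
static long dedupe_ioctl(struct fake_user *u, int hardened)
{
	uint16_t count;
	/* fetch 1: dest_count alone, used to size the allocation */
	if (copy_from_fake_user(&count, u, offsetof(struct dedupe_range, dest_count), sizeof count))
		return -1;
	size_t size = range_size(count);
	size_t guard = GUARD_ENTRIES * sizeof(struct dedupe_info);

	/* kernel: same = memdup_user(argp, size); here over-allocated and poisoned */
	unsigned char *raw = malloc(size + guard);
	if (!raw)
		return -1;
	memset(raw + size, 0xAA, guard);
	struct dedupe_range *same = (struct dedupe_range *)raw;
	/* fetch 2: the whole struct, including a possibly changed dest_count */
	if (copy_from_fake_user(same, u, 0, size)) {
		free(raw);
		return -1;
	}

	if (hardened)
		same->dest_count = count;   /* the fix: re-assert the value the allocation was sized from */

	/* consumer trusts same->dest_count; the clamp is harness safety only, the kernel has none */
	size_t n = same->dest_count;
	if (n > (size_t)count + GUARD_ENTRIES)
		n = (size_t)count + GUARD_ENTRIES;
	for (size_t i = 0; i < n; i++) {
		same->info[i].bytes_deduped = 0;
		same->info[i].status = 0;
	}

	long corrupted = 0;
	for (size_t i = 0; i < guard; i++)
		if (raw[size + i] != 0xAA)
			corrupted++;
	free(raw);
	return corrupted;
}

static long run_scenario(uint16_t initial_count, uint16_t racing_count, int hardened)
{
	struct fake_user *u = make_user(initial_count, racing_count);
	long r = dedupe_ioctl(u, hardened);
	free(u->buf);
	free(u);
	return r;
}

int main(void)
{
	printf("vulnerable, dest_count 1 -> 3: %ld bytes written past allocation\n", run_scenario(1, 3, 0));
	printf("hardened,   dest_count 1 -> 3: %ld bytes written past allocation\n", run_scenario(1, 3, 1));
	return 0;
}
```

Each extra entry the vulnerable loop visits writes 12 bytes (an 8-byte and a 4-byte zero) at a fixed offset inside a 32-byte stride beyond the allocation, which matches the "two different width zeros" the report describes; the hardened path writes none because the loop bound and the allocation are derived from the same fetched value.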
Looks like we don't ship kernels >= 4.5 (on SLE at least)
I backported to master branch, and stable branch will merge it. It hits only TW (4.5 or newer kernel), so no other fixes needed. Reassigned back to security team.
closing