Bug 988708 – VUL-0: CVE-2016-6197,CVE-2016-6198: kernel-source: local DoS / crash using rename syscall on overlayfs on top of xfs

Bug 988708 - (CVE-2016-6197) VUL-0: CVE-2016-6197,CVE-2016-6198: kernel-source: local DoS / crash using rename syscall on overlayfs on top of xfs

(CVE-2016-6197)
Summary:	VUL-0: CVE-2016-6197,CVE-2016-6198: kernel-source: local DoS / crash using re...

Status:	RESOLVED FIXED

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assigned To:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/170728/
Whiteboard:	CVSSv2:SUSE:CVE-2016-6197:4.9:(AV:L/A...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2016-07-13 09:29 UTC by Andreas Stieger
Modified:	2020-06-16 22:06 UTC (History)
CC List:	6 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Andreas Stieger 2016-07-13 09:29:10 UTC

From http://seclists.org/oss-sec/2016/q3/42

    An unprivileged user could run an exploit using rename syscall on
    overlayfs on top of xfs to crash the kernel caused a denial of
    service.

    Exploit:
    https://github.com/linux-test-project/ltp/blob/master/testcases/kernel/syscalls/rename/rename13.c

    Patch can be found here with more in depth description


As far as we can tell, there are circumstances in which each of the
two parts of the patch could be relevant, and thus we are assigning
two CVE IDs.


    https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=11f3710417d026ea2f4fcf362d866342c5274185


This patch is present in 4.6 but not in 4.5.5.

Use CVE-2016-6197.


    https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=54d5ca871e72f2bb172ec9323497f01cd5091ec7
    https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=9409e22acdfc9153f88d9b1ed2bd2a5b34d2d3ca


These patches are present in both 4.6 and 4.5.5.
(https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.5.5 lists
them.)

Use CVE-2016-6198.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6197
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6198
http://seclists.org/oss-sec/2016/q3/42

Comment 1 Takashi Iwai 2016-07-13 09:41:08 UTC

- TW: 4.6.x => OK
- SLE12-SP2 / openSUSE-42.2: 4.4.11 already contains the fix

Comment 2 Takashi Iwai 2016-07-13 09:48:41 UTC

> - SLE12-SP2 / openSUSE-42.2: 4.4.11 already contains the fix

I meant only about the latter two fixes:
54d5ca871e72f2bb172ec9323497f01cd5091ec7
9409e22acdfc9153f88d9b1ed2bd2a5b34d2d3ca

The former fix isn't included in SLE12-SP2
11f3710417d026ea2f4fcf362d866342c5274185

Comment 3 Goldwyn Rodrigues 2016-07-13 12:13:53 UTC

Thanks for the analysis so far. I will take over from here.

Comment 4 Swamp Workflow Management 2016-07-13 22:00:25 UTC

bugbot adjusting priority

Comment 5 Goldwyn Rodrigues 2016-07-20 15:45:27 UTC

Reassigning to security team after patches submitted.

Comment 6 Marcus Meissner 2017-03-02 11:04:08 UTC

patches.kernel.org/patch-4.4.15-16 has 11f3710417d026ea2f4fcf362d866342c5274185

Comment 7 Marcus Meissner 2017-03-02 11:05:23 UTC

overlayfs is new in SLES 12 SP2, so no older versions affected.

fixed before shipping sles 12 sp2.