Bug 988708 - (CVE-2016-6197) VUL-0: CVE-2016-6197,CVE-2016-6198: kernel-source: local DoS / crash using rename syscall on overlayfs on top of xfs
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Assigned To: Security Team bot
URL: https://smash.suse.de/issue/170728/
Whiteboard: CVSSv2:SUSE:CVE-2016-6197:4.9:(AV:L/A...
Reported: 2016-07-13 09:29 UTC by Andreas Stieger
Modified: 2020-06-16 22:06 UTC
Found By: Security Response Team

Description Andreas Stieger 2016-07-13 09:29:10 UTC
From http://seclists.org/oss-sec/2016/q3/42

    An unprivileged user could run an exploit using the rename syscall on
    overlayfs on top of xfs to crash the kernel, causing a denial of
    service.

    Exploit:
    https://github.com/linux-test-project/ltp/blob/master/testcases/kernel/syscalls/rename/rename13.c

    Patch can be found here with a more in-depth description:

As far as we can tell, there are circumstances in which each of the
two parts of the patch could be relevant, and thus we are assigning
two CVE IDs.

    https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=11f3710417d026ea2f4fcf362d866342c5274185

This patch is present in 4.6 but not in 4.5.5.

Use CVE-2016-6197.

    https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=54d5ca871e72f2bb172ec9323497f01cd5091ec7
    https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=9409e22acdfc9153f88d9b1ed2bd2a5b34d2d3ca

These patches are present in both 4.6 and 4.5.5.
(https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.5.5 lists
them.)

Use CVE-2016-6198.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6197
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6198
http://seclists.org/oss-sec/2016/q3/42

Comment 1 Takashi Iwai 2016-07-13 09:41:08 UTC
- TW: 4.6.x => OK
- SLE12-SP2 / openSUSE-42.2: 4.4.11 already contains the fix

Comment 2 Takashi Iwai 2016-07-13 09:48:41 UTC
> - SLE12-SP2 / openSUSE-42.2: 4.4.11 already contains the fix

I meant only about the latter two fixes:
54d5ca871e72f2bb172ec9323497f01cd5091ec7
9409e22acdfc9153f88d9b1ed2bd2a5b34d2d3ca

The former fix isn't included in SLE12-SP2:
11f3710417d026ea2f4fcf362d866342c5274185

Comment 3 Goldwyn Rodrigues 2016-07-13 12:13:53 UTC
Thanks for the analysis so far. I will take over from here.

Comment 4 Swamp Workflow Management 2016-07-13 22:00:25 UTC
bugbot adjusting priority

Comment 5 Goldwyn Rodrigues 2016-07-20 15:45:27 UTC
Reassigning to security team after patches submitted.

Comment 6 Marcus Meissner 2017-03-02 11:04:08 UTC
patches.kernel.org/patch-4.4.15-16 has 11f3710417d026ea2f4fcf362d866342c5274185

Comment 7 Marcus Meissner 2017-03-02 11:05:23 UTC
overlayfs is new in SLES 12 SP2, so no older versions affected.

Fixed before shipping SLES 12 SP2.