ID

VAR-201606-0329

CVE

CVE-2016-5829

TITLE

Linux Kernel of drivers/hid/usbhid/hiddev.c of hiddev_ioctl_usage Heap-based buffer overflow vulnerability in functions

DESCRIPTION

Multiple heap-based buffer overflows in the hiddev_ioctl_usage function in drivers/hid/usbhid/hiddev.c in the Linux kernel through 4.6.3 allow local users to cause a denial of service or possibly have unspecified other impact via a crafted (1) HIDIOCGUSAGES or (2) HIDIOCSUSAGES ioctl call. The Linux kernel is prone to a local heap-based buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data. Local attackers may exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will likely crash the kernel, denying service to legitimate users. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: kernel security and bug fix update Advisory ID: RHSA-2016:2006-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2016-2006.html Issue date: 2016-10-04 CVE Names: CVE-2016-4470 CVE-2016-5829 ===================================================================== 1. Summary: An update for kernel is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Desktop (v. 6) - i386, noarch, x86_64 Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64 Red Hat Enterprise Linux HPC Node (v. 6) - noarch, x86_64 Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64 Red Hat Enterprise Linux Server (v. 6) - i386, noarch, ppc64, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 6) - i386, noarch, x86_64 Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64 3. Description: The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es): * A flaw was found in the Linux kernel's keyring handling code, where in key_reject_and_link() an uninitialized variable would eventually lead to arbitrary free address which could allow attacker to use a use-after-free style attack. (CVE-2016-4470, Important) * A heap-based buffer overflow vulnerability was found in the Linux kernel's hiddev driver. This flaw could allow a local attacker to corrupt kernel memory, possible privilege escalation or crashing the system. (CVE-2016-5829, Moderate) The CVE-2016-4470 issue was discovered by David Howells (Red Hat Inc.). Bug Fix(es): * Previously, when two NFS shares with different security settings were mounted, the I/O operations to the kerberos-authenticated mount caused the RPC_CRED_KEY_EXPIRE_SOON parameter to be set, but the parameter was not unset when performing the I/O operations on the sec=sys mount. Consequently, writes to both NFS shares had the same parameters, regardless of their security settings. This update fixes this problem by moving the NO_CRKEY_TIMEOUT parameter to the auth->au_flags field. As a result, NFS shares with different security settings are now handled as expected. (BZ#1366962) * In some circumstances, resetting a Fibre Channel over Ethernet (FCoE) interface could lead to a kernel panic, due to invalid information extracted from the FCoE header. This update adds santiy checking to the cpu number extracted from the FCoE header. This ensures that subsequent operations address a valid cpu, and eliminates the kernel panic. (BZ#1359036) * Prior to this update, the following problems occurred with the way GSF2 transitioned files and directories from the "unlinked" state to the "free" state: The numbers reported for the df and the du commands in some cases got out of sync, which caused blocks in the file system to appear missing. The blocks were not actually missing, but they were left in the "unlinked" state. In some circumstances, GFS2 referenced a cluster lock that was already deleted, which led to a kernel panic. If an object was deleted and its space reused as a different object, GFS2 sometimes deleted the existing one, which caused file system corruption. With this update, the transition from "unlinked" to "free" state has been fixed. As a result, none of these three problems occur anymore. (BZ#1359037) * Previously, the GFS2 file system in some cases became unresponsive due to lock dependency problems between inodes and the cluster lock. This occurred most frequently on nearly full file systems where files and directories were being deleted and recreated at the same block location at the same time. With this update, a set of patches has been applied to fix these lock dependencies. As a result, GFS2 no longer hangs in the described circumstances. (BZ#1359038) * When used with controllers that do not support DCMD- MR_DCMD_PD_LIST_QUERY, the megaraid_sas driver can go into infinite error reporting loop of error reporting messages. This could cause difficulties with finding other important log messages, or even it could cause the disk to overflow. This bug has been fixed by ignoring the DCMD MR_DCMD_PD_LIST_QUERY query for controllers which do not support it and sending the DCMD SUCCESS status to the AEN functions. As a result, the error messages no longer appear when there is a change in the status of one of the arrays. (BZ#1359039) 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 The system must be rebooted for this update to take effect. 5. Bugs fixed (https://bugzilla.redhat.com/): 1341716 - CVE-2016-4470 kernel: Uninitialized variable in request_key handling causes kernel crash in error handling path 1350509 - CVE-2016-5829 kernel: Heap buffer overflow in hiddev driver 6. Package List: Red Hat Enterprise Linux Desktop (v. 6): Source: kernel-2.6.32-642.6.1.el6.src.rpm i386: kernel-2.6.32-642.6.1.el6.i686.rpm kernel-debug-2.6.32-642.6.1.el6.i686.rpm kernel-debug-debuginfo-2.6.32-642.6.1.el6.i686.rpm kernel-debug-devel-2.6.32-642.6.1.el6.i686.rpm kernel-debuginfo-2.6.32-642.6.1.el6.i686.rpm kernel-debuginfo-common-i686-2.6.32-642.6.1.el6.i686.rpm kernel-devel-2.6.32-642.6.1.el6.i686.rpm kernel-headers-2.6.32-642.6.1.el6.i686.rpm perf-2.6.32-642.6.1.el6.i686.rpm perf-debuginfo-2.6.32-642.6.1.el6.i686.rpm python-perf-debuginfo-2.6.32-642.6.1.el6.i686.rpm noarch: kernel-abi-whitelists-2.6.32-642.6.1.el6.noarch.rpm kernel-doc-2.6.32-642.6.1.el6.noarch.rpm kernel-firmware-2.6.32-642.6.1.el6.noarch.rpm x86_64: kernel-2.6.32-642.6.1.el6.x86_64.rpm kernel-debug-2.6.32-642.6.1.el6.x86_64.rpm kernel-debug-debuginfo-2.6.32-642.6.1.el6.i686.rpm kernel-debug-debuginfo-2.6.32-642.6.1.el6.x86_64.rpm kernel-debug-devel-2.6.32-642.6.1.el6.i686.rpm kernel-debug-devel-2.6.32-642.6.1.el6.x86_64.rpm kernel-debuginfo-2.6.32-642.6.1.el6.i686.rpm kernel-debuginfo-2.6.32-642.6.1.el6.x86_64.rpm kernel-debuginfo-common-i686-2.6.32-642.6.1.el6.i686.rpm kernel-debuginfo-common-x86_64-2.6.32-642.6.1.el6.x86_64.rpm kernel-devel-2.6.32-642.6.1.el6.x86_64.rpm kernel-headers-2.6.32-642.6.1.el6.x86_64.rpm perf-2.6.32-642.6.1.el6.x86_64.rpm perf-debuginfo-2.6.32-642.6.1.el6.i686.rpm perf-debuginfo-2.6.32-642.6.1.el6.x86_64.rpm python-perf-debuginfo-2.6.32-642.6.1.el6.i686.rpm python-perf-debuginfo-2.6.32-642.6.1.el6.x86_64.rpm Red Hat Enterprise Linux Desktop Optional (v. 6): i386: kernel-debug-debuginfo-2.6.32-642.6.1.el6.i686.rpm kernel-debuginfo-2.6.32-642.6.1.el6.i686.rpm kernel-debuginfo-common-i686-2.6.32-642.6.1.el6.i686.rpm perf-debuginfo-2.6.32-642.6.1.el6.i686.rpm python-perf-2.6.32-642.6.1.el6.i686.rpm python-perf-debuginfo-2.6.32-642.6.1.el6.i686.rpm x86_64: kernel-debug-debuginfo-2.6.32-642.6.1.el6.x86_64.rpm kernel-debuginfo-2.6.32-642.6.1.el6.x86_64.rpm kernel-debuginfo-common-x86_64-2.6.32-642.6.1.el6.x86_64.rpm perf-debuginfo-2.6.32-642.6.1.el6.x86_64.rpm python-perf-2.6.32-642.6.1.el6.x86_64.rpm python-perf-debuginfo-2.6.32-642.6.1.el6.x86_64.rpm Red Hat Enterprise Linux HPC Node (v. 6): Source: kernel-2.6.32-642.6.1.el6.src.rpm noarch: kernel-abi-whitelists-2.6.32-642.6.1.el6.noarch.rpm kernel-doc-2.6.32-642.6.1.el6.noarch.rpm kernel-firmware-2.6.32-642.6.1.el6.noarch.rpm x86_64: kernel-2.6.32-642.6.1.el6.x86_64.rpm kernel-debug-2.6.32-642.6.1.el6.x86_64.rpm kernel-debug-debuginfo-2.6.32-642.6.1.el6.i686.rpm kernel-debug-debuginfo-2.6.32-642.6.1.el6.x86_64.rpm kernel-debug-devel-2.6.32-642.6.1.el6.i686.rpm kernel-debug-devel-2.6.32-642.6.1.el6.x86_64.rpm kernel-debuginfo-2.6.32-642.6.1.el6.i686.rpm kernel-debuginfo-2.6.32-642.6.1.el6.x86_64.rpm kernel-debuginfo-common-i686-2.6.32-642.6.1.el6.i686.rpm kernel-debuginfo-common-x86_64-2.6.32-642.6.1.el6.x86_64.rpm kernel-devel-2.6.32-642.6.1.el6.x86_64.rpm kernel-headers-2.6.32-642.6.1.el6.x86_64.rpm perf-2.6.32-642.6.1.el6.x86_64.rpm perf-debuginfo-2.6.32-642.6.1.el6.i686.rpm perf-debuginfo-2.6.32-642.6.1.el6.x86_64.rpm python-perf-debuginfo-2.6.32-642.6.1.el6.i686.rpm python-perf-debuginfo-2.6.32-642.6.1.el6.x86_64.rpm Red Hat Enterprise Linux HPC Node Optional (v. 6): x86_64: kernel-debug-debuginfo-2.6.32-642.6.1.el6.x86_64.rpm kernel-debuginfo-2.6.32-642.6.1.el6.x86_64.rpm kernel-debuginfo-common-x86_64-2.6.32-642.6.1.el6.x86_64.rpm perf-debuginfo-2.6.32-642.6.1.el6.x86_64.rpm python-perf-2.6.32-642.6.1.el6.x86_64.rpm python-perf-debuginfo-2.6.32-642.6.1.el6.x86_64.rpm Red Hat Enterprise Linux Server (v. 6): Source: kernel-2.6.32-642.6.1.el6.src.rpm i386: kernel-2.6.32-642.6.1.el6.i686.rpm kernel-debug-2.6.32-642.6.1.el6.i686.rpm kernel-debug-debuginfo-2.6.32-642.6.1.el6.i686.rpm kernel-debug-devel-2.6.32-642.6.1.el6.i686.rpm kernel-debuginfo-2.6.32-642.6.1.el6.i686.rpm kernel-debuginfo-common-i686-2.6.32-642.6.1.el6.i686.rpm kernel-devel-2.6.32-642.6.1.el6.i686.rpm kernel-headers-2.6.32-642.6.1.el6.i686.rpm perf-2.6.32-642.6.1.el6.i686.rpm perf-debuginfo-2.6.32-642.6.1.el6.i686.rpm python-perf-debuginfo-2.6.32-642.6.1.el6.i686.rpm noarch: kernel-abi-whitelists-2.6.32-642.6.1.el6.noarch.rpm kernel-doc-2.6.32-642.6.1.el6.noarch.rpm kernel-firmware-2.6.32-642.6.1.el6.noarch.rpm ppc64: kernel-2.6.32-642.6.1.el6.ppc64.rpm kernel-bootwrapper-2.6.32-642.6.1.el6.ppc64.rpm kernel-debug-2.6.32-642.6.1.el6.ppc64.rpm kernel-debug-debuginfo-2.6.32-642.6.1.el6.ppc64.rpm kernel-debug-devel-2.6.32-642.6.1.el6.ppc64.rpm kernel-debuginfo-2.6.32-642.6.1.el6.ppc64.rpm kernel-debuginfo-common-ppc64-2.6.32-642.6.1.el6.ppc64.rpm kernel-devel-2.6.32-642.6.1.el6.ppc64.rpm kernel-headers-2.6.32-642.6.1.el6.ppc64.rpm perf-2.6.32-642.6.1.el6.ppc64.rpm perf-debuginfo-2.6.32-642.6.1.el6.ppc64.rpm python-perf-debuginfo-2.6.32-642.6.1.el6.ppc64.rpm s390x: kernel-2.6.32-642.6.1.el6.s390x.rpm kernel-debug-2.6.32-642.6.1.el6.s390x.rpm kernel-debug-debuginfo-2.6.32-642.6.1.el6.s390x.rpm kernel-debug-devel-2.6.32-642.6.1.el6.s390x.rpm kernel-debuginfo-2.6.32-642.6.1.el6.s390x.rpm kernel-debuginfo-common-s390x-2.6.32-642.6.1.el6.s390x.rpm kernel-devel-2.6.32-642.6.1.el6.s390x.rpm kernel-headers-2.6.32-642.6.1.el6.s390x.rpm kernel-kdump-2.6.32-642.6.1.el6.s390x.rpm kernel-kdump-debuginfo-2.6.32-642.6.1.el6.s390x.rpm kernel-kdump-devel-2.6.32-642.6.1.el6.s390x.rpm perf-2.6.32-642.6.1.el6.s390x.rpm perf-debuginfo-2.6.32-642.6.1.el6.s390x.rpm python-perf-debuginfo-2.6.32-642.6.1.el6.s390x.rpm x86_64: kernel-2.6.32-642.6.1.el6.x86_64.rpm kernel-debug-2.6.32-642.6.1.el6.x86_64.rpm kernel-debug-debuginfo-2.6.32-642.6.1.el6.i686.rpm kernel-debug-debuginfo-2.6.32-642.6.1.el6.x86_64.rpm kernel-debug-devel-2.6.32-642.6.1.el6.i686.rpm kernel-debug-devel-2.6.32-642.6.1.el6.x86_64.rpm kernel-debuginfo-2.6.32-642.6.1.el6.i686.rpm kernel-debuginfo-2.6.32-642.6.1.el6.x86_64.rpm kernel-debuginfo-common-i686-2.6.32-642.6.1.el6.i686.rpm kernel-debuginfo-common-x86_64-2.6.32-642.6.1.el6.x86_64.rpm kernel-devel-2.6.32-642.6.1.el6.x86_64.rpm kernel-headers-2.6.32-642.6.1.el6.x86_64.rpm perf-2.6.32-642.6.1.el6.x86_64.rpm perf-debuginfo-2.6.32-642.6.1.el6.i686.rpm perf-debuginfo-2.6.32-642.6.1.el6.x86_64.rpm python-perf-debuginfo-2.6.32-642.6.1.el6.i686.rpm python-perf-debuginfo-2.6.32-642.6.1.el6.x86_64.rpm Red Hat Enterprise Linux Server Optional (v. 6): i386: kernel-debug-debuginfo-2.6.32-642.6.1.el6.i686.rpm kernel-debuginfo-2.6.32-642.6.1.el6.i686.rpm kernel-debuginfo-common-i686-2.6.32-642.6.1.el6.i686.rpm perf-debuginfo-2.6.32-642.6.1.el6.i686.rpm python-perf-2.6.32-642.6.1.el6.i686.rpm python-perf-debuginfo-2.6.32-642.6.1.el6.i686.rpm ppc64: kernel-debug-debuginfo-2.6.32-642.6.1.el6.ppc64.rpm kernel-debuginfo-2.6.32-642.6.1.el6.ppc64.rpm kernel-debuginfo-common-ppc64-2.6.32-642.6.1.el6.ppc64.rpm perf-debuginfo-2.6.32-642.6.1.el6.ppc64.rpm python-perf-2.6.32-642.6.1.el6.ppc64.rpm python-perf-debuginfo-2.6.32-642.6.1.el6.ppc64.rpm s390x: kernel-debug-debuginfo-2.6.32-642.6.1.el6.s390x.rpm kernel-debuginfo-2.6.32-642.6.1.el6.s390x.rpm kernel-debuginfo-common-s390x-2.6.32-642.6.1.el6.s390x.rpm kernel-kdump-debuginfo-2.6.32-642.6.1.el6.s390x.rpm perf-debuginfo-2.6.32-642.6.1.el6.s390x.rpm python-perf-2.6.32-642.6.1.el6.s390x.rpm python-perf-debuginfo-2.6.32-642.6.1.el6.s390x.rpm x86_64: kernel-debug-debuginfo-2.6.32-642.6.1.el6.x86_64.rpm kernel-debuginfo-2.6.32-642.6.1.el6.x86_64.rpm kernel-debuginfo-common-x86_64-2.6.32-642.6.1.el6.x86_64.rpm perf-debuginfo-2.6.32-642.6.1.el6.x86_64.rpm python-perf-2.6.32-642.6.1.el6.x86_64.rpm python-perf-debuginfo-2.6.32-642.6.1.el6.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 6): Source: kernel-2.6.32-642.6.1.el6.src.rpm i386: kernel-2.6.32-642.6.1.el6.i686.rpm kernel-debug-2.6.32-642.6.1.el6.i686.rpm kernel-debug-debuginfo-2.6.32-642.6.1.el6.i686.rpm kernel-debug-devel-2.6.32-642.6.1.el6.i686.rpm kernel-debuginfo-2.6.32-642.6.1.el6.i686.rpm kernel-debuginfo-common-i686-2.6.32-642.6.1.el6.i686.rpm kernel-devel-2.6.32-642.6.1.el6.i686.rpm kernel-headers-2.6.32-642.6.1.el6.i686.rpm perf-2.6.32-642.6.1.el6.i686.rpm perf-debuginfo-2.6.32-642.6.1.el6.i686.rpm python-perf-debuginfo-2.6.32-642.6.1.el6.i686.rpm noarch: kernel-abi-whitelists-2.6.32-642.6.1.el6.noarch.rpm kernel-doc-2.6.32-642.6.1.el6.noarch.rpm kernel-firmware-2.6.32-642.6.1.el6.noarch.rpm x86_64: kernel-2.6.32-642.6.1.el6.x86_64.rpm kernel-debug-2.6.32-642.6.1.el6.x86_64.rpm kernel-debug-debuginfo-2.6.32-642.6.1.el6.i686.rpm kernel-debug-debuginfo-2.6.32-642.6.1.el6.x86_64.rpm kernel-debug-devel-2.6.32-642.6.1.el6.i686.rpm kernel-debug-devel-2.6.32-642.6.1.el6.x86_64.rpm kernel-debuginfo-2.6.32-642.6.1.el6.i686.rpm kernel-debuginfo-2.6.32-642.6.1.el6.x86_64.rpm kernel-debuginfo-common-i686-2.6.32-642.6.1.el6.i686.rpm kernel-debuginfo-common-x86_64-2.6.32-642.6.1.el6.x86_64.rpm kernel-devel-2.6.32-642.6.1.el6.x86_64.rpm kernel-headers-2.6.32-642.6.1.el6.x86_64.rpm perf-2.6.32-642.6.1.el6.x86_64.rpm perf-debuginfo-2.6.32-642.6.1.el6.i686.rpm perf-debuginfo-2.6.32-642.6.1.el6.x86_64.rpm python-perf-debuginfo-2.6.32-642.6.1.el6.i686.rpm python-perf-debuginfo-2.6.32-642.6.1.el6.x86_64.rpm Red Hat Enterprise Linux Workstation Optional (v. 6): i386: kernel-debug-debuginfo-2.6.32-642.6.1.el6.i686.rpm kernel-debuginfo-2.6.32-642.6.1.el6.i686.rpm kernel-debuginfo-common-i686-2.6.32-642.6.1.el6.i686.rpm perf-debuginfo-2.6.32-642.6.1.el6.i686.rpm python-perf-2.6.32-642.6.1.el6.i686.rpm python-perf-debuginfo-2.6.32-642.6.1.el6.i686.rpm x86_64: kernel-debug-debuginfo-2.6.32-642.6.1.el6.x86_64.rpm kernel-debuginfo-2.6.32-642.6.1.el6.x86_64.rpm kernel-debuginfo-common-x86_64-2.6.32-642.6.1.el6.x86_64.rpm perf-debuginfo-2.6.32-642.6.1.el6.x86_64.rpm python-perf-2.6.32-642.6.1.el6.x86_64.rpm python-perf-debuginfo-2.6.32-642.6.1.el6.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2016-4470 https://access.redhat.com/security/cve/CVE-2016-5829 https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2016 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFX9CKhXlSAg2UNWIIRAtDIAJ4jq1XKyOvhk936eIn8YqaTfkJ9PQCdEyBk pvpRQNlcn7vpNO2lmcMjswg= =1otA -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . ========================================================================== Ubuntu Security Notice USN-3070-1 August 29, 2016 linux vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 16.04 LTS Summary: Several security issues were fixed in the kernel. A local user could exploit this flaw to gain access to any file by setting an ACL. (CVE-2016-1237) Kangjie Lu discovered an information leak in the Reliable Datagram Sockets (RDS) implementation in the Linux kernel. (CVE-2016-5244) James Patrick-Evans discovered that the airspy USB device driver in the Linux kernel did not properly handle certain error conditions. An attacker with physical access could use this to cause a denial of service (memory consumption). (CVE-2016-5400) Yue Cao et al discovered a flaw in the TCP implementation's handling of challenge acks in the Linux kernel. A remote attacker could use this to cause a denial of service (reset connection) or inject content into an TCP stream. (CVE-2016-5696) Pengfei Wang discovered a race condition in the MIC VOP driver in the Linux kernel. (CVE-2016-5728) Cyril Bur discovered that on PowerPC platforms, the Linux kernel mishandled transactional memory state on exec(). (CVE-2016-5829) It was discovered that the OverlayFS implementation in the Linux kernel did not properly verify dentry state before proceeding with unlink and rename operations. A local attacker could use this to cause a denial of service (system crash). (CVE-2016-6197) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 16.04 LTS: linux-image-4.4.0-36-generic 4.4.0-36.55 linux-image-4.4.0-36-generic-lpae 4.4.0-36.55 linux-image-4.4.0-36-lowlatency 4.4.0-36.55 linux-image-4.4.0-36-powerpc-e500mc 4.4.0-36.55 linux-image-4.4.0-36-powerpc-smp 4.4.0-36.55 linux-image-4.4.0-36-powerpc64-emb 4.4.0-36.55 linux-image-4.4.0-36-powerpc64-smp 4.4.0-36.55 After a standard system update you need to reboot your computer to make all the necessary changes. ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well

AFFECTED PRODUCTS