CVE-2016-0774

kernel: pipe buffer state corruption after unsuccessful atomic read from pipe

Severity Score

6.8

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

The (1) pipe_read and (2) pipe_write implementations in fs/pipe.c in a certain Linux kernel backport in the linux package before 3.2.73-2+deb7u3 on Debian wheezy and the kernel package before 3.10.0-229.26.2 on Red Hat Enterprise Linux (RHEL) 7.1 do not properly consider the side effects of failed __copy_to_user_inatomic and __copy_from_user_inatomic calls, which allows local users to cause a denial of service (system crash) or possibly gain privileges via a crafted application, aka an "I/O vector array overrun." NOTE: this vulnerability exists because of an incorrect fix for CVE-2015-1805.

Las implementaciones (1) pipe_read y (2) pipe_write en fs/pipe.c en un determinado backport del kernel de Linux en el paquete linux en versiones anteriores a 3.2.73-2+deb7u3 sobre Debian wheezy y el paquete kernel en versiones anteriores a 3.10.0-229.26.2 sobre Red Hat Enterprise Linux (RHEL) 7.1 no considera correctamente los efectos laterales de llamadas __copy_to_user_inatomic y __copy_from_user_inatomic fallidas, lo que permite a usuarios locales provocar una denegación de servicio (caída de sistema) o posiblemente obtener prvilegios a través de una aplicación manipulada, también conocido como un "I/O vector array overrun". NOTA: esta vulnerabilidad existe debido a una solución incorrecta para CVE-2015-1805.

It was found that the fix for CVE-2015-1805 incorrectly kept buffer offset and buffer length in sync on a failed atomic read, potentially resulting in a pipe buffer state corruption. A local, unprivileged user could use this flaw to crash the system or leak kernel memory to user space.

*Credits: N/A

CVSS Scores

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

High

Attack Vector

Local

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

Complete

Attack Vector

Local

Attack Complexity

Medium

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2015-12-16 CVE Reserved
2016-02-03 CVE Published
2023-03-08 EPSS Updated
2024-08-05 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-20: Improper Input Validation

CAPEC

References (25)

URL	Tag	Source
http://source.android.com/security/bulletin/2016-05-01.html	X_refsource_confirm
http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html	X_refsource_confirm
http://www.securityfocus.com/bid/84126	Vdb Entry
https://security-tracker.debian.org/tracker/CVE-2016-0774	X_refsource_confirm

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00025.html	2016-12-03
http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00026.html	2016-12-03
http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00027.html	2016-12-03
http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00028.html	2016-12-03
http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00029.html	2016-12-03
http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00030.html	2016-12-03
http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00031.html	2016-12-03
http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00032.html	2016-12-03
http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00033.html	2016-12-03
http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00034.html	2016-12-03
http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00036.html	2016-12-03
http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00037.html	2016-12-03
http://rhn.redhat.com/errata/RHSA-2016-0494.html	2016-12-03
http://rhn.redhat.com/errata/RHSA-2016-0617.html	2016-12-03
http://www.debian.org/security/2016/dsa-3503	2016-12-03
http://www.ubuntu.com/usn/USN-2967-1	2016-12-03
http://www.ubuntu.com/usn/USN-2967-2	2016-12-03
http://www.ubuntu.com/usn/USN-2968-1	2016-12-03
http://www.ubuntu.com/usn/USN-2968-2	2016-12-03
https://bugzilla.redhat.com/show_bug.cgi?id=1303961	2016-04-12
https://access.redhat.com/security/cve/CVE-2016-0774	2016-04-12

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				-		-		Affected
Google Search vendor "Google"		Android Search vendor "Google" for product "Android"				<= 6.0.1 Search vendor "Google" for product "Android" and version " <= 6.0.1"		-		Affected