// For flags

CVE-2016-4913

kernel: Information leak when handling NM entries containing NUL

Severity Score

7.8
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

The get_rock_ridge_filename function in fs/isofs/rock.c in the Linux kernel before 4.5.5 mishandles NM (aka alternate name) entries containing \0 characters, which allows local users to obtain sensitive information from kernel memory or possibly have unspecified other impact via a crafted isofs filesystem.

La función get_rock_ridge_filename en fs/isofs/rock.c en el kernel de Linux en versiones anteriores a 4.5.5 no maneja correctamente entradas NM (también conocidas como alternate name) que contienen caracteres \0, lo que permite a usuarios locales obtener información sensible del kernel de memoria o posiblemente tener otro impacto no especificado a través de un sistema de archivo isofs manipulado.

A vulnerability was found in the Linux kernel. Payloads of NM entries are not supposed to contain NUL. When such entry is processed, only the part prior to the first NUL goes into the concatenation (i.e. the directory entry name being encoded by a bunch of NM entries). The process stops when the amount collected so far + the claimed amount in the current NM entry exceed 254. However, the value returned as the total length is the sum of *claimed* sizes, not the actual amount collected. And that's what will be passed to readdir() callback as the name length - 8Kb __copy_to_user() from a buffer allocated by __get_free_page().

*Credits: N/A
CVSS Scores
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Local
Attack Complexity
Low
Authentication
None
Confidentiality
Complete
Integrity
Complete
Availability
Complete
Attack Vector
Local
Attack Complexity
Low
Authentication
None
Confidentiality
Partial
Integrity
None
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2016-05-18 CVE Reserved
  • 2016-05-23 CVE Published
  • 2023-03-08 EPSS Updated
  • 2024-08-06 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CAPEC
References (28)
URL Tag Source
http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html Third Party Advisory
http://www.oracle.com/technetwork/topics/security/ovmbulletinoct2016-3090547.html Third Party Advisory
http://www.securityfocus.com/bid/90730 Third Party Advisory
URL Date SRC
URL Date SRC
http://www.openwall.com/lists/oss-security/2016/05/18/3 2023-09-12
http://www.openwall.com/lists/oss-security/2016/05/18/5 2023-09-12
URL Date SRC
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=99d825822eade8d827a1817357cbf3f889a552d6 2023-09-12
http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00052.html 2023-09-12
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00007.html 2023-09-12
http://www.debian.org/security/2016/dsa-3607 2023-09-12
http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.5.5 2023-09-12
http://www.ubuntu.com/usn/USN-3016-1 2023-09-12
http://www.ubuntu.com/usn/USN-3016-2 2023-09-12
http://www.ubuntu.com/usn/USN-3016-3 2023-09-12
http://www.ubuntu.com/usn/USN-3016-4 2023-09-12
http://www.ubuntu.com/usn/USN-3017-1 2023-09-12
http://www.ubuntu.com/usn/USN-3017-2 2023-09-12
http://www.ubuntu.com/usn/USN-3017-3 2023-09-12
http://www.ubuntu.com/usn/USN-3018-1 2023-09-12
http://www.ubuntu.com/usn/USN-3018-2 2023-09-12
http://www.ubuntu.com/usn/USN-3019-1 2023-09-12
http://www.ubuntu.com/usn/USN-3020-1 2023-09-12
http://www.ubuntu.com/usn/USN-3021-1 2023-09-12
http://www.ubuntu.com/usn/USN-3021-2 2023-09-12
https://access.redhat.com/errata/RHSA-2018:3083 2023-09-12
https://access.redhat.com/errata/RHSA-2018:3096 2023-09-12
https://bugzilla.redhat.com/show_bug.cgi?id=1337528 2018-10-30
https://github.com/torvalds/linux/commit/99d825822eade8d827a1817357cbf3f889a552d6 2023-09-12
https://access.redhat.com/security/cve/CVE-2016-4913 2018-10-30
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Canonical
Search vendor "Canonical"
 Ubuntu Linux
Search vendor "Canonical" for product "Ubuntu Linux"
 12.04
Search vendor "Canonical" for product "Ubuntu Linux" and version "12.04"
lts
Affected
Canonical
Search vendor "Canonical"
 Ubuntu Linux
Search vendor "Canonical" for product "Ubuntu Linux"
 14.04
Search vendor "Canonical" for product "Ubuntu Linux" and version "14.04"
lts
Affected
Canonical
Search vendor "Canonical"
 Ubuntu Linux
Search vendor "Canonical" for product "Ubuntu Linux"
 15.10
Search vendor "Canonical" for product "Ubuntu Linux" and version "15.10"
-
Affected
Canonical
Search vendor "Canonical"
 Ubuntu Linux
Search vendor "Canonical" for product "Ubuntu Linux"
 16.04
Search vendor "Canonical" for product "Ubuntu Linux" and version "16.04"
lts
Affected
Linux
Search vendor "Linux"
 Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
 < 3.2.81
Search vendor "Linux" for product "Linux Kernel" and version " < 3.2.81"
-
Affected
Linux
Search vendor "Linux"
 Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
 >= 3.3 < 3.10.102
Search vendor "Linux" for product "Linux Kernel" and version " >= 3.3 < 3.10.102"
-
Affected
Linux
Search vendor "Linux"
 Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
 >= 3.11 < 3.12.60
Search vendor "Linux" for product "Linux Kernel" and version " >= 3.11 < 3.12.60"
-
Affected
Linux
Search vendor "Linux"
 Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
 >= 3.13 < 3.14.70
Search vendor "Linux" for product "Linux Kernel" and version " >= 3.13 < 3.14.70"
-
Affected
Linux
Search vendor "Linux"
 Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
 >= 3.15 < 3.16.36
Search vendor "Linux" for product "Linux Kernel" and version " >= 3.15 < 3.16.36"
-
Affected
Linux
Search vendor "Linux"
 Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
 >= 3.17 < 3.18.34
Search vendor "Linux" for product "Linux Kernel" and version " >= 3.17 < 3.18.34"
-
Affected
Linux
Search vendor "Linux"
 Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
 >= 3.19 < 4.1.25
Search vendor "Linux" for product "Linux Kernel" and version " >= 3.19 < 4.1.25"
-
Affected
Linux
Search vendor "Linux"
 Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
 >= 4.2 < 4.4.11
Search vendor "Linux" for product "Linux Kernel" and version " >= 4.2 < 4.4.11"
-
Affected
Linux
Search vendor "Linux"
 Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
 >= 4.5 < 4.5.5
Search vendor "Linux" for product "Linux Kernel" and version " >= 4.5 < 4.5.5"
-
Affected
Oracle
Search vendor "Oracle"
 Linux
Search vendor "Oracle" for product "Linux"
 6
Search vendor "Oracle" for product "Linux" and version "6"
-
Affected
Novell
Search vendor "Novell"
 Suse Linux Enterprise Software Development Kit
Search vendor "Novell" for product "Suse Linux Enterprise Software Development Kit"
 11.0
Search vendor "Novell" for product "Suse Linux Enterprise Software Development Kit" and version "11.0"
sp4
Affected
Novell
Search vendor "Novell"
 Suse Linux Enterprise Debuginfo
Search vendor "Novell" for product "Suse Linux Enterprise Debuginfo"
 11.0
Search vendor "Novell" for product "Suse Linux Enterprise Debuginfo" and version "11.0"
sp4
Affected
Novell
Search vendor "Novell"
 Suse Linux Enterprise Server
Search vendor "Novell" for product "Suse Linux Enterprise Server"
 11.0
Search vendor "Novell" for product "Suse Linux Enterprise Server" and version "11.0"
extra
Affected
Novell
Search vendor "Novell"
 Suse Linux Enterprise Server
Search vendor "Novell" for product "Suse Linux Enterprise Server"
 11.0
Search vendor "Novell" for product "Suse Linux Enterprise Server" and version "11.0"
sp4
Affected