CVE-2016-6187
Published 2016-08-06
Priority P349 · high · 7.8 (CVSS 3.1)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 2.40% (81.9th percentile)
The apparmor_setprocattr function in security/apparmor/lsm.c in the Linux kernel before 4.6.5 does not validate the buffer size, which allows local users to gain privileges by triggering an AppArmor setprocattr hook.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | linux | < linux 4.6.4-1 (bookworm) | linux 4.6.4-1 (bookworm) |
| linux | linux_kernel | >= 0 < 4.6.4-1 | 4.6.4-1 |
| linux | linux_kernel | >= 0 < 4.6.4-1 | 4.6.4-1 |
| linux | linux_kernel | >= 0 < 4.6.4-1 | 4.6.4-1 |
| linux | linux_kernel | >= 0 < 4.6.4-1 | 4.6.4-1 |
| linux | linux_kernel | >= 4.5 < 4.6.5 | 4.6.5 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C |
| osv | | 7.8 | HIGH | |
| vendor_debian | | 7.8 | HIGH | |
| vendor_redhat | | 7.8 | HIGH | |
GHSA
GHSA-f2rr-m524-j23q (ghsa_unreviewed · 2022-05-17)
CVE-2016-6187 [HIGH] CWE-119
Kernel
userfaultfd: add UFFD_USER_MODE_ONLY
kernel_security · 2020-12-14
Patch series "Control over userfaultfd kernel-fault handling", v6.
This patch series is split from [1]. The other series enables SELinux
support for userfaultfd file descriptors so that its creation and movement
can be controlled.
It has been demonstrated on various occasions that suspending kernel code
execution for an arbitrary amount of time at any access to userspace
memory (copy_from_user()/copy_to_user()/...) can be exploited to change
the intended behavior of the kernel. For instance, handling page faults
in kernel-mode using userfaultfd has been exploited in [2, 3]. Likewise,
FUSE, which is similar to userfaultfd in this respect, has been exploited
in [4, 5] for similar outcome.
This small patch series adds a new flag to userfaultfd(2) that
Kernel
mm: add SLUB free list pointer obfuscation
kernel_security · 2017-09-06
This SLUB free list pointer obfuscation code is modified from Brad
Spengler/PaX Team's code in the last public patch of grsecurity/PaX
based on my understanding of the code. Changes or omissions from the
original code are mine and don't reflect the original grsecurity/PaX
code.
This adds a per-cache random value to SLUB caches that is XORed with
their freelist pointer address and value. This adds nearly zero
overhead and frustrates the very common heap overflow exploitation
method of overwriting freelist pointers.
A recent example of the attack is written up here:
http://cyseclabs.com/blog/cve-2016-6187-heap-off-by-one-exploit
and there is a section dedicated to the technique in the book "A Guide to
Kernel Exploitation: Attacking the Core".
Thi
OSV
CVE-2016-6187 [HIGH]
osv · 2016-08-06 · CVSS 7.8
Red Hat
kernel: apparmor: Potential privilege escalation via oops in apparmor_setprocattr()
vendor_redhat · 2016-07-08 · CVSS 7.8 · CVE-2016-6187 [HIGH] CWE-131
A vulnerability leading to a local privilege escalation was found in apparmor in the Linux kernel. When proc_pid_attr_write() was changed to use memdup_user apparmor's (interface violating) assumption that the setprocattr buffer was always a single page was violated.
Statement: Red Hat Enterprise Linux is not affected by this flaw as CONFIG_SECURITY_APPARMOR is not enabled in any current shipping kernels.
Package: kernel (Red Hat Enterprise Linux 5) - Not affected
Package: kernel (Red Hat
Debian
CVE-2016-6187: linux - The apparmor_setprocattr function in security/apparmor/lsm.c in the Linux kernel...
vendor_debian · 2016 · CVSS 7.8 · [HIGH]
Scope: local
bookworm: resolved (fixed in 4.6.4-1)
bullseye: resolved (fixed in 4.6.4-1)
forky: resolved (fixed in 4.6.4-1)
sid: resolved (fixed in 4.6.4-1)
trixie: resolved (fixed in 4.6.4-1)
No detection rules found.
Bugzilla
CVE-2016-6187 kernel: apparmor: Potential privilege escalation via oops in apparmor_setprocattr() [fedora-all]
bugzilla · 2016-07-11 · CVSS 7.8 · [HIGH]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affect
Bugzilla
CVE-2016-6187 kernel: apparmor: Potential privilege escalation via oops in apparmor_setprocattr()
bugzilla · 2016-07-11 · CVSS 7.8 · [HIGH]
A vulnerability leading to a local privilege escalation was found in apparmor in the Linux kernel. When proc_pid_attr_write() was changed to use memdup_user apparmor's (interface violating) assumption that the setprocattr buffer was always a single page was violated.
Upstream pull request:
http://marc.info/?l=linux-kernel&m=146793642811929&w=2
Upstream fix:
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=30a46a4647fd1df9cf52e43bf467f0d9265096ca
References:
http://seclists.org/oss-sec/2016/q3/30
Discussion:
Created kernel tracking bugs for this issue:
Affects: fedora-all [bug 1354385]
---
Statement:
Red Hat Enterprise Linux is not affected by this flaw as
References:
- http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=30a46a4647fd1df9cf52e43bf467f0d9265096ca
- http://marc.info/?l=linux-kernel&m=146793642811929&w=2
- http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.6.5
- http://www.openwall.com/lists/oss-security/2016/07/09/2
- http://www.securityfocus.com/bid/91696
- https://bugzilla.redhat.com/show_bug.cgi?id=1354383
- https://github.com/torvalds/linux/commit/30a46a4647fd1df9cf52e43bf467f0d9265096ca
Published: 2016-08-06