The arch_pick_mmap_layout function in arch/x86/mm/mmap.c in the Linux kernel through 4.5.2 does not properly randomize the legacy base address, which makes it easier for local users to defeat the intended restrictions on the ADDR_NO_RANDOMIZE flag, and bypass the ASLR protection mechanism for a setuid or setgid program, by disabling stack-consumption resource limits.
{ "vanir_signatures": [ { "digest": { "length": 148.0, "function_hash": "12262058228002293036579320837110046121" }, "signature_type": "Function", "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git@8b8addf891de8a00e4d39fc32f93f7c5eb8feceb", "id": "CVE-2016-3672-17ed2347", "target": { "function": "mmap_legacy_base", "file": "arch/x86/mm/mmap.c" }, "deprecated": false }, { "digest": { "length": 390.0, "function_hash": "337923649422083169272906529899686825784" }, "signature_type": "Function", "signature_version": "v1", "source": "https://github.com/torvalds/linux/commit/8b8addf891de8a00e4d39fc32f93f7c5eb8feceb", "id": "CVE-2016-3672-273d8628", "target": { "function": "arch_pick_mmap_layout", "file": "arch/x86/mm/mmap.c" }, "deprecated": false }, { "digest": { "length": 390.0, "function_hash": "337923649422083169272906529899686825784" }, "signature_type": "Function", "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git@8b8addf891de8a00e4d39fc32f93f7c5eb8feceb", "id": "CVE-2016-3672-2be30f98", "target": { "function": "arch_pick_mmap_layout", "file": "arch/x86/mm/mmap.c" }, "deprecated": false }, { "digest": { "threshold": 0.9, "line_hashes": [ "310955383141172883723769897838031196201", "10078852435386304177340254172168730284", "142551720889528303982449201894588042163", "211364312333197333046685615551103385039", "86883987915578718486919967333346351929", "39820543812093746194900920770231966016", "62910611632403776878417943244811298288", "250575064094845594122593264805055532772", "160915947991435977605692101816003253021", "294974935531207182004257618190932867523", "40414554036747411674331107811778284981", "115347927568873262382167381559462126887", "49514056756537881156558859432960385418", "337725944621568768556785855349789145566" ] }, "signature_type": "Line", "signature_version": "v1", "source": 
"https://github.com/torvalds/linux/commit/8b8addf891de8a00e4d39fc32f93f7c5eb8feceb", "id": "CVE-2016-3672-906151b9", "target": { "file": "arch/x86/mm/mmap.c" }, "deprecated": false }, { "digest": { "threshold": 0.9, "line_hashes": [ "310955383141172883723769897838031196201", "10078852435386304177340254172168730284", "142551720889528303982449201894588042163", "211364312333197333046685615551103385039", "86883987915578718486919967333346351929", "39820543812093746194900920770231966016", "62910611632403776878417943244811298288", "250575064094845594122593264805055532772", "160915947991435977605692101816003253021", "294974935531207182004257618190932867523", "40414554036747411674331107811778284981", "115347927568873262382167381559462126887", "49514056756537881156558859432960385418", "337725944621568768556785855349789145566" ] }, "signature_type": "Line", "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git@8b8addf891de8a00e4d39fc32f93f7c5eb8feceb", "id": "CVE-2016-3672-d2cce3de", "target": { "file": "arch/x86/mm/mmap.c" }, "deprecated": false }, { "digest": { "length": 148.0, "function_hash": "12262058228002293036579320837110046121" }, "signature_type": "Function", "signature_version": "v1", "source": "https://github.com/torvalds/linux/commit/8b8addf891de8a00e4d39fc32f93f7c5eb8feceb", "id": "CVE-2016-3672-d44b604e", "target": { "function": "mmap_legacy_base", "file": "arch/x86/mm/mmap.c" }, "deprecated": false } ] }