Bug 1656472 (CVE-2018-16880)

Summary: CVE-2018-16880 kernel: Out of bounds write in get_rx_bufs() function in drivers/vhost/net.c
Product: [Other] Security Response
Reporter: Pedro Sampaio <psampaio>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: high
Priority: high
Version: unspecified
CC: acaringi, airlied, bhu, blc, brdeoliv, bskeggs, dhoward, dvlasenk, fhrbata, hdegoede, hkrzesin, hwkernel-mgr, iboverma, ichavero, itamar, jarodwilson, jasowang, jeremy, jforbes, jglisse, jkacur, john.j5live, jonathan, josef, jross, jstancek, jwboyer, kernel-maint, kernel-mgr, labbott, lgoncalv, linville, matt, mchehab, mcressma, mjg59, mlangsdo, nmurray, plougher, rt-maint, rvrbovsk, security-response-team, steved, vdronov, williams
Keywords: Security
Hardware: All
OS: Linux
Doc Text:
A flaw was found in the Linux kernel's handle_rx() function in the [vhost_net] driver. A malicious virtual guest, under specific conditions, can trigger an out-of-bounds write in a kmalloc-8 slab on a virtual host which may lead to a kernel memory corruption and a system panic. Due to the nature of the flaw, privilege escalation cannot be fully ruled out.
Last Closed: 2019-06-10 10:43:39 UTC
Bug Depends On: 1668665, 1668666, 1669545    
Bug Blocks: 1656474    

Description Pedro Sampaio 2018-12-05 15:22:09 UTC
A flaw was found in the Linux kernel in the handle_rx() function in the [vhost_net] driver. A malicious virtual guest under specific conditions can trigger an out-of-bounds write in a kmalloc-8 slab on a virtual host which may lead to a kernel memory corruption and a system panic. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely.

References:

https://seclists.org/oss-sec/2019/q1/94

Introducing commits:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e2b3b35eb9896f26c98b9a2c047d9111638059a2

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f5a4941aa6d190e676065e8f4ed35999f52a01c3

The suggested patch:

https://lore.kernel.org/netdev/20190128070505.18335-1-jasowang@redhat.com/T/#u

https://marc.info/?t=154865913700007&r=1&w=2

Comment 2 Vladis Dronov 2018-12-13 15:12:33 UTC
Acknowledgements:

Name: Jason Wang (Red Hat)

Comment 4 Vladis Dronov 2018-12-13 16:02:58 UTC
Notes on the flaw's impact:

> is this guest triggerable (guest -> host) or host -> host?

A VM guest can trigger an OOB write on a host, but this requires a large network packet to be received.

> what is overwritten?

A kmalloc-8 slab on a VM host.

> what's the minimum and maximum size of the out-of-bound write?

From 8 bytes (sizeof(vring_used_elem)) to 504 bytes (63 * sizeof(vring_used_elem)).

> does the attacker control the data that are written and if yes, to which degree?

The attacker cannot directly control the data.

Comment 6 Vladis Dronov 2019-01-25 15:47:53 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1669545]