Bug 1661503 (CVE-2018-16885)
| Summary: | CVE-2018-16885 kernel: out-of-bound read in memcpy_fromiovecend() | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Vladislav Dronov <vdronov> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | unspecified | CC: | bhu, carnil, iboverma, jross, kernel-mgr, lgoncalv, matt, mcressma, nsl, ptikhomirov, rhel-process-autobot, rt-maint, vdronov, watson-tool-maintainers, williams, yozone |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | A flaw was found in the Linux kernel that allows userspace to call memcpy_fromiovecend() and similar functions with a zero offset and buffer length. This can cause a read beyond the buffer boundaries and, in certain cases, a memory access fault and a system halt by accessing an invalid memory address. | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2019-08-06 13:21:11 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1622337, 1666275, 1666276 | | |
| Bug Blocks: | 1635030 | | |

Description
Vladislav Dronov
2018-12-21 11:52:48 UTC
Acknowledgments:

Name: Paolo Abeni (Red Hat)

Any more information on this? Fixing commit and/or introducing commit?

(In reply to Nicholas Luedtke from comment #3)
> Any more information on this? Fixing commit and/or introducing commit?

Hello, Nicholas,

I apologize for not mentioning previously that this is a RHEL-only bug. This specific bug is indirectly fixed upstream by UFO removal, and the buggy memcpy_fromiovecend() (and related functions) are fixed by:

commit 21226abb4e9f14d88238964d89b279e461ddc30c
Author: Al Viro <viro.org.uk>
Date: Fri Nov 28 15:48:29 2014 -0500

    net: switch memcpy_fromiovec()/memcpy_fromiovecend() users to copy_from_iter()

JFYI https://bugzilla.redhat.com/show_bug.cgi?id=1661503
https://lists.openvz.org/pipermail/devel/2018-December/072970.html

(In reply to Pavel Tikhomirov from comment #7)
> JFYI https://bugzilla.redhat.com/show_bug.cgi?id=1661503
> https://lists.openvz.org/pipermail/devel/2018-December/072970.html

Sorry for inconvenience, I meant https://bugzilla.redhat.com/show_bug.cgi?id=1659451, but accidentally missed, we have similar issue where. And https://lists.openvz.org/pipermail/devel/2018-December/072970.html is a possible fix for it.

This issue has been addressed in the following products:

Red Hat Enterprise Linux 7

Via RHSA-2019:2029 https://access.redhat.com/errata/RHSA-2019:2029

This issue has been addressed in the following products:

Red Hat Enterprise Linux 7

Via RHSA-2019:2043 https://access.redhat.com/errata/RHSA-2019:2043

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-16885

This issue has been addressed in the following products:

Red Hat Enterprise Linux 6 Extended Lifecycle Support - EXTENSION

Via RHSA-2026:14823 https://access.redhat.com/errata/RHSA-2026:14823

This issue has been addressed in the following products:

Red Hat Enterprise Linux 7 Extended Lifecycle Support

Via RHSA-2026:14869 https://access.redhat.com/errata/RHSA-2026:14869

This issue has been addressed in the following products:

Red Hat Enterprise Linux 7 Extended Lifecycle Support

Via RHSA-2026:14925 https://access.redhat.com/errata/RHSA-2026:14925
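
Added illustration of the condition in the Doc Text (zero offset with zero-length buffers); this is not the RHEL kernel code and not a fix taken from this bug. It is a user-space C model of an offset-skipping iovec copy that checks the segment count, assuming a skip loop of the form `offset >= iov_len`; the names `copy_from_iovec_end`, `demo_all_empty` and `demo_mixed` are hypothetical and all inputs are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <sys/uio.h>

/* Hypothetical model: skip `offset` bytes of iov[0..nr), then copy `len` bytes. */
int copy_from_iovec_end(unsigned char *dst, const struct iovec *iov,
                        size_t nr, size_t offset, size_t len)
{
    size_t i = 0;
    if (len == 0)
        return 0;               /* nothing requested: do not walk the array */
    /* Empty segments pass offset >= iov_len at offset 0; i < nr is the only stop. */
    while (i < nr && offset >= iov[i].iov_len) {
        offset -= iov[i].iov_len;
        i++;
    }
    for (; len > 0; i++, offset = 0) {
        if (i == nr)
            return -1;          /* ran out of segments before len was met */
        size_t n = iov[i].iov_len - offset;
        n = n > len ? len : n;
        if (n)
            memcpy(dst, (const unsigned char *)iov[i].iov_base + offset, n);
        dst += n;
        len -= n;
    }
    return 0;
}

/* Constructed input: two empty segments, zero offset, 4 bytes requested. */
int demo_all_empty(void)
{
    struct iovec iov[2] = { { NULL, 0 }, { NULL, 0 } };
    unsigned char out[4];
    return copy_from_iovec_end(out, iov, 2, 0, 4);
}

/* Constructed input: "abc", empty, "defg"; skip 1, copy 5; 1 if out is "bcdef". */
int demo_mixed(void)
{
    struct iovec iov[3] = { { "abc", 3 }, { NULL, 0 }, { "defg", 4 } };
    unsigned char out[5];
    return !copy_from_iovec_end(out, iov, 3, 1, 5) && !memcmp(out, "bcdef", 5);
}

int main(void)
{
    printf("all-empty: %d, mixed ok: %d\n", demo_all_empty(), demo_mixed());
    return 0;
}
```

Without the `i < nr` bound, the all-empty input would keep the skip loop reading `iov_len` from memory past the end of the array, which is the read the Doc Text describes.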