Bug 1661503 (CVE-2018-16885)
Summary: | CVE-2018-16885 kernel: out-of-bound read in memcpy_fromiovecend() | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Vladis Dronov <vdronov> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | low | Docs Contact: | |
Priority: | low | ||
Version: | unspecified | CC: | bhu, carnil, iboverma, jross, lgoncalv, matt, mcressma, nsl, ptikhomirov, rt-maint, vdronov, williams, yozone |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | | Doc Type: | If docs needed, set a value |
Doc Text: | A flaw was found in the Linux kernel that allows userspace to call memcpy_fromiovecend() and similar functions with a zero offset and buffer length. This can cause a read beyond the buffer boundaries and, in certain cases, a memory access fault and a system halt by accessing an invalid memory address. | ||
Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2019-08-06 13:21:11 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1622337, 1666275, 1666276 | ||
Bug Blocks: | 1635030 |
Description
Vladis Dronov
2018-12-21 11:52:48 UTC
Acknowledgments:

Name: Paolo Abeni (Red Hat)

Any more information on this? Fixing commit and/or introducing commit?

(In reply to Nicholas Luedtke from comment #3)
> Any more information on this? Fixing commit and/or introducing commit?

Hello, Nicholas,

I apologize for not mentioning previously that this is a RHEL-only bug. This specific bug is indirectly fixed upstream by UFO removal, and the buggy memcpy_fromiovecend() (and related functions) are fixed by:

commit 21226abb4e9f14d88238964d89b279e461ddc30c
Author: Al Viro <viro.org.uk>
Date: Fri Nov 28 15:48:29 2014 -0500

    net: switch memcpy_fromiovec()/memcpy_fromiovecend() users to copy_from_iter()

JFYI https://bugzilla.redhat.com/show_bug.cgi?id=1661503
https://lists.openvz.org/pipermail/devel/2018-December/072970.html

(In reply to Pavel Tikhomirov from comment #7)
> JFYI https://bugzilla.redhat.com/show_bug.cgi?id=1661503
> https://lists.openvz.org/pipermail/devel/2018-December/072970.html

Sorry for inconvenience, I meant https://bugzilla.redhat.com/show_bug.cgi?id=1659451, but accidentally missed, we have similar issue where. And https://lists.openvz.org/pipermail/devel/2018-December/072970.html is a possible fix for it.

This issue has been addressed in the following products:

Red Hat Enterprise Linux 7

Via RHSA-2019:2029 https://access.redhat.com/errata/RHSA-2019:2029

This issue has been addressed in the following products:

Red Hat Enterprise Linux 7

Via RHSA-2019:2043 https://access.redhat.com/errata/RHSA-2019:2043

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-16885