Bug 1698757 (CVE-2019-3900)

Summary: CVE-2019-3900 Kernel: vhost_net: infinite loop while receiving packets leads to DoS
Product: [Other] Security Response Reporter: Andrej Nemec <anemec>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: acaringi, airlied, bhu, blc, brdeoliv, bskeggs, dhoward, dvlasenk, esammons, fhrbata, hdegoede, hkrzesin, iboverma, ichavero, itamar, jarodwilson, jeremy, jforbes, jglisse, jkacur, john.j5live, jonathan, josef, jross, jstancek, jwboyer, kernel-maint, kernel-mgr, labbott, lgoncalv, linville, matt, mchehab, mcressma, mjg59, mlangsdo, mvanderw, nmurray, plougher, rt-maint, rvrbovsk, security-response-team, steved, williams, yozone
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
An infinite loop issue was found in the vhost_net kernel module while handling incoming packets in handle_rx(). The infinite loop could occur if one end sends packets faster than the other end can process them. A guest user, maybe a remote one, could use this flaw to stall the vhost_net kernel thread, resulting in a DoS scenario.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-07-30 19:18:20 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1702940, 1702941, 1702942, 1702943, 1702944, 1702945, 1702946, 1702947, 1702948, 1702949, 1702950, 1738494, 1759703, 1759704, 1759705, 1759706    
Bug Blocks: 1698754    

Description Andrej Nemec 2019-04-11 07:58:29 UTC 
An infinite loop issue was found in the vhost_net kernel module, while handling
incoming packets in handle_rx(). It could occur if one end sends packets faster
than the other end can process them.

A guest user, maybe remote one, could use this flaw to stall the vhost_net kernel
thread, resulting in a DoS scenario.

Upstream patch:
---------------
  -> https://www.spinics.net/lists/kernel/msg3111012.html

Reference:
----------
  -> https://www.openwall.com/lists/oss-security/2019/04/25/2
Comment 2 Prasad Pandit 2019-04-22 07:42:38 UTC 
Acknowledgments:

Name: Jason Wang (Red Hat Inc.)
Comment 3 Prasad Pandit 2019-04-25 09:01:22 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1702940]
Comment 6 Fedora Update System 2019-05-07 04:50:08 UTC 
kernel-5.0.11-100.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.
Comment 7 Eric Christensen 2019-05-08 13:38:20 UTC 
Statement:

This issue does not affect the versions of the kernel package as shipped with Red Hat Enterprise Linux 5 and Red Hat Enterprise MRG 2.

This issue affects the version of Linux kernel as shipped with Red Hat Enterprise Linux 6 and 7. Future kernel updates for Red Hat Enterprise Linux 6 and 7 may address this issue.
Comment 8 errata-xmlrpc 2019-07-30 13:17:22 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:1973 https://access.redhat.com/errata/RHSA-2019:1973
Comment 9 Product Security DevOps Team 2019-07-30 19:18:20 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-3900
Comment 10 errata-xmlrpc 2019-08-06 12:04:38 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2029 https://access.redhat.com/errata/RHSA-2019:2029
Comment 11 errata-xmlrpc 2019-08-06 12:07:03 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2043 https://access.redhat.com/errata/RHSA-2019:2043
Comment 14 errata-xmlrpc 2019-10-29 13:12:01 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2019:3220 https://access.redhat.com/errata/RHSA-2019:3220
Comment 16 errata-xmlrpc 2019-11-05 20:35:20 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:3309 https://access.redhat.com/errata/RHSA-2019:3309
Comment 17 errata-xmlrpc 2019-11-05 21:06:02 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:3517 https://access.redhat.com/errata/RHSA-2019:3517
Comment 18 errata-xmlrpc 2019-11-12 20:57:06 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2019:3836 https://access.redhat.com/errata/RHSA-2019:3836
Comment 20 errata-xmlrpc 2019-11-26 11:52:38 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.5 Extended Update Support

Via RHSA-2019:3967 https://access.redhat.com/errata/RHSA-2019:3967
Comment 21 errata-xmlrpc 2019-12-03 08:25:57 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Advanced Update Support
  Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.4 Telco Extended Update Support

Via RHSA-2019:4058 https://access.redhat.com/errata/RHSA-2019:4058
Comment 22 errata-xmlrpc 2020-01-22 21:26:37 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:0204 https://access.redhat.com/errata/RHSA-2020:0204