Bug 1750727 (CVE-2019-14835)

Summary: CVE-2019-14835 kernel: vhost-net: guest to host kernel escape during migration
Product: [Other] Security Response
Reporter: msiddiqu
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: acaringi, ailan, airlied, asavkov, bdettelb, bhu, blc, brdeoliv, bskeggs, dblechte, dfediuck, dhoward, dvlasenk, eedri, eperezma, fhrbata, hdegoede, hkrzesin, ichavero, itamar, jarodwilson, jasowang, jeremy, jforbes, jglisse, jlelli, joe.lawrence, john.j5live, jonathan, josef, jpadman, jpoimboe, jschorr, jshortt, jstancek, jwboyer, kernel-maint, kernel-mgr, knoel, labbott, lgoncalv, linville, masami256, mchehab, mgoldboi, michal.skrivanek, mjg59, mlangsdo, mst, mvanderw, nmurray, plougher, pmatouse, rhandlin, rvrbovsk, sbonazzo, security-response-team, shdunne, sherold, steved, tvignaud, williams, wquan, yozone, yturgema
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A buffer overflow flaw was found in the way the Linux kernel's vhost functionality, which translates virtqueue buffers to IOVs, logged the buffer descriptors during migration. A privileged guest user able to pass descriptors with invalid length to the host when migration is underway could use this flaw to increase their privileges on the host. In the worst case (and likely most common virtualization) scenario, this flaw affects KVM/qemu hypervisor enabled hosts running Linux guests.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-09-20 12:45:40 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1750869, 1750870, 1750871, 1750872, 1750873, 1750874, 1750875, 1750876, 1750877, 1750878, 1750879, 1750880, 1750881, 1750882, 1750883, 1750884, 1750885, 1750886, 1750887, 1750888, 1750892, 1751435, 1751436, 1751437, 1752525, 1752526, 1752794
Bug Blocks: 1750783, 1751561, 1751562, 1751563, 1751564, 1751565, 1751566

Description msiddiqu 2019-09-10 11:27:20 UTC
A buffer overflow flaw was found in the way the Linux kernel's vhost functionality, which translates virtqueue buffers to IOVs, logged the buffer descriptors during migration. A privileged guest user able to pass descriptors with invalid length to the host when migration is underway could use this flaw to increase their privileges on the host.

Comment 1 msiddiqu 2019-09-10 11:27:26 UTC
Acknowledgments:

Name: Peter Pi (Tencent Blade Team)

Comment 17 Petr Matousek 2019-09-17 08:57:14 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1752794]

Comment 24 Petr Matousek 2019-09-19 07:18:34 UTC
Statement:

Red Hat Product Security is aware of this issue. Updates will be released as they become available. For additional information, please refer to the Red Hat Knowledgebase article: https://access.redhat.com/security/vulnerabilities/kernel-vhost

Comment 25 Petr Matousek 2019-09-19 07:18:38 UTC
Mitigation:

For mitigation related information, please refer to the Red Hat Knowledgebase article: https://access.redhat.com/security/vulnerabilities/kernel-vhost

Comment 28 errata-xmlrpc 2019-09-20 06:26:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:2828 https://access.redhat.com/errata/RHSA-2019:2828

Comment 29 errata-xmlrpc 2019-09-20 06:30:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:2827 https://access.redhat.com/errata/RHSA-2019:2827

Comment 30 errata-xmlrpc 2019-09-20 06:45:40 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2830 https://access.redhat.com/errata/RHSA-2019:2830

Comment 31 errata-xmlrpc 2019-09-20 07:44:22 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2829 https://access.redhat.com/errata/RHSA-2019:2829

Comment 32 Product Security DevOps Team 2019-09-20 12:45:40 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-14835

Comment 33 errata-xmlrpc 2019-09-21 17:22:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2854 https://access.redhat.com/errata/RHSA-2019:2854

Comment 36 errata-xmlrpc 2019-09-23 09:14:04 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2862 https://access.redhat.com/errata/RHSA-2019:2862

Comment 37 errata-xmlrpc 2019-09-23 09:25:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2019:2863 https://access.redhat.com/errata/RHSA-2019:2863

Comment 38 errata-xmlrpc 2019-09-23 11:10:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2019:2865 https://access.redhat.com/errata/RHSA-2019:2865

Comment 39 errata-xmlrpc 2019-09-23 11:29:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.5 Extended Update Support

Via RHSA-2019:2866 https://access.redhat.com/errata/RHSA-2019:2866

Comment 40 errata-xmlrpc 2019-09-23 11:41:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2019:2864 https://access.redhat.com/errata/RHSA-2019:2864

Comment 41 errata-xmlrpc 2019-09-23 12:32:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.6 Advanced Update Support

Via RHSA-2019:2869 https://access.redhat.com/errata/RHSA-2019:2869

Comment 42 errata-xmlrpc 2019-09-23 12:38:12 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Advanced Update Support
  Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.4 Telco Extended Update Support

Via RHSA-2019:2867 https://access.redhat.com/errata/RHSA-2019:2867

Comment 43 errata-xmlrpc 2019-09-24 12:45:29 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7

Via RHSA-2019:2889 https://access.redhat.com/errata/RHSA-2019:2889

Comment 45 errata-xmlrpc 2019-09-25 12:12:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.5 Advanced Update Support

Via RHSA-2019:2901 https://access.redhat.com/errata/RHSA-2019:2901

Comment 46 errata-xmlrpc 2019-09-25 12:17:26 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.2 Telco Extended Update Support
  Red Hat Enterprise Linux 7.2 Advanced Update Support
  Red Hat Enterprise Linux 7.2 Update Services for SAP Solutions

Via RHSA-2019:2899 https://access.redhat.com/errata/RHSA-2019:2899

Comment 47 errata-xmlrpc 2019-09-25 12:25:05 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.3 Telco Extended Update Support
  Red Hat Enterprise Linux 7.3 Advanced Update Support
  Red Hat Enterprise Linux 7.3 Update Services for SAP Solutions

Via RHSA-2019:2900 https://access.redhat.com/errata/RHSA-2019:2900

Comment 48 errata-xmlrpc 2019-09-27 13:07:38 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4.2 for Red Hat Enterprise Linux 7.6 EUS

Via RHSA-2019:2924 https://access.redhat.com/errata/RHSA-2019:2924