An information leak flaw was found in the way segmentation was performed on skbs originated from vhost-net when the zerocopy feature was enabled. Once the source skb is consumed, ubuf destructor is called and potentially releases the corresponding userspace buffers, which can then for example be repurposed, while the destination skb could still be pointing to them.
This issue was discovered by Michael S. Tsirkin of Red Hat.
Upstream patch submission:
Created kernel tracking bugs for this issue:
Affects: fedora-all [bug 1079006]
This issue does not affect Red Hat Enterprise Linux 5 and Red Hat Enterprise MRG 2.
This issue affects the Linux kernel package as shipped with Red Hat Enterprise Linux 6.
Red Hat Product Security has rated this issue as having Low security impact. The risks and engineering effort associated with fixing this bug are greater than its security impact. This issue is not currently planned to be addressed in future kernel updates for Red Hat Enterprise Linux 6. For additional information, refer to the Issue Severity Classification:
kernel-3.13.7-200.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
kernel-3.13.7-100.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
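The buffer-lifetime problem described at the top of this report, as an added userspace model that is not kernel code and not the upstream patch. All struct and function names are hypothetical, the payload strings are constructed, and taking a private copy at segmentation time is an assumed mitigation used only to contrast with borrowing the buffer by reference.

```c
#include <stdio.h>
#include <string.h>

/* Userspace model only; every name here is hypothetical. */
struct ubuf { char data[16]; int released; };      /* buffer owned by userspace */
struct seg  { const char *frag; char priv[16]; };  /* destination segment */
struct pkt  { struct ubuf *ub; void (*destructor)(struct ubuf *); };

/* Runs when the source packet is consumed: userspace is told the buffer
 * is free and (constructed scenario) immediately reuses it for other data. */
static void ubuf_complete(struct ubuf *ub) {
    ub->released = 1;
    strcpy(ub->data, "OTHER-SECRET");
}

/* Flawed pattern: the segment borrows the user buffer by reference. */
static void segment_by_ref(const struct pkt *src, struct seg *dst) {
    dst->frag = src->ub->data;
}

/* Assumed mitigation: copy while the source still owns the buffer. */
static void segment_with_copy(const struct pkt *src, struct seg *dst) {
    strncpy(dst->priv, src->ub->data, sizeof dst->priv - 1);
    dst->priv[sizeof dst->priv - 1] = '\0';
    dst->frag = dst->priv;
}

static void consume(struct pkt *src) {
    if (src->destructor)
        src->destructor(src->ub);
}

/* Returns 1 if the segment still carries the original payload after the
 * source packet has been consumed and its destructor has run, else 0. */
int segment_intact(int use_copy) {
    struct ubuf ub = { "PAYLOAD", 0 };
    struct pkt src = { &ub, ubuf_complete };
    struct seg dst;
    memset(&dst, 0, sizeof dst);
    if (use_copy) segment_with_copy(&src, &dst);
    else          segment_by_ref(&src, &dst);
    consume(&src);
    return strcmp(dst.frag, "PAYLOAD") == 0;
}

int main(void) {
    printf("by reference: intact=%d\n", segment_intact(0));
    printf("with copy:    intact=%d\n", segment_intact(1));
    return 0;
}
```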