A flaw was found in the Linux kernel in the handle_rx() function in the [vhost_net] driver. A malicious virtual guest, under specific conditions, can trigger an out-of-bounds write in a kmalloc-8 slab on the virtual host, which may lead to kernel memory corruption and a system panic. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely.
The suggested patch:
Name: Jason Wang (Red Hat)
Notes on the flaw's impact:
> Is this guest triggerable (guest -> host) or host -> host?
A VM guest can trigger an OOB write on a host, but it requires a large network packet to be received for it.
> What is overwritten?
A kmalloc-8 slab on a VM host.
> What's the minimum and maximum size of the out-of-bounds write?
From 8 bytes (sizeof(vring_used_elem)) to 504 bytes (63 * sizeof(vring_used_elem)).
> Does the attacker control the data that are written and, if yes, to which degree?
The attacker cannot directly control the data.
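The write sizes quoted above follow from how many already-batched entries sit in front of the write when a receive step is allowed to fill the whole array. The C program below is an added illustration, not code from the vhost_net driver or from the suggested patch: it models an array of 8-byte entries (sizeof(vring_used_elem), as the report gives it) inside a flat byte arena, with a constructed capacity of 64 entries, a hypothetical done_idx counting entries already batched, and a quota that one receive step may fill. With the quota left at full capacity the model writes 8 to 504 bytes past the array, reproducing the report's range; with the quota limited to the remaining room it never writes past it. The names rx_model, done_idx, quota_unbounded, quota_bounded, receive and overrun_for are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration only; not the vhost_net driver's code or the suggested patch. */
#define ELEM_SIZE      8u    /* sizeof(vring_used_elem), as stated in the report */
#define HEADS_CAPACITY 64u   /* constructed: entries the heads array can hold */
#define HEADS_BYTES    (HEADS_CAPACITY * ELEM_SIZE)
#define ARENA_SIZE     (HEADS_BYTES + 512u) /* heads[] plus a tail region standing in for the neighbouring slab object */

/* Hypothetical receive-side state: heads[] occupies the start of the arena. */
struct rx_model {
    uint8_t arena[ARENA_SIZE];
    size_t done_idx;   /* entries already batched into heads[] but not yet flushed */
};

static void model_init(struct rx_model *m, size_t already_batched) {
    memset(m->arena, 0, sizeof m->arena);   /* tail region zeroed: any nonzero byte there is an overrun */
    m->done_idx = already_batched;
}

/* Careless quota: the whole array, ignoring entries already batched. */
static size_t quota_unbounded(const struct rx_model *m) {
    (void)m;
    return HEADS_CAPACITY;
}

/* Safe quota: only the room left after the batched entries. */
static size_t quota_bounded(const struct rx_model *m) {
    return m->done_idx >= HEADS_CAPACITY ? 0 : HEADS_CAPACITY - m->done_idx;
}

/* One receive step for a packet needing 'needed' descriptors: writes
 * min(needed, quota) entries starting at done_idx and returns how many
 * bytes landed beyond heads[]. The arena is sized so that the model
 * itself stays in bounds even in the overrun case. */
static size_t receive(struct rx_model *m, size_t needed, size_t quota) {
    size_t count = needed < quota ? needed : quota;
    size_t start = m->done_idx * ELEM_SIZE;
    size_t end = start + count * ELEM_SIZE;
    if (end > sizeof m->arena)
        end = sizeof m->arena;
    for (size_t off = start; off < end; off += ELEM_SIZE)
        memset(&m->arena[off], 0xEE, ELEM_SIZE);   /* constructed marker entry */
    m->done_idx += count;
    return end > HEADS_BYTES ? end - HEADS_BYTES : 0;
}

/* Counts marker bytes that ended up past heads[]. */
static size_t bytes_past_heads(const struct rx_model *m) {
    size_t n = 0;
    for (size_t off = HEADS_BYTES; off < sizeof m->arena; off++)
        if (m->arena[off] != 0)
            n++;
    return n;
}

/* Runs one scenario: 'already_batched' entries in front, a packet needing
 * 'needed' descriptors, and either the careless or the safe quota.
 * Returns the overrun in bytes. */
static size_t overrun_for(size_t already_batched, size_t needed, int bounded) {
    struct rx_model m;
    model_init(&m, already_batched);
    size_t quota = bounded ? quota_bounded(&m) : quota_unbounded(&m);
    receive(&m, needed, quota);
    return bytes_past_heads(&m);
}

int main(void) {
    printf("unbounded quota, 1 batched:  %zu bytes past heads[]\n", overrun_for(1, HEADS_CAPACITY, 0));
    printf("unbounded quota, 63 batched: %zu bytes past heads[]\n", overrun_for(63, HEADS_CAPACITY, 0));
    printf("bounded quota,   63 batched: %zu bytes past heads[]\n", overrun_for(63, HEADS_CAPACITY, 1));
    return 0;
}
```

The two quota functions are the point of the model: a quota computed from the array's full size is only correct when nothing has been batched yet, while a quota derived from the remaining room keeps every receive step inside the array regardless of how many entries are already pending. The 8-byte minimum corresponds to one batched entry in front of a full-size write, the 504-byte maximum to 63 of them.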
Created kernel tracking bugs for this issue:
Affects: fedora-all [bug 1669545]