A flaw was found in the Linux kernel in the handle_rx() function in the [vhost_net] driver. A malicious virtual guest under specific conditions can trigger an out-of-bounds write in a kmalloc-8 slab on a virtual host which may lead to a kernel memory corruption and a system panic. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely.

References:
https://seclists.org/oss-sec/2019/q1/94

Introducing commits:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e2b3b35eb9896f26c98b9a2c047d9111638059a2
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f5a4941aa6d190e676065e8f4ed35999f52a01c3

The suggested patch:
https://lore.kernel.org/netdev/20190128070505.18335-1-jasowang@redhat.com/T/#u
https://marc.info/?t=154865913700007&r=1&w=2
Acknowledgements:
Name: Jason Wang (Red Hat)
Notes on the flaw's impact:

> Is this guest triggerable (guest -> host) or host -> host?

A VM guest can trigger an OOB write on a host, but it requires a large network packet to be received for it.

> What is overwritten?

kmalloc-8 slab on a VM host.

> What's the minimum and maximum size of the out-of-bounds write?

From 8 bytes (sizeof vring_used_elem) to 504 bytes (63 * sizeof(vring_used_elem)).

> Does the attacker control the data that are written and, if yes, to which degree?

The attacker cannot directly control the data.
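As an added illustration, not code from the advisory, the kernel, or the patch, the following C model shows how an unreduced "quota" for batched used-ring heads produces exactly the 8 to 504 byte range quoted above. The batching reading of the introducing commits, the array sizes and the two quota functions are assumptions of this model, chosen so that a batch of up to 63 pending 8-byte heads reproduces those bounds.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified model of a receive path that batches "used" descriptor heads
 * in a fixed array and flushes them once the batch fills (constructed
 * example; the sizes below are assumptions, not the kernel's own values). */
#define HEADS_CAPACITY 1024   /* entries in the heads array */
#define BATCH_LIMIT    64     /* batched heads are flushed at this count */
#define HEAD_SIZE      8      /* sizeof(struct vring_used_elem) */

struct rx_model {
    unsigned int done_idx;    /* heads already batched, not yet flushed */
};

/* Vulnerable quota: ignores the heads already occupying the array. */
static unsigned int quota_vulnerable(const struct rx_model *m)
{
    (void)m;
    return HEADS_CAPACITY;
}

/* Fixed quota: only the remaining free entries may be used. */
static unsigned int quota_fixed(const struct rx_model *m)
{
    return HEADS_CAPACITY - m->done_idx;
}

/* Bytes that would land past the end of the heads array when a packet
 * needs `needed` heads and the gathering step is capped at `quota`. */
unsigned int oob_bytes(unsigned int done_idx, unsigned int needed,
                       unsigned int quota)
{
    unsigned int headcount = needed < quota ? needed : quota;
    unsigned int end = done_idx + headcount;
    return end > HEADS_CAPACITY ? (end - HEADS_CAPACITY) * HEAD_SIZE : 0;
}

/* Worst case: the batch is one entry short of a flush (63 pending heads)
 * and the next packet wants every head the quota allows. */
unsigned int worst_case_oob(int use_fix)
{
    struct rx_model m = { .done_idx = BATCH_LIMIT - 1 };
    unsigned int quota = use_fix ? quota_fixed(&m) : quota_vulnerable(&m);
    return oob_bytes(m.done_idx, HEADS_CAPACITY, quota);
}

int main(void)
{
    printf("vulnerable: %u bytes OOB, fixed: %u bytes OOB\n",
           worst_case_oob(0), worst_case_oob(1));
    return 0;
}
```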
Created kernel tracking bugs for this issue:
Affects: fedora-all [bug 1669545]