A flaw was found in the Linux kernel that allows the userspace to call memcpy_fromiovecend() and similar functions with a zero offset and buffer length which causes the read beyond the buffer boundaries, in certain cases causing a memory access fault and a system halt by accessing invalid memory address. Note: this is a RHEL-only bug.
Acknowledgments: Name: Paolo Abeni (Red Hat)
Any more information on this? Fixing commit and/or introducing commit?
(In reply to Nicholas Luedtke from comment #3) > Any more information on this? Fixing commit and/or introducing commit? Hello, Nicholas, I apologize for not mentioning previously that this is a RHEL-only bug. This specific bug is indirectly fixed upstream by UFO removal, and the buggy memcpy_fromiovecend() (and related functions) are fixed by: commit 21226abb4e9f14d88238964d89b279e461ddc30c Author: Al Viro <viro.org.uk> Date: Fri Nov 28 15:48:29 2014 -0500 net: switch memcpy_fromiovec()/memcpy_fromiovecend() users to copy_from_iter()
JFYI https://bugzilla.redhat.com/show_bug.cgi?id=1661503 https://lists.openvz.org/pipermail/devel/2018-December/072970.html
(In reply to Pavel Tikhomirov from comment #7) > JFYI https://bugzilla.redhat.com/show_bug.cgi?id=1661503 > https://lists.openvz.org/pipermail/devel/2018-December/072970.html Sorry for inconvenience, I meant https://bugzilla.redhat.com/show_bug.cgi?id=1659451, but accidentally missed, we have similar issue where. And https://lists.openvz.org/pipermail/devel/2018-December/072970.html is a possible fix for it.
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:2029 https://access.redhat.com/errata/RHSA-2019:2029
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:2043 https://access.redhat.com/errata/RHSA-2019:2043
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2018-16885