Bug 1817718 (CVE-2020-10942) - CVE-2020-10942 kernel: vhost-net: stack overflow in get_raw_socket while checking sk_family field
Status: CLOSED ERRATA
Alias: CVE-2020-10942
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 1817719 1823299 1823300 1823301 1823302 1823303 1823304
Blocks: 1816523 1817720
Reported: 2020-03-26 19:31 UTC by Pedro Sampaio
Modified: 2024-03-25 15:46 UTC

Fixed In Version: kernel-5.5.8
Doc Type: If docs needed, set a value
Doc Text:
A stack buffer overflow issue was found in the get_raw_socket() routine of the Host kernel accelerator for virtio net (vhost-net) driver. It could occur while doing an ioctl(VHOST_NET_SET_BACKEND) call and retrieving the socket name into a kernel stack variable via get_raw_socket(). A user able to perform ioctl(2) calls on the '/dev/vhost-net' device may use this flaw to crash the kernel, resulting in a denial of service.
Last Closed: 2020-09-29 22:00:28 UTC

Links (Red Hat Product Errata, with last-updated time):

Red Hat Product Errata RHBA-2020:4416 (last updated 2020-10-29 15:10:23 UTC)
Red Hat Product Errata RHBA-2020:4417 (last updated 2020-10-29 15:08:52 UTC)
Red Hat Product Errata RHBA-2020:4418 (last updated 2020-10-29 15:14:16 UTC)
Red Hat Product Errata RHBA-2020:4419 (last updated 2020-10-29 15:12:41 UTC)
Red Hat Product Errata RHBA-2020:4420 (last updated 2020-10-29 15:51:34 UTC)
Red Hat Product Errata RHSA-2020:4060 (last updated 2020-09-29 20:53:44 UTC)
Red Hat Product Errata RHSA-2020:4062 (last updated 2020-09-29 18:59:29 UTC)
Red Hat Product Errata RHSA-2020:4431 (last updated 2020-11-04 00:50:35 UTC)
Red Hat Product Errata RHSA-2020:4609 (last updated 2020-11-04 02:22:51 UTC)

Description Pedro Sampaio 2020-03-26 19:31:19 UTC
In the Linux kernel before 5.5.8, get_raw_socket in drivers/vhost/net.c lacks
validation of an sk_family field, which might allow attackers to trigger kernel
stack corruption via crafted system calls.

Upstream patch:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=42d84c8490f9f0931786f1623191fcab397c3d64

References:

https://lkml.org/lkml/2020/2/15/125
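
The check-ordering problem behind this bug, reduced to a constructed user-space C model (added here; it is neither kernel code nor the upstream patch): the pre-fix path copies the socket address into a fixed-size stack buffer and only then inspects the family, while the fixed path reads the family from the socket itself and rejects non-AF_PACKET sockets before any copy happens. The sock_m struct, AF_OTHER_M, STACK_BUF_LEN and the clamped getname_m() are assumptions of the model, chosen so the program stays memory-safe while still reporting where the real kernel would have overrun its stack.

```c
/* Constructed user-space model of the get_raw_socket() check ordering; not kernel code. */
#include <errno.h>
#include <string.h>
#define AF_PACKET_M    17   /* stands in for AF_PACKET */
#define AF_OTHER_M     99   /* constructed family whose address is longer than the buffer */
#define STACK_BUF_LEN  20   /* fixed-size stack buffer, like the address union in the old code */

struct sock_m {             /* constructed stand-in for the kernel socket */
    int family;             /* models sock->sk->sk_family */
    int addr_len;           /* bytes this family's getname() writes */
    const char *addr;       /* constructed address bytes; addr[0] carries the family */
};

/* Model of sock->ops->getname(): the kernel one gets no buffer length and writes the whole
 * address. The copy is clamped here for memory safety; the full length is still returned. */
static int getname_m(const struct sock_m *sk, char *buf, size_t buflen)
{
    size_t n = (size_t)sk->addr_len < buflen ? (size_t)sk->addr_len : buflen;
    memcpy(buf, sk->addr, n);
    return sk->addr_len;
}

/* Pre-fix ordering: the family is only learned after getname() has written into the
 * stack buffer, so the check comes too late when the address is larger than expected. */
int get_raw_socket_before(const struct sock_m *sk)
{
    char uaddr[STACK_BUF_LEN];
    int written = getname_m(sk, uaddr, sizeof uaddr);
    if (written > (int)sizeof uaddr)
        return -EOVERFLOW;   /* model marker: a real kernel has already overrun its stack here */
    if ((unsigned char)uaddr[0] != AF_PACKET_M)
        return -EPFNOSUPPORT;
    return 0;
}

/* Post-fix ordering: read the family from the socket itself and reject early,
 * so nothing is ever copied onto the stack. */
int get_raw_socket_after(const struct sock_m *sk)
{
    if (sk->family != AF_PACKET_M)
        return -EPFNOSUPPORT;
    return 0;
}

/* Constructed samples: a 20-byte AF_PACKET address and a 40-byte address of another family. */
static const char PACKET_ADDR[STACK_BUF_LEN]    = { AF_PACKET_M };
static const char OTHER_ADDR[2 * STACK_BUF_LEN] = { AF_OTHER_M };
const struct sock_m PACKET_SOCK = { AF_PACKET_M, sizeof PACKET_ADDR, PACKET_ADDR };
const struct sock_m OTHER_SOCK  = { AF_OTHER_M,  sizeof OTHER_ADDR,  OTHER_ADDR };
```

The AF_PACKET sample passes both versions; the oversized sample is only rejected cleanly by the post-fix version, while the pre-fix version reaches the point where a real kernel's stack canary would fire.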

Comment 1 Pedro Sampaio 2020-03-26 19:31:58 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1817719]

Comment 2 Justin M. Forbes 2020-03-26 21:59:53 UTC
This was fixed for Fedora with the 5.5.8 stable kernel updates.

Comment 3 Prasad Pandit 2020-04-13 08:14:01 UTC
Statement:

This issue does not affect the kernel package as shipped with the Red Hat Enterprise Linux 5 and Red Hat Enterprise MRG 2.
This issue affects the kernel package as shipped with the Red Hat Enterprise Linux 6, 7 and 8. Future kernel updates for Red Hat Enterprise Linux 6, 7 and 8 may address this issue.

It is rated to have Low impact because it is quite difficult/unlikely to be triggered by a guest (or even host) user. In case it does happen, like in the upstream report, the stack overflow shall hit the stack canaries, resulting in DoS by crashing the kernel.

Comment 5 errata-xmlrpc 2020-09-29 18:59:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:4062 https://access.redhat.com/errata/RHSA-2020:4062

Comment 6 errata-xmlrpc 2020-09-29 20:53:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:4060 https://access.redhat.com/errata/RHSA-2020:4060

Comment 7 Product Security DevOps Team 2020-09-29 22:00:28 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-10942

Comment 23 errata-xmlrpc 2020-11-04 00:50:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4431 https://access.redhat.com/errata/RHSA-2020:4431

Comment 24 errata-xmlrpc 2020-11-04 02:22:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4609 https://access.redhat.com/errata/RHSA-2020:4609
