Bug 2240561 (CVE-2023-5158) - CVE-2023-5158 kernel: Possible DOS from guest to host in vringh_kiov_advance in vhost driver at drivers/vhost/vringh.c
Keywords:
Status: NEW
Alias: CVE-2023-5158
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2240260
Reported: 2023-09-25 09:20 UTC by Rohit Keshri
Modified: 2023-10-11 07:35 UTC (History)

Fixed In Version: kernel 5.13-rc1
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in vringh_kiov_advance in drivers/vhost/vringh.c, in the host side of a virtio ring in the Linux kernel. This issue may result in a denial of service from guest to host via a zero-length descriptor.
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Rohit Keshri 2023-09-25 09:20:47 UTC
A possible DOS from guest to host via a zero-length descriptor. This is because currently vringh_kiov_advance() does something like this:

            while (len && iov->i < iov->used) {
                    ...
                    if (!iov->iov[iov->i].iov_len) {
                            ...
                            iov->i++;
                    }
            }

When the length of the descriptor is zero, we miss the chance to advance iov->i.

The fix is to revert b8c06ad4d67db56ed6bdfb685c134da74e92a2c7 ("vringh: implement vringh_kiov_advance()").
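A user-space model of the loop above, added here as an illustration and not part of this report or of the kernel source: it pushes a constructed three-descriptor chain ("abc", a zero-length entry, "de") through the buggy form and the fixed form, so the zero-length case can be watched without a kernel. The struct and function names are made up for the model; the buggy path assumes vringh_iov_xfer() delegated its per-element bookkeeping to vringh_kiov_advance(), which is what the partial revert in comment 6 undoes.

```c
/* Added user-space model of the loop described in this report (not kernel code);
 * the descriptor chain is constructed: "abc", a zero-length entry, "de". */
#include <string.h>

struct kvec_m { char *iov_base; size_t iov_len; };
struct kiov_m { struct kvec_m *iov; size_t i, used, consumed; };

/* Bookkeeping for one element; steps iov->i when it is exhausted, even if its length was 0. */
static void consume(struct kiov_m *iov, size_t partlen) {
    struct kvec_m *v = &iov->iov[iov->i];
    iov->consumed += partlen;
    v->iov_len -= partlen; v->iov_base += partlen;
    if (!v->iov_len) {
        v->iov_len = iov->consumed; v->iov_base -= iov->consumed;  /* restore element */
        iov->consumed = 0; iov->i++;
    }
}

/* Same shape as the loop quoted above: with len == 0 the body never runs and iov->i stays put. */
static void kiov_advance(struct kiov_m *iov, size_t len) {
    while (len && iov->i < iov->used) {
        size_t avail = iov->iov[iov->i].iov_len, partlen = avail < len ? avail : len;
        consume(iov, partlen);
        len -= partlen;
    }
}

/* Returns bytes copied, or -1 once the loop stops making progress (the host hang this bug describes). */
static long xfer_model(struct kiov_m *iov, char *dst, size_t len, int buggy) {
    long done = 0; int iters = 0;
    while (len && iov->i < iov->used) {
        struct kvec_m *v = &iov->iov[iov->i];
        size_t partlen = v->iov_len < len ? v->iov_len : len;
        if (++iters > 1000) return -1;  /* bound so the model terminates; the kernel loop has none */
        memcpy(dst, v->iov_base, partlen);
        done += partlen; len -= partlen; dst += partlen;
        if (buggy)
            kiov_advance(iov, partlen);  /* partlen == 0: no progress, same element again */
        else
            consume(iov, partlen);       /* fixed form: the element is stepped even for 0 bytes */
    }
    return done;
}

long run_model(int buggy, char *out, size_t outlen) {
    char a[] = "abc", z[] = "", d[] = "de";
    struct kvec_m vec[3] = { { a, 3 }, { z, 0 }, { d, 2 } };
    struct kiov_m iov = { vec, 0, 3, 0 };
    return xfer_model(&iov, out, outlen, buggy);
}
```

Requesting only the first 3 bytes never reaches the zero-length element, so both variants return 3; requesting more than that makes the buggy variant spin on element 1 while the fixed one returns all 5 bytes.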

Comment 6 Stefano Garzarella 2023-09-25 12:52:22 UTC
(In reply to Rohit Keshri from comment #0)
> 
> The fix is to revert b8c06ad4d67db56ed6bdfb685c134da74e92a2c7 ("vringh:
> implement vringh_kiov_advance()").

We use vringh_kiov_advance() also in vdpa-sim-blk, so we can't just revert that patch.
So I just posted a patch reverting only the changes in vringh_iov_xfer() that should fix the issue reported in this BZ:

https://lore.kernel.org/virtualization/20230925103057.104541-1-sgarzare@redhat.com/T/#u

Comment 7 Salvatore Bonaccorso 2023-09-25 20:49:37 UTC
The Bugzilla entry mentions "Fixed In Version: kernel 5.13-rc1" but that should rather be that this version is introducing the issue.

Comment 8 Rohit Keshri 2023-09-27 18:38:29 UTC
In reply to comment #7:
> The Bugzilla entry mentions "Fixed In Version: kernel 5.13-rc1" but that
> should rather be that this version is introducing the issue.

Thanks Carnil for the correction.

$ git describe --contains  b8c06ad4d67db56ed6bdfb685c134da74e92a2c7
v5.13-rc1~42^2~14

This is the patch that possibly introduces the DOS.

Comment 9 Stefano Garzarella 2023-10-11 07:35:34 UTC
The patch mentioned in comment 6 is now merged upstream and in stable branches: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7aed44babc7f97e82b38e9a68515e699692cc100
