Bug 1656472 (CVE-2018-16880) - CVE-2018-16880 kernel: Out of bounds write in get_rx_bufs() function in drivers/vhost/net.c
Status: NEW
Alias: CVE-2018-16880
Product: Security Response
Classification: Other
Component: vulnerability   
Version: unspecified
Hardware: All Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
Whiteboard: impact=important,public=20190125,repo...
Keywords: Security
Depends On: 1668665 1668666 1669545
Blocks: 1656474
Reported: 2018-12-05 15:22 UTC by Pedro Sampaio
Modified: 2019-02-08 15:01 UTC

Doc Text:
A flaw was found in the Linux kernel's handle_rx() function in the [vhost_net] driver. A malicious virtual guest, under specific conditions, can trigger an out-of-bounds write in a kmalloc-8 slab on a virtual host which may lead to a kernel memory corruption and a system panic. Due to the nature of the flaw, privilege escalation cannot be fully ruled out.

Description Pedro Sampaio 2018-12-05 15:22:09 UTC
A flaw was found in the Linux kernel in the handle_rx() function in the [vhost_net] driver. A malicious virtual guest under specific conditions can trigger an out-of-bounds write in a kmalloc-8 slab on a virtual host which may lead to a kernel memory corruption and a system panic. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely.

References:

https://seclists.org/oss-sec/2019/q1/94

Introducing commits:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e2b3b35eb9896f26c98b9a2c047d9111638059a2

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f5a4941aa6d190e676065e8f4ed35999f52a01c3

The suggested patch:

https://lore.kernel.org/netdev/20190128070505.18335-1-jasowang@redhat.com/T/#u

https://marc.info/?t=154865913700007&r=1&w=2

Comment 2 Vladis Dronov 2018-12-13 15:12:33 UTC
Acknowledgements:

Name: Jason Wang (Red Hat)

Comment 4 Vladis Dronov 2018-12-13 16:02:58 UTC
Notes on the flaw's impact:

> is this guest triggerable (guest -> host) or host -> host?

a vm guest can trigger an oob-write on a host but requires a large network packet to be received for it.

> what is overwritten?

kmalloc-8 slab on a vm host.

> what's the minimum and maximum size of the out-of-bound write?

from 8 bytes (sizeof vring_used_elem) to 504 bytes (63 * sizeof(vring_used_elem))

> does the attacker control the data that are written and if yes, to which degree?

attacker can not directly control the data.

Comment 6 Vladis Dronov 2019-01-25 15:47:53 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1669545]

