A buffer overflow flaw was found in the way Linux kernel's vhost functionality that translates virtqueue buffers to IOVs logged the buffer descriptors during migration. A privileged guest user able to pass descriptors with invalid length to the host when migration is underway, could use this flaw to increase their privileges on the host.
Acknowledgments: Name: Peter Pi (Tencent Blade Team)
Upstream patch: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=060423bfdee3f8bc6e2c1bac97de24d5415e2bc4
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1752794]
External References: https://access.redhat.com/security/vulnerabilities/kernel-vhost https://www.openwall.com/lists/oss-security/2019/09/17/1
Statement: Red Hat Product Security is aware of this issue. Updates will be released as they become available. For additional information, please refer to the Red Hat Knowledgebase article: https://access.redhat.com/security/vulnerabilities/kernel-vhost
Mitigation: For mitigation related information, please refer to the Red Hat Knowledgebase article: https://access.redhat.com/security/vulnerabilities/kernel-vhost
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2019:2828 https://access.redhat.com/errata/RHSA-2019:2828
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2019:2827 https://access.redhat.com/errata/RHSA-2019:2827
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:2830 https://access.redhat.com/errata/RHSA-2019:2830
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:2829 https://access.redhat.com/errata/RHSA-2019:2829
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-14835
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:2854 https://access.redhat.com/errata/RHSA-2019:2854
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:2862 https://access.redhat.com/errata/RHSA-2019:2862
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2019:2863 https://access.redhat.com/errata/RHSA-2019:2863
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.6 Extended Update Support Via RHSA-2019:2865 https://access.redhat.com/errata/RHSA-2019:2865
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.5 Extended Update Support Via RHSA-2019:2866 https://access.redhat.com/errata/RHSA-2019:2866
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.6 Extended Update Support Via RHSA-2019:2864 https://access.redhat.com/errata/RHSA-2019:2864
This issue has been addressed in the following products: Red Hat Enterprise Linux 6.6 Advanced Update Support Via RHSA-2019:2869 https://access.redhat.com/errata/RHSA-2019:2869
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.4 Advanced Update Support Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions Red Hat Enterprise Linux 7.4 Telco Extended Update Support Via RHSA-2019:2867 https://access.redhat.com/errata/RHSA-2019:2867
This issue has been addressed in the following products: Red Hat Virtualization 4 for Red Hat Enterprise Linux 7 Via RHSA-2019:2889 https://access.redhat.com/errata/RHSA-2019:2889
This issue has been addressed in the following products: Red Hat Enterprise Linux 6.5 Advanced Update Support Via RHSA-2019:2901 https://access.redhat.com/errata/RHSA-2019:2901
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.2 Telco Extended Update Support Red Hat Enterprise Linux 7.2 Advanced Update Support Red Hat Enterprise Linux 7.2 Update Services for SAP Solutions Via RHSA-2019:2899 https://access.redhat.com/errata/RHSA-2019:2899
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.3 Telco Extended Update Support Red Hat Enterprise Linux 7.3 Advanced Update Support Red Hat Enterprise Linux 7.3 Update Services for SAP Solutions Via RHSA-2019:2900 https://access.redhat.com/errata/RHSA-2019:2900
This issue has been addressed in the following products: Red Hat Virtualization 4.2 for Red Hat Enterprise Linux 7.6 EUS Via RHSA-2019:2924 https://access.redhat.com/errata/RHSA-2019:2924