Bug 1750727 (CVE-2019-14835) - CVE-2019-14835 kernel: vhost-net: guest to host kernel escape during migration
Summary: CVE-2019-14835 kernel: vhost-net: guest to host kernel escape during migration
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-14835
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1750869 1750870 1750871 1750872 1750873 1750874 1750875 1750876 1750877 1750878 1750879 1750880 1750881 1750882 1750883 1750884 1750885 1750886 1750887 1750888 1750892 1751435 1751436 1751437 1752525 1752526 1752794
Blocks: 1750783 1751561 1751562 1751563 1751564 1751565 1751566
 
Reported: 2019-09-10 11:27 UTC by msiddiqu
Modified: 2021-02-16 21:23 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A buffer overflow flaw was found in the way the Linux kernel's vhost functionality, which translates virtqueue buffers to IOVs, logged the buffer descriptors during migration. A privileged guest user able to pass descriptors with invalid length to the host when migration is underway could use this flaw to increase their privileges on the host. In the worst-case (and likely most common virtualization) scenario, this flaw affects KVM/qemu hypervisor-enabled hosts running Linux guests.
Clone Of:
Environment:
Last Closed: 2019-09-20 12:45:40 UTC
Embargoed:




Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHBA-2019:2884 | 0 | None | None | None | 2019-09-23 20:19:36 UTC
Red Hat Product Errata | RHBA-2019:2887 | 0 | None | None | None | 2019-09-23 20:44:42 UTC
Red Hat Product Errata | RHBA-2019:2888 | 0 | None | None | None | 2019-09-24 07:34:05 UTC
Red Hat Product Errata | RHBA-2019:2908 | 0 | None | None | None | 2019-09-26 09:50:57 UTC
Red Hat Product Errata | RHBA-2019:2915 | 0 | None | None | None | 2019-09-26 19:39:10 UTC
Red Hat Product Errata | RHBA-2019:2919 | 0 | None | None | None | 2019-09-27 09:22:39 UTC
Red Hat Product Errata | RHBA-2019:2920 | 0 | None | None | None | 2019-09-27 09:22:47 UTC
Red Hat Product Errata | RHBA-2019:2926 | 0 | None | None | None | 2019-09-30 10:34:40 UTC
Red Hat Product Errata | RHSA-2019:2827 | 0 | None | None | None | 2019-09-20 06:30:17 UTC
Red Hat Product Errata | RHSA-2019:2828 | 0 | None | None | None | 2019-09-20 06:26:44 UTC
Red Hat Product Errata | RHSA-2019:2829 | 0 | None | None | None | 2019-09-20 07:45:04 UTC
Red Hat Product Errata | RHSA-2019:2830 | 0 | None | None | None | 2019-09-20 06:45:43 UTC
Red Hat Product Errata | RHSA-2019:2854 | 0 | None | None | None | 2019-09-21 17:22:27 UTC
Red Hat Product Errata | RHSA-2019:2862 | 0 | None | None | None | 2019-09-23 09:14:08 UTC
Red Hat Product Errata | RHSA-2019:2863 | 0 | None | None | None | 2019-09-23 09:25:26 UTC
Red Hat Product Errata | RHSA-2019:2864 | 0 | None | None | None | 2019-09-23 11:41:14 UTC
Red Hat Product Errata | RHSA-2019:2865 | 0 | None | None | None | 2019-09-23 11:10:20 UTC
Red Hat Product Errata | RHSA-2019:2866 | 0 | None | None | None | 2019-09-23 11:29:41 UTC
Red Hat Product Errata | RHSA-2019:2867 | 0 | None | None | None | 2019-09-23 12:38:16 UTC
Red Hat Product Errata | RHSA-2019:2869 | 0 | None | None | None | 2019-09-23 12:32:34 UTC
Red Hat Product Errata | RHSA-2019:2889 | 0 | None | None | None | 2019-09-24 12:45:33 UTC
Red Hat Product Errata | RHSA-2019:2899 | 0 | None | None | None | 2019-09-25 12:17:29 UTC
Red Hat Product Errata | RHSA-2019:2900 | 0 | None | None | None | 2019-09-25 12:25:09 UTC
Red Hat Product Errata | RHSA-2019:2901 | 0 | None | None | None | 2019-09-25 12:12:13 UTC
Red Hat Product Errata | RHSA-2019:2924 | 0 | None | None | None | 2019-09-27 13:07:42 UTC

Description msiddiqu 2019-09-10 11:27:20 UTC
A buffer overflow flaw was found in the way the Linux kernel's vhost functionality, which translates virtqueue buffers to IOVs, logged the buffer descriptors during migration. A privileged guest user able to pass descriptors with invalid length to the host when migration is underway could use this flaw to increase their privileges on the host.

Comment 1 msiddiqu 2019-09-10 11:27:26 UTC
Acknowledgments:

Name: Peter Pi (Tencent Blade Team)

Comment 17 Petr Matousek 2019-09-17 08:57:14 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1752794]

Comment 24 Petr Matousek 2019-09-19 07:18:34 UTC
Statement:

Red Hat Product Security is aware of this issue. Updates will be released as they become available. For additional information, please refer to the Red Hat Knowledgebase article: https://access.redhat.com/security/vulnerabilities/kernel-vhost

Comment 25 Petr Matousek 2019-09-19 07:18:38 UTC
Mitigation:

For mitigation related information, please refer to the Red Hat Knowledgebase article: https://access.redhat.com/security/vulnerabilities/kernel-vhost

Comment 28 errata-xmlrpc 2019-09-20 06:26:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:2828 https://access.redhat.com/errata/RHSA-2019:2828

Comment 29 errata-xmlrpc 2019-09-20 06:30:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:2827 https://access.redhat.com/errata/RHSA-2019:2827

Comment 30 errata-xmlrpc 2019-09-20 06:45:40 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2830 https://access.redhat.com/errata/RHSA-2019:2830

Comment 31 errata-xmlrpc 2019-09-20 07:44:22 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2829 https://access.redhat.com/errata/RHSA-2019:2829

Comment 32 Product Security DevOps Team 2019-09-20 12:45:40 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-14835

Comment 33 errata-xmlrpc 2019-09-21 17:22:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2854 https://access.redhat.com/errata/RHSA-2019:2854

Comment 36 errata-xmlrpc 2019-09-23 09:14:04 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2862 https://access.redhat.com/errata/RHSA-2019:2862

Comment 37 errata-xmlrpc 2019-09-23 09:25:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2019:2863 https://access.redhat.com/errata/RHSA-2019:2863

Comment 38 errata-xmlrpc 2019-09-23 11:10:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2019:2865 https://access.redhat.com/errata/RHSA-2019:2865

Comment 39 errata-xmlrpc 2019-09-23 11:29:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.5 Extended Update Support

Via RHSA-2019:2866 https://access.redhat.com/errata/RHSA-2019:2866

Comment 40 errata-xmlrpc 2019-09-23 11:41:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2019:2864 https://access.redhat.com/errata/RHSA-2019:2864

Comment 41 errata-xmlrpc 2019-09-23 12:32:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.6 Advanced Update Support

Via RHSA-2019:2869 https://access.redhat.com/errata/RHSA-2019:2869

Comment 42 errata-xmlrpc 2019-09-23 12:38:12 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Advanced Update Support
  Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.4 Telco Extended Update Support

Via RHSA-2019:2867 https://access.redhat.com/errata/RHSA-2019:2867

Comment 43 errata-xmlrpc 2019-09-24 12:45:29 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7

Via RHSA-2019:2889 https://access.redhat.com/errata/RHSA-2019:2889

Comment 45 errata-xmlrpc 2019-09-25 12:12:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.5 Advanced Update Support

Via RHSA-2019:2901 https://access.redhat.com/errata/RHSA-2019:2901

Comment 46 errata-xmlrpc 2019-09-25 12:17:26 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.2 Telco Extended Update Support
  Red Hat Enterprise Linux 7.2 Advanced Update Support
  Red Hat Enterprise Linux 7.2 Update Services for SAP Solutions

Via RHSA-2019:2899 https://access.redhat.com/errata/RHSA-2019:2899

Comment 47 errata-xmlrpc 2019-09-25 12:25:05 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.3 Telco Extended Update Support
  Red Hat Enterprise Linux 7.3 Advanced Update Support
  Red Hat Enterprise Linux 7.3 Update Services for SAP Solutions

Via RHSA-2019:2900 https://access.redhat.com/errata/RHSA-2019:2900

Comment 48 errata-xmlrpc 2019-09-27 13:07:38 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4.2 for Red Hat Enterprise Linux 7.6 EUS

Via RHSA-2019:2924 https://access.redhat.com/errata/RHSA-2019:2924

