CVE-2019-14835: kernel: vhost-net: guest to host kernel escape during migration

Bug #1847817 reported by Bruce Jones on 2019-10-11
Affects: StarlingX
Importance: Medium
Assigned to: Robin Lu

Bug Description

Vector: (AV:L/AC:L/Au:N/C:C/I:C/A:C) (V2 legend) [1]
Description: A buffer overflow flaw was found, in versions from 2.6.34 to 5.2.x, in the way the Linux kernel's vhost functionality, which translates virtqueue buffers to IOVs, logged the buffer descriptors during migration. A privileged guest user able to pass descriptors with invalid length to the host while migration is underway could use this flaw to increase their privileges on the host.

From Victor Rodriguez:
This CVE does not match the StarlingX policy since the Attack Vector (AV) = Local instead of Network. However, I might recommend applying the patch since it is already in upstream [3] and the fix is approved by RHEL [2].

[1] https://nvd.nist.gov/vuln/detail/CVE-2019-14835
[2] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14835
[3] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=060423bfdee3f8bc6e2c1bac97de24d5415e2bc4
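The mechanism the description refers to, as an added stand-alone model in C (not kernel code and not the patch in [3]): a chain walk that translates guest descriptors into iov entries and, when a migration dirty log is active, records each host-writable descriptor in a log array sized like the iov array. The model shows the invariant the upstream fix restores, that the log index never runs ahead of the iov count, by making the logging step conditional on the translation having produced at least one entry. The struct names, the single-entry translate_desc() stand-in, the array capacities and the constructed descriptor chain are assumptions, not values from the bug.

```c
/* Simplified model of the vhost descriptor-to-iov translation discussed in
 * CVE-2019-14835. Added illustration: names and helpers mimic the shape of
 * the kernel's chain walk but are assumptions, reduced to what the invariant
 * needs. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_IOV 8           /* capacity of the iov array (constructed) */
#define MAX_LOG MAX_IOV     /* the dirty log is sized like the iov array */
#define VRING_DESC_F_WRITE 2 /* descriptor is host-writable (an "in" buffer) */

/* Guest-controlled virtqueue descriptor (same fields as the real layout). */
struct vring_desc {
    uint64_t addr;
    uint32_t len;
    uint16_t flags;
    uint16_t next;
};

struct iovec_entry { uint64_t base; size_t len; };
struct log_entry   { uint64_t addr; uint32_t len; };

/* Stand-in for the kernel's translate_desc(): one descriptor maps to one
 * iov entry, and a zero-length descriptor maps to none. Returns the number
 * of iov entries produced (0 for len == 0) or -1 when the iov array is full. */
static int translate_desc(uint64_t addr, uint32_t len,
                          struct iovec_entry *iov, int iov_count, int iov_size)
{
    if (len == 0)
        return 0;
    if (iov_count >= iov_size)
        return -1;
    iov[iov_count].base = addr;
    iov[iov_count].len = len;
    return 1;
}

/* Walk a descriptor chain (modelled as an in-order array; the real code
 * follows the 'next' field). When 'log' is non-NULL, migration is underway
 * and every host-writable descriptor is recorded in the dirty log.
 * 'fixed' selects the hardened condition: log only when translation
 * produced entries, so log_num can never exceed in_num.
 * Returns the number of log entries written, or -1 on error. */
static int get_vq_desc(const struct vring_desc *descs, int ndescs,
                       struct iovec_entry *iov, int iov_size,
                       int *in_num, struct log_entry *log, int log_size,
                       int fixed)
{
    int log_num = 0;
    *in_num = 0;
    for (int i = 0; i < ndescs; i++) {
        int ret = translate_desc(descs[i].addr, descs[i].len,
                                 iov, *in_num, iov_size);
        if (ret < 0)
            return -1;
        if (!(descs[i].flags & VRING_DESC_F_WRITE))
            continue;           /* "out" descriptors are never logged */
        *in_num += ret;
        /* Unfixed condition: log whenever a log exists.
         * Fixed condition: log only when ret > 0, i.e. an iov entry was
         * actually added, keeping log_num <= in_num <= iov_size. */
        if (log && (ret || !fixed)) {
            if (log_num >= log_size)
                return -1;      /* model bound so the overrun is visible */
            log[log_num].addr = descs[i].addr;
            log[log_num].len = descs[i].len;
            log_num++;
        }
    }
    return log_num;
}

/* Constructed chain: five zero-length host-writable descriptors followed
 * by one 4096-byte one. Fills in_num/log_num for the chosen mode and
 * returns 0, or -1 if the walk failed. */
static int run_chain(int fixed, int *in_num, int *log_num)
{
    struct vring_desc chain[6];
    struct iovec_entry iov[MAX_IOV];
    struct log_entry log[MAX_LOG];
    for (int i = 0; i < 5; i++)
        chain[i] = (struct vring_desc){ .addr = 0x10000 + 0x1000 * i, .len = 0,
                                        .flags = VRING_DESC_F_WRITE, .next = i + 1 };
    chain[5] = (struct vring_desc){ .addr = 0x20000, .len = 4096,
                                    .flags = VRING_DESC_F_WRITE, .next = 0 };
    *log_num = get_vq_desc(chain, 6, iov, MAX_IOV, in_num, log, MAX_LOG, fixed);
    return *log_num < 0 ? -1 : 0;
}

/* How far the log index runs ahead of the iov count for a given mode. */
static int log_overrun(int fixed)
{
    int in_num, log_num;
    if (run_chain(fixed, &in_num, &log_num) < 0)
        return -1;
    return log_num - in_num;
}

int main(void)
{
    printf("unfixed: log runs %d entries ahead of the iov array\n", log_overrun(0));
    printf("fixed  : log runs %d entries ahead of the iov array\n", log_overrun(1));
    return 0;
}
```

With the unfixed condition the six-descriptor chain yields in_num = 1 but log_num = 6, so a log array sized from the iov capacity is indexed past what in_num justifies; with the fixed condition both counts are 1. The model adds an explicit bound where the kernel relied on the invariant, which is also the check a reviewer would look for when backporting this change to a vendor kernel.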

CVE References

Bruce Jones (brucej) on 2019-10-11
tags: added: stx.security
Ghada Khalil (gkhalil) wrote :

This doesn't meet the fix criteria for StarlingX. Need to discuss in the security meeting if there is something special about this CVE that would make us deal with it as an exception.

Ghada Khalil (gkhalil) on 2019-10-18
description: updated
Ghada Khalil (gkhalil) on 2019-10-21
description: updated
Ghada Khalil (gkhalil) on 2019-10-21
summary: - CVE-2019-14835
+ CVE-2019-14835: kernel: vhost-net: guest to host kernel escape during
+ migration
Bruce Jones (brucej) on 2019-10-21
Changed in starlingx:
importance: Undecided → High
tags: added: stx.3.0
tags: removed: stx.3.0
Changed in starlingx:
importance: High → Medium
Ghada Khalil (gkhalil) on 2019-10-21
Changed in starlingx:
status: New → Triaged
tags: added: stx.3.0
Cindy Xie (xxie1) on 2019-10-22
Changed in starlingx:
assignee: nobody → Cindy Xie (xxie1)
Lin Shuicheng (shuicheng) wrote :

Same as the other kernel issue, there is no new srpm available for CentOS 7.6.
I prefer to cherry-pick the upstream patch onto the current srpm.

Patch link provided by CVE:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=060423bfdee3f8bc6e2c1bac97de24d5415e2bc4

Issue tracked in RedHat's bug system:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14835

Lin Shuicheng (shuicheng) wrote :

This CVE is fixed in the srpms below for CentOS 7.7:
std kernel: kernel-3.10.0-1062.1.2.el7.src.rpm
https://access.redhat.com/errata/RHSA-2019:2829
rt kernel: kernel-rt-3.10.0-1062.1.2.rt56.1025.el7.src.rpm
https://access.redhat.com/errata/RHSA-2019:2830

We will upgrade kernel to this version to fix the CVE issue.

Sounds like a good plan; let me know if you need help testing the kernel.

Robin Lu (robinlu) on 2019-11-18
Changed in starlingx:
assignee: Cindy Xie (xxie1) → Robin Lu (robinlu)
Ghada Khalil (gkhalil) on 2019-11-22
information type: Private Security → Public Security
Changed in starlingx:
status: Triaged → In Progress