ASA-2019-00032 – Linux: Out-of-bounds write in get_rx_bufs() function in drivers/vhost/net.c


Allele Security Alert

ASA-2019-00032

Identifier(s)

ASA-2019-00032, CVE-2018-16880

Title

Out-of-bounds write in get_rx_bufs() function in drivers/vhost/net.c

Vendor(s)

Linux Foundation

Product(s)

Linux

Affected version(s)

Linux releases with the following commit:

Fixed version(s)

Unknown

Proof of concept

Unknown

Description

A flaw was found in the Linux kernel’s handle_rx() function in the vhost_net driver. Under specific conditions, a malicious virtual guest can trigger an out-of-bounds write in a kmalloc-8 slab on a virtual host, which may lead to kernel memory corruption and a system panic. Due to the nature of the flaw, privilege escalation cannot be fully ruled out.

Technical details

Unknown

Credits

Jason Wang (Red Hat)

Reference(s)

Bug 1656472 (CVE-2018-16880) – CVE-2018-16880 kernel: Out of bounds write in get_rx_bufs() function in drivers/vhost/net.c
https://bugzilla.redhat.com/show_bug.cgi?id=1656472

CVE-2018-16880 Linux kernel: oob-write in drivers/vhost/net.c:get_rx_bufs()
https://seclists.org/oss-sec/2019/q1/94

vhost_net: batch used ring update in rx
https://github.com/torvalds/linux/commit/e2b3b35eb9896f26c98b9a2c047d9111638059a2

CVE-2018-16880
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16880

CVE-2018-16880
https://nvd.nist.gov/vuln/detail/CVE-2018-16880

Last modified: February 1, 2019