Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 694600 (CVE-2019-14835) - QEMU-KVM Guest to Host Kernel Escape Vulnerability: vhost/vhost_net kernel buffer overflow
Summary: QEMU-KVM Guest to Host Kernel Escape Vulnerability: vhost/vhost_net kernel bu...
Status: CONFIRMED
Alias: CVE-2019-14835
Product: Gentoo Security
Classification: Unclassified
Component: Kernel (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Kernel Security
URL: https://www.openwall.com/lists/oss-se...
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-09-17 08:44 UTC by Agostino Sarubbo
Modified: 2020-04-18 19:19 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2019-09-17 08:44:34 UTC
Severity: Important
Vendor:
Versions affected: 
It looks like this vulnerability was introduced in this commit https://github.com/torvalds/linux/commit/3a4d5c94e959359ece6d6b55045c3f046677f55c,
from kernel version 2.6.34 and fixed in latest stable kernel 5.3.

Tencent Blade Team discovered a QEMU-KVM Guest to Host Kernel Escape Vulnerability which is in vhost/vhost_net kernel module.

Description:

The vulnerability is in vhost/vhost_net kernel module, vhost/vhost_net is a virtio network backend.

The bug happens in the live migrate flow, when migrating, QEMU needs to know the dirty pages, vhost/vhost_net uses a kernel buffer to record the dirty log, but it doesn't check the bounds of the log buffer.
So we can forge the desc table in guest, wait for migrate or doing something (like increase host machine workload or combine a mem leak bug, depends on vendor’s migrate schedule policy) to trigger cloud vendor to migrate this guest. 
When the guest migrating, it will make the host kernel log buffer overflow.

The vulnerable call path is :  handle_rx(drivers/vhost/net.c) -> get_rx_bufs -> vhost_get_vq_desc -> get_indirect(drivers/vhost/vhost.c)

In VM guest, attack can make a indirect desc table in VM driver to let vhost to enter above call path when live migrates the VM, finally to enter into function get_indirect.

In get_indirect, there is the log buffer overflow bug can be triggered as comments below:
[snip]
Mitigation:
update to latest stable kernel 5.3 or apply the upstream patch.
upstream patch: 
https://github.com/torvalds/linux/commit/060423bfdee3f8bc6e2c1bac97de24d5415e2bc4
https://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost.git/commit/?h=for_linus&id=060423bfdee3f8bc6e2c1bac97de24d5415e2bc4

About the Poof of concept:
We(Tencent Blade Team) plan to publish simple reproduce steps of this vulnerability about a week later.

Credit:
The vulnerability was discovered by Peter Pi of Tencent Blade Team
Comment 1 Thomas Deutschmann gentoo-dev Security 2019-10-10 22:17:20 UTC
Fix is present in

>=sys-kernel/gentoo-sources-4.19.73
>=sys-kernel/gentoo-sources-4.14.144
>=sys-kernel/gentoo-sources-4.9.193
>=sys-kernel/gentoo-sources-4.4.193
Comment 2 Matthias Maier gentoo-dev 2020-04-18 19:19:42 UTC
@security: *ping*