Changes between Initial Version and Version 1 of Ticket #4528, comment 1
Timestamp: 09/21/2019 02:42:48 PM (5 years ago)
Author: Bruce Dubbs

Legend: unmarked = Unmodified, + = Added, - = Removed, ~ = Modified
  • Ticket #4528, comment 1

    initial  v1
    4        4      Vendor:
    5        5      Versions affected:
    6             - It looks like this vulnerability was introduced in this commit https://github.com/torvalds/linux/commit/3a4d5c94e959359ece6d6b55045c3f046677f55c,
             6    + It looks like this vulnerability was introduced in this commit
             7    + https://github.com/torvalds/linux/commit/3a4d5c94e959359ece6d6b55045c3f046677f55c,
    7        8      from kernel version 2.6.34 and fixed in latest stable kernel 5.3.
    8             -
             9    + }}}
    9        10     Tencent Blade Team discovered a QEMU-KVM Guest to Host Kernel Escape Vulnerability which is in vhost/vhost_net kernel module.
    10       11
    …
    22       23
    23       24     In get_indirect, there is the log buffer overflow bug can be triggered as comments below:
    24            -
             25   + {{{
    25       26     static int get_indirect(struct vhost_virtqueue *vq,
    26       27                             struct iovec iov[], unsigned int iov_size,
    …
    120      121            return 0;
    121      122    }
    122           -
             123  + }}}
    123      124    Function vhost_get_vq_desc also has above while loop which may cause log buffer overflow.
    124           -
             125  + {{{
    125      126    Mitigation:
    126      127    update to latest stable kernel 5.3 or apply the upstream patch.
    …
    128      129    https://github.com/torvalds/linux/commit/060423bfdee3f8bc6e2c1bac97de24d5415e2bc4
    129      130    https://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost.git/commit/?h=for_linus&id=060423bfdee3f8bc6e2c1bac97de24d5415e2bc4
    130           -
             131  + }}}
    131      132    About the Poof of concept:
    132      133    We(Tencent Blade Team) plan to publish simple reproduce steps of this vulnerability about a week later.
    …
    137      138    ---
    138      139    Cradmin of Tencent Blade Team
    139           - }}}
             140  +