Описание
In the Linux kernel, the following vulnerability has been resolved: vhost: vringh: Modify the return value check The return value of copy_from_iter and copy_to_iter can't be negative, check whether the copied lengths are equal.
Отчет
vringh incorrectly treated copy_from_iter() as potentially negative and only checked ret < 0. Since copy_from_iter() returns the number of bytes copied (non-negative), short/partial copies were falsely accepted, risking use of incomplete data and subsequent corruption/instability. The fix checks size != translated and returns -EFAULT on mismatch, properly handling faults/short copies in the vhost IOTLB translation path. Exploitation requires local access to the vhost/virtio datapath — i.e. a process that can open and interact with /dev/vhost-* or /dev/kvm. On typical systems this means the attacker must be root or a member of the kvm group. If vhost or kvm not being used, then ordinary unprivileged users do not have access by default.
Меры по смягчению последствий
To mitigate this issue, prevent module vringh from being loaded. Please see https://access.redhat.com/solutions/41278 for how to blacklist a kernel module to prevent it from loading automatically.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 10 | kernel | Fix deferred | ||
| Red Hat Enterprise Linux 6 | kernel | Not affected | ||
| Red Hat Enterprise Linux 7 | kernel | Not affected | ||
| Red Hat Enterprise Linux 7 | kernel-rt | Not affected | ||
| Red Hat Enterprise Linux 8 | kernel | Not affected | ||
| Red Hat Enterprise Linux 8 | kernel-rt | Not affected | ||
| Red Hat Enterprise Linux 9 | kernel | Fix deferred | ||
| Red Hat Enterprise Linux 9 | kernel-rt | Fix deferred |
Показывать по
Дополнительная информация
Статус:
5.5 Medium
CVSS3
Связанные уязвимости
In the Linux kernel, the following vulnerability has been resolved: vhost: vringh: Modify the return value check The return value of copy_from_iter and copy_to_iter can't be negative, check whether the copied lengths are equal.
In the Linux kernel, the following vulnerability has been resolved: vhost: vringh: Modify the return value check The return value of copy_from_iter and copy_to_iter can't be negative, check whether the copied lengths are equal.
In the Linux kernel, the following vulnerability has been resolved: v ...
In the Linux kernel, the following vulnerability has been resolved: vhost: vringh: Modify the return value check The return value of copy_from_iter and copy_to_iter can't be negative, check whether the copied lengths are equal.
5.5 Medium
CVSS3