Description
In the Linux kernel, the following vulnerability has been resolved:
vhost: vringh: Fix copy_to_iter return value check
The return value of copy_to_iter can't be negative, check whether the
copied length is equal to the requested length instead of checking for
negative values.
A flaw was found in the Linux kernel's vhost/vringh component. This vulnerability arises from an improper check of the copy_to_iter() function's return value, which could lead to the system processing partially copied data. A local attacker with access to the vhost/virtio path (such as root or a user in the kvm/vhost group) could exploit this to cause data corruption or trigger a kernel fault, leading to a denial of service.
Statement
The fix corrects an improper check of copy_to_iter() in vringh.c. Since copy_to_iter() never returns a negative value, the old code failed to detect short copies. The new code treats size != translated as an error (-EFAULT). Without the fix, vringh could proceed with partially copied data, risking data corruption and possible kernel faults. Exploitation requires local access to the vhost/virtio path (typically root or membership in kvm/vhost), so the impact is limited to local integrity/availability issues.
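The short-copy condition described above, as an added userspace illustration (not kernel code and not part of the advisory). `struct seg`, `mock_copy_to_iter`, `ring_copy` and `demo` are hypothetical names; `size` and `translated` follow the statement's wording, and the sample buffer is constructed.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
/* Constructed model, not a kernel struct; writable < len = faulting range. */
struct seg { char *base; size_t len; size_t writable; };

/* Userspace stand-in for copy_to_iter(): returns bytes copied, never < 0. */
static size_t mock_copy_to_iter(const char *src, size_t want, struct seg *s)
{
    size_t n = want < s->writable ? want : s->writable;
    memcpy(s->base, src, n);
    return n;
}

/* Returns reported length or -errno; *actual = bytes really written. */
long ring_copy(const char *src, size_t len, struct seg *segs, size_t nsegs,
               int fixed, size_t *actual)
{
    size_t done = 0;
    *actual = 0;
    for (size_t i = 0; i < nsegs && done < len; i++) {
        size_t translated = len - done < segs[i].len ? len - done : segs[i].len;
        size_t size = mock_copy_to_iter(src + done, translated, &segs[i]);
        *actual += size;
        if (!fixed && (long)size < 0)     /* old check: can never fire */
            return (long)size;
        if (fixed && size != translated)  /* new check: short copy fails */
            return -EFAULT;
        done += translated;
    }
    return (long)done;
}

long demo(int fixed, size_t second_writable, size_t *actual)
{
    char a[8], b[8];  /* constructed input: two 8-byte destination ranges */
    struct seg segs[2] = { { a, 8, 8 }, { b, 8, second_writable } };
    return ring_copy("0123456789abcdef", 16, segs, 2, fixed, actual);
}

int main(void)
{
    size_t n;
    long r = demo(0, 3, &n);
    printf("old check: ret=%ld written=%zu\n", r, n);
    r = demo(1, 3, &n);
    printf("new check: ret=%ld written=%zu\n", r, n);
    return 0;
}
```

With the old check the caller is told 16 bytes were delivered although only 11 were written; with the new check the same input returns -EFAULT.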
Mitigation
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.
Affected packages
| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| Red Hat Enterprise Linux 10 | kernel | Affected | ||
| Red Hat Enterprise Linux 6 | kernel | Not affected | ||
| Red Hat Enterprise Linux 7 | kernel | Not affected | ||
| Red Hat Enterprise Linux 7 | kernel-rt | Not affected | ||
| Red Hat Enterprise Linux 8 | kernel | Not affected | ||
| Red Hat Enterprise Linux 8 | kernel-rt | Not affected | ||
| Red Hat Enterprise Linux 9 | kernel | Affected | ||
| Red Hat Enterprise Linux 9 | kernel-rt | Affected | ||
Additional information
Status:
4.7 Medium
CVSS3