CVE-2019-14835 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

Severity: 78%

Complexity: 18%

Confidentiality: 98%

A buffer overflow flaw was found in Linux kernel versions 2.6.34 through 5.2.x in the way the kernel's vhost functionality, which translates virtqueue buffers to IOVs, logged the buffer descriptors during migration. A privileged guest user able to pass descriptors with an invalid length to the host while migration is underway could use this flaw to increase their privileges on the host.

CVSS 3.1 Base Score 7.8. CVSS Attack Vector: local. CVSS Attack Complexity: low. CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

CVSS 2.0 Base Score 7.2. CVSS Attack Vector: local. CVSS Attack Complexity: low. CVSS Vector: (AV:L/AC:L/Au:N/C:C/I:C/A:C).
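Added here as an illustration, not the Linux kernel's code: a simplified C model of the pattern the description above refers to, a fixed-size array that logs translated buffer descriptors. log_descs_unchecked() trusts the descriptor count and lengths it is handed, so a chain longer than the array overruns it; log_descs_checked() verifies remaining capacity and every descriptor's length before it writes anything, and leaves the log untouched when it rejects a chain. All names (struct desc, struct dirty_log, LOG_CAPACITY, GUEST_MEM_SIZE) and sizes are assumptions made for this example and do not reproduce vhost's data structures.

```c
/* Added example, not Linux kernel code: a simplified model of the pattern behind
 * CVE-2019-14835. A fixed-size array logs the guest-supplied buffer descriptors
 * that were translated. The unchecked variant trusts the descriptor count and
 * lengths it is handed; the checked variant verifies capacity and each length
 * before it writes anything. All names, sizes and the guest memory window are
 * constructed for illustration and do not correspond to vhost internals. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define LOG_CAPACITY   4          /* illustrative; a real log array is much larger */
#define GUEST_MEM_SIZE 0x10000u   /* constructed guest memory window, in bytes */

struct desc      { uint64_t addr; uint32_t len; };   /* one virtqueue descriptor (model) */
struct log_entry { uint64_t addr; uint32_t len; };   /* one dirty-memory log record (model) */

struct dirty_log {
    size_t           count;
    struct log_entry entries[LOG_CAPACITY];
    uint64_t         canary[2];   /* sits right after the array so an overrun is visible */
};

/* Unchecked variant: logs every descriptor it is given. The array bound is never
 * consulted, so a chain longer than LOG_CAPACITY writes past entries[]. */
static void log_descs_unchecked(struct dirty_log *log, const struct desc *d, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        log->entries[log->count].addr = d[i].addr;   /* out of bounds once count >= LOG_CAPACITY */
        log->entries[log->count].len  = d[i].len;
        log->count++;
    }
}

/* Checked variant: the whole chain is validated before any entry is written.
 * Returns 0 when all n descriptors were logged, -1 when the chain was rejected
 * (log full, zero length, or a descriptor that does not fit in guest memory).
 * On rejection the log is left exactly as it was. */
static int log_descs_checked(struct dirty_log *log, const struct desc *d, size_t n)
{
    if (log->count > LOG_CAPACITY || n > LOG_CAPACITY - log->count)
        return -1;                                    /* capacity check, no size_t underflow */
    for (size_t i = 0; i < n; i++) {
        if (d[i].len == 0 || d[i].addr > GUEST_MEM_SIZE ||
            d[i].len > GUEST_MEM_SIZE - d[i].addr)    /* addr + len must stay inside guest memory */
            return -1;
    }
    for (size_t i = 0; i < n; i++) {
        log->entries[log->count].addr = d[i].addr;
        log->entries[log->count].len  = d[i].len;
        log->count++;
    }
    return 0;
}

/* Drives the checked variant over constructed chains. Returns the final entry
 * count (4) when every accept and reject decision matches the contract above,
 * or -1 on the first deviation. */
static int exercise_checked_log(void)
{
    struct dirty_log log;
    memset(&log, 0, sizeof log);
    struct desc chain3[3]  = {{0x1000, 64}, {0x2000, 128}, {0x3000, 16}};
    struct desc chain2[2]  = {{0x4000, 8}, {0x5000, 8}};
    struct desc bad_len[1] = {{0xFFF0, 0x100}};       /* 0xFFF0 + 0x100 runs past guest memory */
    struct desc one[1]     = {{0x6000, 8}};

    if (log_descs_checked(&log, chain3, 3)  != 0  || log.count != 3) return -1;
    if (log_descs_checked(&log, chain2, 2)  != -1 || log.count != 3) return -1; /* 3 + 2 > 4 */
    if (log_descs_checked(&log, bad_len, 1) != -1 || log.count != 3) return -1;
    if (log_descs_checked(&log, one, 1)     != 0)                    return -1;
    return (int)log.count;
}

int main(void)
{
    struct dirty_log log;
    struct desc chain5[5] = {{0x1000, 8}, {0x2000, 8}, {0x3000, 8}, {0x4000, 8}, {0x5000, 8}};

    memset(&log, 0, sizeof log);
    log.canary[0] = log.canary[1] = 0xA5A5A5A5A5A5A5A5ull;
    log_descs_unchecked(&log, chain5, 5);             /* the fifth entry lands on the canary */
    printf("unchecked: canary[0]=0x%016llx canary[1]=0x%016llx (both were 0xa5a5...)\n",
           (unsigned long long)log.canary[0], (unsigned long long)log.canary[1]);

    memset(&log, 0, sizeof log);
    log.canary[0] = log.canary[1] = 0xA5A5A5A5A5A5A5A5ull;
    printf("checked:   rc=%d count=%zu canary[0]=0x%016llx\n",
           log_descs_checked(&log, chain5, 5), log.count, (unsigned long long)log.canary[0]);
    printf("exercise_checked_log() = %d\n", exercise_checked_log());
    return 0;
}
```

The point of the model is where the check sits: the capacity and length tests run over the whole chain before the first write, so a rejected chain cannot leave a partially written log behind, and the count can never be driven past the array by input the guest controls.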

Demo Examples

Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

CWE-120

The following code asks the user to enter their last name and then attempts to store the value entered in the last_name array.

    char last_name[20];        /* the array holds 20 characters total */
    printf("Enter your last name: ");
    scanf("%s", last_name);    /* no field width: input of 20 or more characters overflows */

The problem with the code above is that it does not restrict or limit the size of the name entered by the user. If the user enters "Very_very_long_last_name" which is 24 characters long, then a buffer overflow will occur since the array can only hold 20 characters total.

Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

CWE-120

The following code attempts to create a local copy of a buffer to perform some manipulations to the data.

    void manipulate_string(char *string) {   /* function name reconstructed from the description */
        char buf[24];                        /* fixed-size local copy (size is illustrative) */
        strcpy(buf, string);                 /* copies up to the NUL with no check against sizeof(buf) */
        ...
    }

However, the programmer does not ensure that the size of the data pointed to by string will fit in the local buffer and blindly copies the data with the potentially dangerous strcpy() function. This may result in a buffer overflow condition if an attacker can influence the contents of the string parameter.

Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

CWE-120

The excerpt below calls the gets() function in C, which is inherently unsafe.

    char buf[24];                  /* fixed-size buffer (size is illustrative) */
    gets(buf);                     /* reads from STDIN until a newline, with no bound at all */
    ...
    }

However, the programmer uses the function gets() which is inherently unsafe because it blindly copies all input from STDIN to the buffer without restricting how much is copied. This allows the user to provide a string that is larger than the buffer size, resulting in an overflow condition.

Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

CWE-120

In the following example, a server accepts connections from a client and processes the client request. After accepting a client connection, the program obtains client information with the gethostbyaddr() function, copies the hostname of the connecting client to a local variable, and writes that hostname to a log file.

    char hostname[MAX_LEN];        /* fixed-size local copy of the client hostname */
    ...
    clienthp = gethostbyaddr((char *)&clientaddr.sin_addr.s_addr,
                             sizeof(clientaddr.sin_addr.s_addr), AF_INET);
    strcpy(hostname, clienthp->h_name);   /* h_name may be longer than MAX_LEN */
    logOutput("Accepted client connection from host ", hostname);
    ...
    close(clientsocket);
    }
    close(serversocket);

However, the hostname of the connecting client may be longer than the size allocated for the local hostname variable, so copying it into that variable with strcpy() overflows the buffer.
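Added as an example, not the CWE entry's own code: the four snippets above rewritten in C so that every copy carries an explicit bound and reports truncation instead of writing past the array. read_last_name() gives scanf a field width, copy_string_bounded() replaces the strcpy() in the local-copy case, read_line_bounded() replaces gets() with fgets() and drains an overlong line, and record_hostname() uses the snprintf() return value to detect a hostname that does not fit. The 20-character last_name array is the one from the first snippet; the other sizes (buf[24], MAX_LEN) are illustrative, and fmemopen() only stands in for stdin so the block runs offline on constructed input.

```c
/* Added example, not the CWE's own code: the four snippets rewritten so that
 * every copy carries an explicit bound and reports truncation instead of writing
 * past the array. Sizes other than the 20-character last_name are illustrative;
 * fmemopen() stands in for stdin with constructed input. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

FILE *fmemopen(void *buf, size_t size, const char *mode);   /* POSIX; prototype repeated for strict -std builds */

#define LAST_NAME_SIZE 20   /* the 20-character array from the first snippet */
#define MAX_LEN        64   /* illustrative size for the hostname buffer */

/* First snippet: a field width of LAST_NAME_SIZE - 1 leaves room for the
 * terminating NUL. Returns 1 if a token was read, 0 otherwise. */
static int read_last_name(FILE *in, char last_name[LAST_NAME_SIZE])
{
    return fscanf(in, "%19s", last_name) == 1;   /* "%19s" must track LAST_NAME_SIZE - 1 */
}

/* Second snippet: copy src into dst only when it fits, NUL included. Returns the
 * copied length, or -1 with dst emptied when src is too long for dstsz bytes. */
static long copy_string_bounded(char *dst, size_t dstsz, const char *src)
{
    if (dstsz == 0) return -1;
    size_t n = 0;
    while (n < dstsz && src[n] != '\0') n++;   /* never scans past dstsz bytes of src */
    if (n == dstsz) {                          /* at least dstsz characters: no room for the NUL */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);
    return (long)n;
}

/* Third snippet: fgets() in place of gets(). Reads one line, newline stripped.
 * Returns the length read, -1 at EOF, or -2 when the line did not fit; in that
 * case the rest of the line is drained so the next call starts on a fresh line. */
static long read_line_bounded(char *dst, size_t dstsz, FILE *in)
{
    if (dstsz < 2 || fgets(dst, (int)dstsz, in) == NULL) return -1;
    size_t n = strlen(dst);
    if (n > 0 && dst[n - 1] == '\n') {
        dst[n - 1] = '\0';
        return (long)(n - 1);
    }
    if (n == dstsz - 1) {             /* buffer filled without a newline: overlong line */
        int c;
        while ((c = fgetc(in)) != EOF && c != '\n')
            ;
        return -2;
    }
    return (long)n;                   /* final line without a trailing newline */
}

/* Fourth snippet: snprintf's return value is the length the full string needs, so
 * a value >= the buffer size means truncation. Returns 1 when the hostname was
 * recorded whole, 0 when it was rejected and hostname left empty. */
static int record_hostname(const char *h_name, char hostname[MAX_LEN])
{
    int needed = snprintf(hostname, MAX_LEN, "%s", h_name);
    if (needed < 0 || (size_t)needed >= MAX_LEN) {
        hostname[0] = '\0';           /* never log a silently truncated name */
        return 0;
    }
    return 1;
}

/* Runs the four helpers over constructed input. Returns 0 when every result is as
 * documented above, otherwise the number of the first step that deviated. */
static int check_bounded_copies(void)
{
    char last_name[LAST_NAME_SIZE], buf[24], hostname[MAX_LEN];
    char input[] = "Very_very_long_last_name\n"                      /* the 24-character name from the text */
                   "this line is longer than the twenty-four byte buffer\n"
                   "last";
    char long_host[MAX_LEN + 8];                                      /* constructed 71-character hostname */
    memset(long_host, 'h', sizeof long_host - 1);
    long_host[sizeof long_host - 1] = '\0';

    FILE *in = fmemopen(input, strlen(input), "r");
    if (in == NULL) return 1;
    if (!read_last_name(in, last_name) || strcmp(last_name, "Very_very_long_last") != 0) return 2;
    if (read_line_bounded(buf, sizeof buf, in) != 5 || strcmp(buf, "_name") != 0)    return 3;  /* leftover of line 1 */
    if (read_line_bounded(buf, sizeof buf, in) != -2)                                  return 4;  /* overlong line */
    if (read_line_bounded(buf, sizeof buf, in) != 4 || strcmp(buf, "last") != 0)     return 5;
    if (read_line_bounded(buf, sizeof buf, in) != -1)                                  return 6;  /* EOF */
    fclose(in);
    if (copy_string_bounded(buf, sizeof buf, "short") != 5)                            return 7;
    if (copy_string_bounded(buf, sizeof buf, long_host) != -1 || buf[0] != '\0')      return 8;
    if (!record_hostname("host.example", hostname))                                    return 9;
    if (record_hostname(long_host, hostname) || hostname[0] != '\0')                   return 10;
    return 0;
}

int main(void)
{
    int rc = check_bounded_copies();
    printf("check_bounded_copies() = %d (%s)\n", rc, rc == 0 ? "all bounds honoured" : "mismatch");
    return rc;
}
```

Two details matter in practice. The scanf field width is a literal that has to be kept in step with the buffer size by hand, which is why the bounded-copy and fgets() helpers take the size as a parameter instead. And every helper makes truncation a visible return value rather than a silent shorter string, so the caller can reject the input (as record_hostname() does) rather than log or act on a name that is not what the peer sent.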

Overview

First reported: 2019-09-17 16:15:00

Last updated: 2019-09-19 04:15:00

Affected Software

Linux Kernel

Canonical Ubuntu Linux 12.04 ESM (Extended Security Maintenance)

12.04

Canonical Ubuntu Linux 14.04 ESM Edition

14.04

Red Hat Enterprise Linux 6.0

6.0

Red Hat Enterprise Linux (RHEL) 7.0 (7)

7.0

Red Hat Enterprise Linux 8.0

8.0

Red Hat Virtualization 4.0

4.0

References

openSUSE-SU-2019:2173

openSUSE-SU-2019:2181

http://packetstormsecurity.com/files/154572/Kernel-Live-Patch-Security-Notice-LSN-0056-1.html

http://packetstormsecurity.com/files/154951/Kernel-Live-Patch-Security-Notice-LSN-0058-1.html

http://packetstormsecurity.com/files/155212/Slackware-Security-Advisory-Slackware-14.2-kernel-Updates.html

http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20200115-01-qemu-en

[oss-security] 20190924 Re: CVE-2019-14835: QEMU-KVM Guest to Host Kernel Escape Vulnerability: vhost/vhost_net kernel buffer overflow

[oss-security] 20191003 Re: CVE-2019-14835: QEMU-KVM Guest to Host Kernel Escape Vulnerability: vhost/vhost_net kernel buffer overflow

[oss-security] 20191009 Re: CVE-2019-14835: QEMU-KVM Guest to Host Kernel Escape Vulnerability: vhost/vhost_net kernel buffer overflow

[oss-security] 20191009 Re: CVE-2019-14835: QEMU-KVM Guest to Host Kernel Escape Vulnerability: vhost/vhost_net kernel buffer overflow

RHBA-2019:2824

RHSA-2019:2827

RHSA-2019:2828

RHSA-2019:2829

RHSA-2019:2830

RHSA-2019:2854

RHSA-2019:2862

RHSA-2019:2863

RHSA-2019:2864

RHSA-2019:2865

RHSA-2019:2866

RHSA-2019:2867

RHSA-2019:2869

RHSA-2019:2889

RHSA-2019:2899

RHSA-2019:2900

RHSA-2019:2901

RHSA-2019:2924

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14835

Issue Tracking, Patch, Third Party Advisory

[debian-lts-announce] 20190925 [SECURITY] [DLA 1930-1] linux security update

[debian-lts-announce] 20191001 [SECURITY] [DLA 1940-1] linux-4.9 security update

FEDORA-2019-e3010166bd

FEDORA-2019-a570a92d5a

20191108 [slackware-security] Slackware 14.2 kernel (SSA:2019-311-01)

20190925 [SECURITY] [DSA 4531-1] linux security update

https://security.netapp.com/advisory/ntap-20191031-0005/

USN-4135-1

USN-4135-2

Third Party Advisory

DSA-4531

https://www.openwall.com/lists/oss-security/2019/09/17/1

Exploit, Mailing List, Patch, Third Party Advisory
