QEMU-KVM vhost/vhost_net Guest to Host Kernel Escape Vulnerability

Sep 17, 2019 10:57:42 PM / by Mikhail Pobirsky

QEMU

The KernelCare team are following developments for a recently-reported vulnerability involving QEMU-KVM guests running Linux kernels.

The vulnerability was reported by the Blade Team at Tencent, and has been given the registration CVE-2019-14835. It works as follows.

QEMU-KVM virtual instances using the vhost/vhost_net network back end use a kernel buffer to maintain a log of dirty pages. The bounds of this log are not checked by the kernel and can be made to overflow by forcing the virtual machine to migrate.

This can happen when the VM is cloud-hosted and suffers a temporary resource surge or memory leak. This in turn can trigger the cloud hosting vendor to migrate the instance, revealing the contents of the guest's dirty pages log to the host.

This vulnerability is in all Linux kernels, from 2.6.34 to the most recent. The only known mitigation is to upgrade to the latest 5.3 kernel.

KernelCare are tracking this report and are working on mitigating patches for all supported platforms. They’ll be available today.

Patches Released to Production:

  • Debian 10
  • Debian 8
  • Debian 8-Backports
  • Debian 9
  • OEL 7
  • RHEL 7
  • CentOS 7
  • CentOS 7-Plus
  • PVE 5
  • Ubuntu Bionic
  • Ubuntu Bionic HVE
  • Ubuntu Trusty
  • Ubuntu Trusty LTS Xenial
  • Ubuntu Xenial
  • Ubuntu Xenial LTS Bionic

    Patches Released to the test repository:
  • CentOS 6
  • CentOS 6-Plus
  • OEL 6
  • OpenVZ
  • RHEL 6
  • SL 6

 

Topics: KernelCare, KernelCare Blog, Vulnerability fix, CVE

Mikhail Pobirsky

Written by Mikhail Pobirsky

KernelCare Product Manager