[dpdk-announce] Vhost-user CVE-2018-1059

Maxime Coquelin maxime.coquelin at redhat.com
Mon Apr 23 17:55:57 CEST 2018

Dear users,

All versions of DPDK's Vhost-user library are vulnerable to out-of-bound
accesses initiated by a buggy or malicious guest.

This vulnerability has been assigned CVE-2018-1059.

Users are strongly encouraged to upgrade to the latest releases:
- v16.11.6 (LTS): https://fast.dpdk.org/rel/dpdk-16.11.6.tar.xz
- v17.08.2: https://fast.dpdk.org/rel/dpdk-17.08.2.tar.xz
- v17.11.2 (LTS): https://fast.dpdk.org/rel/dpdk-17.11.2.tar.xz
- v18.02.1: https://fast.dpdk.org/rel/dpdk-18.02.1.tar.xz

Starting DPDK v17.11, rte_vhost_gpa_to_vva() API was introduced for
external Vhost backends to be able to translate guest's physical
addresses to Vhost process's virtual addresses.
This API is now marked as deprecated, and users must replace its use
with the new rte_vhost_va_from_guest_pa() API. This new API takes an
extra length parameter that must be checked properly.

Patches fixing this vulnerability will soon be posted to the dev
mailing-list for upstream master, and to the stable mailing-list for
stable branches.

Kind regards,

More information about the announce mailing list