Bug 2031194 (CVE-2021-4095)

Summary: CVE-2021-4095 kernel: KVM: NULL pointer dereference in kvm_dirty_ring_get() in virt/kvm/dirty_ring.c
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: acaringi, adscvr, airlied, alciregi, bhu, blc, brdeoliv, bskeggs, carnil, chwhite, crwood, dhoward, dvlasenk, fhrbata, fpacheco, hdegoede, hkrzesin, jarod, jarodwilson, jburrell, jeremy, jfaracco, jforbes, jglisse, jlelli, jonathan, josef, jshortt, jstancek, jwboyer, kcarcia, kernel-maint, kernel-mgr, lgoncalv, linville, lzampier, masami256, mchehab, mlangsdo, nmurray, ptalbert, qzhao, rvrbovsk, scweaver, steved, vkumar, walters, williams
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: kernel 5.17 Doc Type: If docs needed, set a value
Doc Text:
A NULL pointer dereference was found in the Linux kernel's KVM when dirty ring logging is enabled without an active vCPU context. An unprivileged local attacker on the host may use this flaw to cause a kernel oops condition and thus a denial of service by issuing a KVM_XEN_HVM_SET_ATTR ioctl.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-12-16 15:15:09 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2031195    
Bug Blocks: 2026458, 2031196    

Description Guilherme de Almeida Suckevicz 2021-12-10 18:20:34 UTC 
A NULL pointer dereference in kvm_dirty_ring_get() in virt/kvm/dirty_ring.c via a KVM KVM_XEN_HVM_SET_ATTR ioctl when there is no vCPU created.

References:
https://lore.kernel.org/kvm/CAFcO6XOmoS7EacN_n6v4Txk7xL7iqRa2gABg3F7E3Naf5uG94g@mail.gmail.com/
https://patchwork.kernel.org/project/kvm/patch/20211121125451.9489-12-dwmw2@infradead.org/
Comment 1 Guilherme de Almeida Suckevicz 2021-12-10 18:21:26 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2031195]
Comment 4 Mauro Matteo Cascella 2022-01-17 11:31:24 UTC 
The patch for this issue is now available upstream:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=55749769fe608fa3f4a075e42e89d237c8e37637