A use-after-free issue was found in the way the Linux kernel's KVM hypervisor processed posted interrupts when nested virtualization is enabled (kvm_intel module parameter nested=1). In nested_get_vmcs12_pages(), on an error while processing the posted interrupt descriptor address, the code unmaps and releases 'pi_desc_page' without resetting the 'pi_desc' descriptor pointer, which is later dereferenced in pi_test_and_clear_on(). A guest user/process could use this flaw to crash the host kernel, resulting in a DoS, or potentially gain privileged access to the system.

Upstream patch:
---------------
  -> https://marc.info/?l=kvm&m=154514994222809&w=2

Reference:
----------
  -> https://www.openwall.com/lists/oss-security/2018/12/18/6
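Added example, not kernel code and not the upstream patch: a user-space C model of the lifetime bug described above. The page pool, the struct and function names (map_gpa, release_page, run_scenario, the `fixed` switch) are illustrative stand-ins for the KVM page mapping and nested state; the only thing taken from the advisory is the sequence of events: the old descriptor page is released, mapping the new address fails, and the consumer path dereferences 'pi_desc' after checking it only for NULL. Released pages are overwritten to model reuse by a new owner.

```c
/* Added example, not kernel code: a user-space model of the lifetime bug in
 * nested_get_vmcs12_pages(). Names and the page pool are illustrative. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE      4096
#define NR_PAGES       4
#define POSTED_INTR_ON 0                       /* ON bit in pi_desc.control */
#define INVALID_GPA    ((uint64_t)-1)          /* constructed: unmappable address */

struct pi_desc {
    uint32_t pir[8];                           /* posted-interrupt request bitmap */
    uint32_t control;                          /* ON / SN control bits */
    uint32_t rsvd[3];
};

/* Per-vCPU nested state, reduced to the two fields the bug is about. */
struct nested_state {
    void *pi_desc_page;                        /* mapped page, or NULL */
    struct pi_desc *pi_desc;                   /* pointer into that page, or NULL */
};

/* Toy page pool standing in for guest memory plus the host page allocator. */
static uint8_t pool[NR_PAGES * PAGE_SIZE];

/* Stand-in for kvm_vcpu_gpa_to_page() + kmap(); NULL plays the error page. */
static void *map_gpa(uint64_t gpa)
{
    uint64_t pfn = gpa / PAGE_SIZE;
    if (gpa % PAGE_SIZE || pfn >= NR_PAGES)
        return NULL;
    return pool + pfn * PAGE_SIZE;
}

/* Stand-in for kunmap() + kvm_release_page_dirty(). The page is now free for
 * reuse; modelled by letting a new owner fill it, as a recycled page would be. */
static void release_page(void *page)
{
    memset(page, 0xFF, PAGE_SIZE);
}

static bool pi_test_and_clear_on(struct pi_desc *d)
{
    bool on = d->control & (1u << POSTED_INTR_ON);
    d->control &= ~(1u << POSTED_INTR_ON);
    return on;
}

/* Load path for vmcs12->posted_intr_desc_addr. With fixed == false the old
 * page is dropped but pi_desc keeps its value, so an error return leaves it
 * dangling; with fixed == true pi_desc is cleared together with pi_desc_page. */
static int get_vmcs12_pages(struct nested_state *n, uint64_t desc_addr, bool fixed)
{
    if (n->pi_desc_page) {
        release_page(n->pi_desc_page);
        n->pi_desc_page = NULL;
        if (fixed)
            n->pi_desc = NULL;
    }
    void *page = map_gpa(desc_addr & ~(uint64_t)(PAGE_SIZE - 1));
    if (!page)
        return -1;                             /* error page: bail out here */
    n->pi_desc_page = page;
    n->pi_desc = (struct pi_desc *)((uint8_t *)page + desc_addr % PAGE_SIZE);
    return 0;
}

/* Consumer path: the NULL check is the only thing between a stale pi_desc and
 * a read/write through it, which is why resetting the pointer is the fix. */
static int complete_nested_posted_interrupt(struct nested_state *n)
{
    if (!n->pi_desc || !pi_test_and_clear_on(n->pi_desc))
        return 0;                              /* nothing posted */
    return 1;                                  /* would deliver from pir[] */
}

/* Constructed scenario: a VM entry with a valid descriptor in page 1, then one
 * whose descriptor address cannot be mapped. Returns what the consumer saw
 * afterwards and leaves the final nested state in *out. */
static int run_scenario(bool fixed, struct nested_state *out)
{
    struct nested_state n = {0};
    memset(pool, 0, sizeof pool);              /* guest starts with ON clear */
    if (get_vmcs12_pages(&n, 1 * PAGE_SIZE + 64, fixed) != 0)
        return -1;
    (void)get_vmcs12_pages(&n, INVALID_GPA, fixed);
    *out = n;
    return complete_nested_posted_interrupt(&n);
}

int main(void)
{
    struct nested_state s;
    int r = run_scenario(false, &s);
    printf("unpatched: consumer returned %d, pi_desc %s\n", r, s.pi_desc ? "dangling" : "NULL");
    r = run_scenario(true, &s);
    printf("patched:   consumer returned %d, pi_desc %s\n", r, s.pi_desc ? "dangling" : "NULL");
    return 0;
}
```

In the unpatched run the consumer reports a pending interrupt that the guest never posted and clears a bit in memory it no longer owns; in the patched run the NULL check short-circuits. The same shape of bug, a pointer and the object it points into being torn down on different paths, is what to look for when reviewing other error returns in the vmcs12 page-mapping code.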
Acknowledgments: Name: Cfir Cohen (google.com)
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1660606]
References: https://lwn.net/Articles/775720/ https://lwn.net/Articles/775721/