2069736 – (CVE-2022-2153) CVE-2022-2153 kernel: KVM: NULL pointer dereference in kvm_irq_delivery_to_apic_fast()

Bug 2069736 (CVE-2022-2153) - CVE-2022-2153 kernel: KVM: NULL pointer dereference in kvm_irq_delivery_to_apic_fast()

Summary: CVE-2022-2153 kernel: KVM: NULL pointer dereference in kvm_irq_delivery_to_ap...

Keywords:
Status:	NEW
Alias:	CVE-2022-2153
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Nobody
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2067251 2072549 2074832 2074835 2099734 2099735 2099736 2099737 2099738
Blocks:	2069747
TreeView+	depends on / blocked

Reported:	2022-03-29 15:11 UTC by Pedro Sampaio
Modified:	2023-09-19 14:13 UTC (History)
CC List:	45 users (show)
Fixed In Version:	kernel 5.18
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in the Linux kernel’s KVM when attempting to set a SynIC IRQ. This issue makes it possible for a misbehaving VMM to write to SYNIC/STIMER MSRs, causing a NULL pointer dereference. This flaw allows an unprivileged local attacker on the host to issue specific ioctl calls, causing a kernel oops condition that results in a denial of service.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description Pedro Sampaio 2022-03-29 15:11:42 UTC

When KVM initialize a vCPU without create apic, the value of vcpu->arch.apic is NULL, then if we enter guest and let KVM call kvm_hv_process_stimers() in arch/x86/kvm/x86.c:9947, which doesn't check apic in the kernel. Process stimer will use apic finally so it will cause a null pointer dereference. This flaw allows a malicious user in a Local DOS condition.

References:

https://patchew.org/linux/20220325132140.25650-1-vkuznets@redhat.com/

Comment 3 Mauro Matteo Cascella 2022-06-14 09:52:32 UTC

Upstream commits:

- https://github.com/torvalds/linux/commit/7ec37d1cbe17d8189d9562178d8b29167fe1c31a
- https://github.com/torvalds/linux/commit/00b5f37189d24ac3ed46cb7f11742094778c46ce
- https://github.com/torvalds/linux/commit/b1e34d325397a33d97d845e312d7cf2a8b646b44

Comment 5 Mauro Matteo Cascella 2022-06-21 15:23:03 UTC

Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2099734]

Comment 8 Justin M. Forbes 2022-06-21 15:49:19 UTC

This was fixed for Fedora with the 5.16.19 stable kernel updates.

Comment 13 Mauro Matteo Cascella 2023-02-21 17:12:17 UTC

This issue was fixed upstream in version 5.18. The kernel packages as shipped in following Red Hat products were previously updated to a version that contains the fix via the following errata:

kernel in Red Hat Enterprise Linux 8
https://access.redhat.com/errata/RHSA-2022:7683

kernel-rt in Red Hat Enterprise Linux 8
https://access.redhat.com/errata/RHSA-2022:7444

kernel in Red Hat Enterprise Linux 9
https://access.redhat.com/errata/RHSA-2022:8267

kernel-rt in Red Hat Enterprise Linux 9
https://access.redhat.com/errata/RHSA-2022:7933

Note You need to log in before you can comment on or make changes to this bug.

acaringi
adscvr
airlied
alciregi
bhu
chwhite
crwood
ddepaula
dvlasenk
fpacheco
hdegoede
hkrzesin
hpa
jarod
jarodwilson
jburrell
jfaracco
jferlan
jforbes
jglisse
jlelli
joe.lawrence
jonathan
josef
jshortt
jstancek
jwboyer
jwyatt
kcarcia
kernel-maint
kernel-mgr
lgoncalv
linville
lzampier
masami256
mchehab
nmurray
ptalbert
qzhao
rvrbovsk
scweaver
steved
vkumar
walters
williams