When KVM initializes a vCPU without creating an in-kernel APIC (the local APIC is instead emulated in userspace), vcpu->arch.apic is NULL. If the guest is then entered and KVM calls kvm_hv_process_stimers() (arch/x86/kvm/x86.c:9947 in the report's tree), that path does not check whether an in-kernel APIC exists. Processing a Hyper-V synthetic timer (stimer) eventually uses the APIC, so the NULL pointer is dereferenced and the host kernel crashes. A malicious local user who can drive a guest through KVM can use this to cause a denial of service (local DoS). References: https://patchew.org/linux/20220325132140.25650-1-vkuznets@redhat.com/
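The vulnerable shape of this path and a hardened one, side by side, as an added C model. This is not kernel code and not the content of the upstream commits listed below: the struct names echo KVM's for readability, but their fields, the lapic_in_kernel() stand-in, the helpers synic_activate(), stimer_set_config() and process_stimers_*(), and the timer bookkeeping are all assumptions made for the illustration. The hardening checks at two points: when SynIC and its timers are configured, and again when timers are processed, so a vCPU whose arch.apic is NULL can never reach the delivery code.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-ins for the KVM structures named in the advisory.
 * Only vcpu->arch.apic and the fact that stimer processing ends up
 * dereferencing it are taken from the description above. */
#define HV_SYNIC_STIMER_COUNT 4
#define STIMER_ENABLE   (1ULL << 0)
#define STIMER_PERIODIC (1ULL << 1)

struct kvm_lapic {
    unsigned irqs_delivered;            /* interrupts injected via this APIC */
};

struct kvm_vcpu_hv_stimer {
    uint64_t config;                    /* STIMER_ENABLE / STIMER_PERIODIC */
    uint64_t count;                     /* period or one-shot delay */
    uint64_t exp_time;                  /* next expiry */
};

struct kvm_vcpu {
    struct {
        struct kvm_lapic *apic;         /* NULL: LAPIC lives in userspace */
        bool synic_active;              /* Hyper-V SynIC enabled on this vCPU */
        struct kvm_vcpu_hv_stimer stimer[HV_SYNIC_STIMER_COUNT];
    } arch;
};

static bool lapic_in_kernel(const struct kvm_vcpu *vcpu)
{
    return vcpu->arch.apic != NULL;
}

/* Delivery path: this is where the NULL pointer is finally touched. */
static void stimer_deliver(struct kvm_vcpu *vcpu)
{
    vcpu->arch.apic->irqs_delivered++;  /* faults when apic == NULL */
}

/* Vulnerable shape: walks every armed timer and delivers the expired
 * ones without ever asking whether an in-kernel APIC exists. */
static int process_stimers_unchecked(struct kvm_vcpu *vcpu, uint64_t now)
{
    int delivered = 0;
    for (int i = 0; i < HV_SYNIC_STIMER_COUNT; i++) {
        struct kvm_vcpu_hv_stimer *s = &vcpu->arch.stimer[i];
        if (!(s->config & STIMER_ENABLE) || now < s->exp_time)
            continue;
        stimer_deliver(vcpu);
        delivered++;
        if (s->config & STIMER_PERIODIC)
            s->exp_time += s->count;
        else
            s->config &= ~STIMER_ENABLE;  /* one-shot timers disarm */
    }
    return delivered;
}

/* Hardened shape, layer 1: a vCPU without an in-kernel APIC can never
 * activate SynIC, and timer configuration is refused while SynIC is
 * inactive, so a timer cannot be armed on such a vCPU at all. */
static int synic_activate(struct kvm_vcpu *vcpu)
{
    if (!lapic_in_kernel(vcpu))
        return -EINVAL;
    vcpu->arch.synic_active = true;
    return 0;
}

static int stimer_set_config(struct kvm_vcpu *vcpu, int idx,
                             uint64_t config, uint64_t count, uint64_t now)
{
    if (idx < 0 || idx >= HV_SYNIC_STIMER_COUNT || !vcpu->arch.synic_active)
        return -EINVAL;
    struct kvm_vcpu_hv_stimer *s = &vcpu->arch.stimer[idx];
    s->config = config;
    s->count = count;
    s->exp_time = now + count;
    return 0;
}

/* Layer 2: the processing path bails out on its own if the APIC is
 * missing, so stale or racy state still cannot reach stimer_deliver(). */
static int process_stimers_checked(struct kvm_vcpu *vcpu, uint64_t now)
{
    if (!lapic_in_kernel(vcpu) || !vcpu->arch.synic_active)
        return -ENOENT;
    return process_stimers_unchecked(vcpu, now);
}

int main(void)
{
    struct kvm_lapic apic = {0};
    struct kvm_vcpu with_apic = { .arch = { .apic = &apic } };
    struct kvm_vcpu no_apic = { .arch = { .apic = NULL } };

    synic_activate(&with_apic);
    stimer_set_config(&with_apic, 0, STIMER_ENABLE, 100, 0);
    printf("with apic: delivered=%d irqs=%u\n",
           process_stimers_checked(&with_apic, 150), apic.irqs_delivered);
    /* Arming a timer on no_apic and calling process_stimers_unchecked()
     * would reproduce the fault; the checked path refuses instead. */
    printf("no apic: rc=%d\n", process_stimers_checked(&no_apic, 150));
    return 0;
}
```

The unchecked loop is deliberately left intact so the two can be diffed: the only behavioural difference is the guard in front of it, which is the shape of the fix an in-tree reviewer would look for, a lapic_in_kernel()-style check before any SynIC or stimer state can be created or consumed.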
Upstream commits:
- https://github.com/torvalds/linux/commit/7ec37d1cbe17d8189d9562178d8b29167fe1c31a
- https://github.com/torvalds/linux/commit/00b5f37189d24ac3ed46cb7f11742094778c46ce
- https://github.com/torvalds/linux/commit/b1e34d325397a33d97d845e312d7cf2a8b646b44
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 2099734]
This was fixed for Fedora with the 5.16.19 stable kernel updates.
This issue was fixed upstream in version 5.18. The kernel packages as shipped in the following Red Hat products were previously updated to a version that contains the fix via the following errata:
- kernel in Red Hat Enterprise Linux 8: https://access.redhat.com/errata/RHSA-2022:7683
- kernel-rt in Red Hat Enterprise Linux 8: https://access.redhat.com/errata/RHSA-2022:7444
- kernel in Red Hat Enterprise Linux 9: https://access.redhat.com/errata/RHSA-2022:8267
- kernel-rt in Red Hat Enterprise Linux 9: https://access.redhat.com/errata/RHSA-2022:7933