Bug 1200788 - (CVE-2022-2153) VUL-0: CVE-2022-2153: kernel-source-rt,kernel-source,kernel-source-azure: KVM: NULL pointer dereference in kvm_irq_delivery_to_apic_fast()
(CVE-2022-2153)
VUL-0: CVE-2022-2153: kernel-source-rt,kernel-source,kernel-source-azure: KVM...
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Dario Faggioli
Security Team bot
https://smash.suse.de/issue/335226/
CVSSv3.1:SUSE:CVE-2022-2153:6.5:(AV:L...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2022-06-22 07:45 UTC by Carlos López
Modified: 2022-11-29 17:35 UTC (History)
9 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Carlos López 2022-06-22 07:45:59 UTC
rh#2069736

When KVM initialize a vCPU without create apic, the value of vcpu->arch.apic is NULL, then if we enter guest and let KVM call kvm_hv_process_stimers() in arch/x86/kvm/x86.c:9947, which doesn't check apic in the kernel. Process stimer will use apic finally so it will cause a null pointer dereference. This flaw allows a malicious user in a Local DOS condition.

References:

https://patchew.org/linux/20220325132140.25650-1-vkuznets@redhat.com/

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2069736
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-2153
Comment 1 Carlos López 2022-06-22 07:56:41 UTC
On cve/linux-4.4 and older I do not see any path that could lead to calling kvm_irq_delivery_to_apic() with both src = NULL and irq->shorthand = APIC_DEST_SELF, plus the code addressed in patches 1 and 3 does not exist (as far as I can tell, KVM does not handle any synic logic). Tracking those branches as not affected.

cve/linux-4.12, cve/linux-5.3 and SLE15-SP4 are affected. stable and master already got the fixes.

Upstream commits:
- https://github.com/torvalds/linux/commit/7ec37d1cbe17d8189d9562178d8b29167fe1c31a
- https://github.com/torvalds/linux/commit/00b5f37189d24ac3ed46cb7f11742094778c46ce
- https://github.com/torvalds/linux/commit/b1e34d325397a33d97d845e312d7cf2a8b646b44
Comment 2 Petr Mladek 2022-06-22 14:00:09 UTC
Bruce, this seems to be in your area.
Comment 6 Oscar Salvador 2022-09-27 03:50:13 UTC
A gentle ping from Kernel Security Sentinel: https://confluence.suse.com/display/KSS/Kernel+Security+Sentinel

This security bug has been ignored for weeks.  Could you guys give an update (either fix or reassign-back)?  Thanks.
Comment 7 Robert Frohl 2022-10-11 06:46:37 UTC
still outstanding for:

- cve/linux-4.12
- cve/linux-5.3
- SLE15-SP4

@Claudio: Is there any progress that can be shared ?
Comment 8 Antoine Ginies 2022-10-11 10:30:55 UTC
Assigning Dario to it.
Comment 9 Dario Faggioli 2022-10-13 09:16:37 UTC
(In reply to Robert Frohl from comment #7)
> still outstanding for:
> 
> - cve/linux-4.12
> - cve/linux-5.3
> - SLE15-SP4
> 
Ok, so, for 15-SP4, the patches were in already, via git-fixes, so I'm only updating the metadata.

For the cve/ branches, I'm almost done with them, and I had to add the following commit, as a dependency:

commit dbcf3f96fa662bd5e1f93ea7c10a8dd0dce180ae
https://github.com/torvalds/linux/commit/dbcf3f96fa662bd5e1f93ea7c10a8dd0dce180ae
KVM: x86: hyper-v: disallow configuring SynIC timers with no SynIC
Comment 20 Swamp Workflow Management 2022-11-08 14:32:30 UTC
SUSE-SU-2022:3897-1: An update that solves 33 vulnerabilities, contains one feature and has 15 fixes is now available.

Category: security (important)
Bug References: 1032323,1065729,1152489,1196018,1198702,1200465,1200788,1201725,1202638,1202686,1202700,1203066,1203098,1203290,1203387,1203391,1203496,1203514,1203770,1203802,1204051,1204053,1204059,1204060,1204125,1204166,1204168,1204354,1204355,1204382,1204402,1204415,1204417,1204431,1204439,1204470,1204479,1204574,1204575,1204619,1204635,1204637,1204646,1204647,1204653,1204728,1204753,1204754
CVE References: CVE-2021-4037,CVE-2022-2153,CVE-2022-28748,CVE-2022-2964,CVE-2022-2978,CVE-2022-3169,CVE-2022-3176,CVE-2022-3424,CVE-2022-3521,CVE-2022-3524,CVE-2022-3535,CVE-2022-3542,CVE-2022-3545,CVE-2022-3565,CVE-2022-3577,CVE-2022-3586,CVE-2022-3594,CVE-2022-3621,CVE-2022-3623,CVE-2022-3625,CVE-2022-3629,CVE-2022-3640,CVE-2022-3646,CVE-2022-3649,CVE-2022-39189,CVE-2022-40768,CVE-2022-41674,CVE-2022-42703,CVE-2022-42719,CVE-2022-42720,CVE-2022-42721,CVE-2022-42722,CVE-2022-43750
JIRA References: PED-1931
Sources used:
openSUSE Leap 15.3 (src):    kernel-azure-5.3.18-150300.38.83.1, kernel-source-azure-5.3.18-150300.38.83.1, kernel-syms-azure-5.3.18-150300.38.83.1
SUSE Linux Enterprise Module for Public Cloud 15-SP3 (src):    kernel-azure-5.3.18-150300.38.83.1, kernel-source-azure-5.3.18-150300.38.83.1, kernel-syms-azure-5.3.18-150300.38.83.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 21 Swamp Workflow Management 2022-11-10 14:26:14 UTC
SUSE-SU-2022:3929-1: An update that solves 25 vulnerabilities, contains four features and has 13 fixes is now available.

Category: security (important)
Bug References: 1032323,1065729,1196018,1198702,1200465,1200788,1201725,1202686,1202700,1203066,1203098,1203387,1203391,1203496,1204053,1204166,1204168,1204354,1204355,1204382,1204402,1204415,1204417,1204431,1204439,1204470,1204479,1204574,1204575,1204619,1204635,1204637,1204646,1204647,1204653,1204728,1204753,1204754
CVE References: CVE-2021-4037,CVE-2022-2153,CVE-2022-28748,CVE-2022-2964,CVE-2022-2978,CVE-2022-3176,CVE-2022-3424,CVE-2022-3521,CVE-2022-3524,CVE-2022-3535,CVE-2022-3542,CVE-2022-3545,CVE-2022-3565,CVE-2022-3577,CVE-2022-3586,CVE-2022-3594,CVE-2022-3621,CVE-2022-3625,CVE-2022-3629,CVE-2022-3640,CVE-2022-3646,CVE-2022-3649,CVE-2022-39189,CVE-2022-42703,CVE-2022-43750
JIRA References: PED-1931,SLE-13847,SLE-24559,SLE-9246
Sources used:
openSUSE Leap Micro 5.2 (src):    kernel-rt-5.3.18-150300.109.1
SUSE Linux Enterprise Module for Realtime 15-SP3 (src):    kernel-rt-5.3.18-150300.109.1, kernel-rt_debug-5.3.18-150300.109.1, kernel-source-rt-5.3.18-150300.109.1, kernel-syms-rt-5.3.18-150300.109.1
SUSE Linux Enterprise Micro 5.2 (src):    kernel-rt-5.3.18-150300.109.1
SUSE Linux Enterprise Micro 5.1 (src):    kernel-rt-5.3.18-150300.109.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 22 Swamp Workflow Management 2022-11-10 14:30:59 UTC
SUSE-SU-2022:3930-1: An update that solves 16 vulnerabilities and has 5 fixes is now available.

Category: security (important)
Bug References: 1065729,1198702,1200788,1202686,1202972,1203387,1204241,1204354,1204355,1204402,1204415,1204431,1204439,1204479,1204574,1204635,1204646,1204647,1204653,1204755,1204868
CVE References: CVE-2021-4037,CVE-2022-2153,CVE-2022-2964,CVE-2022-3521,CVE-2022-3524,CVE-2022-3542,CVE-2022-3545,CVE-2022-3565,CVE-2022-3586,CVE-2022-3594,CVE-2022-3621,CVE-2022-3628,CVE-2022-3629,CVE-2022-3646,CVE-2022-3649,CVE-2022-43750
JIRA References: 
Sources used:
SUSE Linux Enterprise Real Time Extension 12-SP5 (src):    kernel-rt-4.12.14-10.106.1, kernel-rt_debug-4.12.14-10.106.1, kernel-source-rt-4.12.14-10.106.1, kernel-syms-rt-4.12.14-10.106.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 23 Swamp Workflow Management 2022-11-15 20:23:36 UTC
SUSE-SU-2022:3998-1: An update that solves 37 vulnerabilities, contains 25 features and has 38 fixes is now available.

Category: security (important)
Bug References: 1065729,1071995,1152472,1152489,1188238,1194869,1196018,1196632,1199904,1200567,1200692,1200788,1202187,1202686,1202700,1202914,1203098,1203229,1203290,1203435,1203514,1203699,1203701,1203767,1203770,1203802,1203922,1203979,1204017,1204051,1204059,1204060,1204125,1204142,1204166,1204168,1204171,1204241,1204353,1204354,1204355,1204402,1204413,1204415,1204417,1204428,1204431,1204439,1204470,1204479,1204498,1204533,1204569,1204574,1204575,1204619,1204635,1204637,1204646,1204647,1204650,1204653,1204693,1204705,1204719,1204728,1204753,1204868,1204926,1204933,1204934,1204947,1204957,1204963,1204970
CVE References: CVE-2022-1882,CVE-2022-2153,CVE-2022-28748,CVE-2022-2964,CVE-2022-2978,CVE-2022-3169,CVE-2022-33981,CVE-2022-3424,CVE-2022-3435,CVE-2022-3521,CVE-2022-3524,CVE-2022-3526,CVE-2022-3535,CVE-2022-3542,CVE-2022-3545,CVE-2022-3565,CVE-2022-3577,CVE-2022-3586,CVE-2022-3594,CVE-2022-3619,CVE-2022-3621,CVE-2022-3625,CVE-2022-3628,CVE-2022-3629,CVE-2022-3633,CVE-2022-3640,CVE-2022-3646,CVE-2022-3649,CVE-2022-40476,CVE-2022-40768,CVE-2022-41674,CVE-2022-42703,CVE-2022-42719,CVE-2022-42720,CVE-2022-42721,CVE-2022-42722,CVE-2022-43750
JIRA References: PED-1082,PED-1084,PED-1085,PED-1096,PED-1211,PED-1649,PED-634,PED-676,PED-678,PED-679,PED-707,PED-732,PED-813,PED-817,PED-822,PED-825,PED-833,PED-842,PED-846,PED-850,PED-851,PED-856,PED-857,SLE-13847,SLE-9246
Sources used:
openSUSE Leap 15.4 (src):    kernel-azure-5.14.21-150400.14.21.2, kernel-source-azure-5.14.21-150400.14.21.1, kernel-syms-azure-5.14.21-150400.14.21.1
SUSE Linux Enterprise Module for Public Cloud 15-SP4 (src):    kernel-azure-5.14.21-150400.14.21.2, kernel-source-azure-5.14.21-150400.14.21.1, kernel-syms-azure-5.14.21-150400.14.21.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 24 Swamp Workflow Management 2022-11-17 20:24:47 UTC
SUSE-SU-2022:4053-1: An update that solves 24 vulnerabilities, contains four features and has 16 fixes is now available.

Category: security (important)
Bug References: 1032323,1065729,1152489,1198702,1200465,1200788,1201725,1202638,1202686,1202700,1203066,1203098,1203387,1203391,1203496,1203802,1204053,1204166,1204168,1204354,1204355,1204382,1204402,1204415,1204417,1204431,1204439,1204470,1204479,1204574,1204575,1204619,1204635,1204637,1204646,1204647,1204653,1204728,1204753,1204754
CVE References: CVE-2021-4037,CVE-2022-2153,CVE-2022-2964,CVE-2022-2978,CVE-2022-3176,CVE-2022-3424,CVE-2022-3521,CVE-2022-3524,CVE-2022-3535,CVE-2022-3542,CVE-2022-3545,CVE-2022-3565,CVE-2022-3577,CVE-2022-3586,CVE-2022-3594,CVE-2022-3621,CVE-2022-3625,CVE-2022-3629,CVE-2022-3640,CVE-2022-3646,CVE-2022-3649,CVE-2022-39189,CVE-2022-42703,CVE-2022-43750
JIRA References: PED-1931,SLE-13847,SLE-24559,SLE-9246
Sources used:
openSUSE Leap Micro 5.2 (src):    kernel-default-5.3.18-150300.59.101.1, kernel-default-base-5.3.18-150300.59.101.1.150300.18.58.1
openSUSE Leap 15.4 (src):    dtb-aarch64-5.3.18-150300.59.101.1
openSUSE Leap 15.3 (src):    dtb-aarch64-5.3.18-150300.59.101.1, kernel-64kb-5.3.18-150300.59.101.1, kernel-debug-5.3.18-150300.59.101.1, kernel-default-5.3.18-150300.59.101.1, kernel-default-base-5.3.18-150300.59.101.1.150300.18.58.1, kernel-docs-5.3.18-150300.59.101.1, kernel-kvmsmall-5.3.18-150300.59.101.1, kernel-obs-build-5.3.18-150300.59.101.1, kernel-obs-qa-5.3.18-150300.59.101.1, kernel-preempt-5.3.18-150300.59.101.1, kernel-source-5.3.18-150300.59.101.1, kernel-syms-5.3.18-150300.59.101.1, kernel-zfcpdump-5.3.18-150300.59.101.1
SUSE Linux Enterprise Workstation Extension 15-SP3 (src):    kernel-default-5.3.18-150300.59.101.1, kernel-preempt-5.3.18-150300.59.101.1
SUSE Linux Enterprise Module for Live Patching 15-SP3 (src):    kernel-default-5.3.18-150300.59.101.1, kernel-livepatch-SLE15-SP3_Update_26-1-150300.7.3.1
SUSE Linux Enterprise Module for Legacy Software 15-SP3 (src):    kernel-default-5.3.18-150300.59.101.1
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src):    kernel-docs-5.3.18-150300.59.101.1, kernel-obs-build-5.3.18-150300.59.101.1, kernel-preempt-5.3.18-150300.59.101.1, kernel-source-5.3.18-150300.59.101.1, kernel-syms-5.3.18-150300.59.101.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    kernel-64kb-5.3.18-150300.59.101.1, kernel-default-5.3.18-150300.59.101.1, kernel-default-base-5.3.18-150300.59.101.1.150300.18.58.1, kernel-preempt-5.3.18-150300.59.101.1, kernel-source-5.3.18-150300.59.101.1, kernel-zfcpdump-5.3.18-150300.59.101.1
SUSE Linux Enterprise Micro 5.2 (src):    kernel-default-5.3.18-150300.59.101.1, kernel-default-base-5.3.18-150300.59.101.1.150300.18.58.1
SUSE Linux Enterprise Micro 5.1 (src):    kernel-default-5.3.18-150300.59.101.1, kernel-default-base-5.3.18-150300.59.101.1.150300.18.58.1
SUSE Linux Enterprise High Availability 15-SP3 (src):    kernel-default-5.3.18-150300.59.101.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 25 Swamp Workflow Management 2022-11-18 17:27:59 UTC
SUSE-SU-2022:4072-1: An update that solves 32 vulnerabilities, contains 25 features and has 36 fixes is now available.

Category: security (important)
Bug References: 1065729,1071995,1152472,1152489,1188238,1194869,1196018,1196632,1199904,1200567,1200692,1200788,1202187,1202686,1202700,1202914,1203098,1203229,1203290,1203435,1203514,1203699,1203767,1203802,1203922,1204017,1204142,1204166,1204168,1204171,1204241,1204353,1204354,1204355,1204402,1204413,1204415,1204417,1204428,1204431,1204439,1204470,1204479,1204498,1204533,1204569,1204574,1204575,1204619,1204635,1204637,1204646,1204647,1204650,1204653,1204693,1204705,1204719,1204728,1204753,1204868,1204926,1204933,1204934,1204947,1204957,1204963,1204970
CVE References: CVE-2022-1882,CVE-2022-2153,CVE-2022-28748,CVE-2022-2964,CVE-2022-2978,CVE-2022-3169,CVE-2022-33981,CVE-2022-3424,CVE-2022-3435,CVE-2022-3521,CVE-2022-3524,CVE-2022-3526,CVE-2022-3535,CVE-2022-3542,CVE-2022-3545,CVE-2022-3565,CVE-2022-3577,CVE-2022-3586,CVE-2022-3594,CVE-2022-3619,CVE-2022-3621,CVE-2022-3625,CVE-2022-3628,CVE-2022-3629,CVE-2022-3633,CVE-2022-3640,CVE-2022-3646,CVE-2022-3649,CVE-2022-40476,CVE-2022-40768,CVE-2022-42703,CVE-2022-43750
JIRA References: PED-1082,PED-1084,PED-1085,PED-1096,PED-1211,PED-1649,PED-634,PED-676,PED-678,PED-679,PED-707,PED-732,PED-813,PED-817,PED-822,PED-825,PED-833,PED-842,PED-846,PED-850,PED-851,PED-856,PED-857,SLE-13847,SLE-9246
Sources used:
openSUSE Leap 15.4 (src):    dtb-aarch64-5.14.21-150400.24.33.1, kernel-64kb-5.14.21-150400.24.33.2, kernel-debug-5.14.21-150400.24.33.2, kernel-default-5.14.21-150400.24.33.2, kernel-default-base-5.14.21-150400.24.33.2.150400.24.11.4, kernel-docs-5.14.21-150400.24.33.2, kernel-kvmsmall-5.14.21-150400.24.33.2, kernel-obs-build-5.14.21-150400.24.33.1, kernel-obs-qa-5.14.21-150400.24.33.1, kernel-source-5.14.21-150400.24.33.1, kernel-syms-5.14.21-150400.24.33.1, kernel-zfcpdump-5.14.21-150400.24.33.2
SUSE Linux Enterprise Workstation Extension 15-SP4 (src):    kernel-default-5.14.21-150400.24.33.2
SUSE Linux Enterprise Module for Live Patching 15-SP4 (src):    kernel-default-5.14.21-150400.24.33.2, kernel-livepatch-SLE15-SP4_Update_5-1-150400.9.3.4
SUSE Linux Enterprise Module for Legacy Software 15-SP4 (src):    kernel-default-5.14.21-150400.24.33.2
SUSE Linux Enterprise Module for Development Tools 15-SP4 (src):    kernel-docs-5.14.21-150400.24.33.2, kernel-obs-build-5.14.21-150400.24.33.1, kernel-source-5.14.21-150400.24.33.1, kernel-syms-5.14.21-150400.24.33.1
SUSE Linux Enterprise Module for Basesystem 15-SP4 (src):    kernel-64kb-5.14.21-150400.24.33.2, kernel-default-5.14.21-150400.24.33.2, kernel-default-base-5.14.21-150400.24.33.2.150400.24.11.4, kernel-source-5.14.21-150400.24.33.1, kernel-zfcpdump-5.14.21-150400.24.33.2
SUSE Linux Enterprise Micro 5.3 (src):    kernel-default-5.14.21-150400.24.33.2, kernel-default-base-5.14.21-150400.24.33.2.150400.24.11.4
SUSE Linux Enterprise High Availability 15-SP4 (src):    kernel-default-5.14.21-150400.24.33.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 26 Swamp Workflow Management 2022-11-29 17:30:01 UTC
SUSE-SU-2022:4272-1: An update that solves 20 vulnerabilities and has 11 fixes is now available.

Category: security (important)
Bug References: 1032323,1065729,1198702,1200788,1202686,1202972,1203098,1203142,1203198,1203254,1203290,1203322,1203387,1203514,1203802,1204166,1204168,1204241,1204354,1204355,1204402,1204415,1204431,1204439,1204479,1204574,1204635,1204646,1204647,1204653,1204755
CVE References: CVE-2021-4037,CVE-2022-2153,CVE-2022-2964,CVE-2022-3169,CVE-2022-3424,CVE-2022-3521,CVE-2022-3524,CVE-2022-3542,CVE-2022-3545,CVE-2022-3565,CVE-2022-3586,CVE-2022-3594,CVE-2022-3621,CVE-2022-3629,CVE-2022-3646,CVE-2022-3649,CVE-2022-40307,CVE-2022-40768,CVE-2022-42703,CVE-2022-43750
JIRA References: 
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP5 (src):    kernel-default-4.12.14-122.139.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    kernel-docs-4.12.14-122.139.1, kernel-obs-build-4.12.14-122.139.1
SUSE Linux Enterprise Server 12-SP5 (src):    kernel-default-4.12.14-122.139.1, kernel-source-4.12.14-122.139.1, kernel-syms-4.12.14-122.139.1
SUSE Linux Enterprise Live Patching 12-SP5 (src):    kernel-default-4.12.14-122.139.1, kgraft-patch-SLE12-SP5_Update_37-1-8.3.1
SUSE Linux Enterprise High Availability 12-SP5 (src):    kernel-default-4.12.14-122.139.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 27 Swamp Workflow Management 2022-11-29 17:35:29 UTC
SUSE-SU-2022:4273-1: An update that solves 21 vulnerabilities and has 11 fixes is now available.

Category: security (important)
Bug References: 1032323,1065729,1196018,1198702,1200788,1202686,1202972,1203098,1203142,1203198,1203254,1203290,1203322,1203387,1203514,1203802,1204166,1204168,1204241,1204354,1204355,1204402,1204415,1204431,1204439,1204479,1204574,1204635,1204646,1204647,1204653,1204755
CVE References: CVE-2021-4037,CVE-2022-2153,CVE-2022-28748,CVE-2022-2964,CVE-2022-3169,CVE-2022-3424,CVE-2022-3521,CVE-2022-3524,CVE-2022-3542,CVE-2022-3545,CVE-2022-3565,CVE-2022-3586,CVE-2022-3594,CVE-2022-3621,CVE-2022-3629,CVE-2022-3646,CVE-2022-3649,CVE-2022-40307,CVE-2022-40768,CVE-2022-42703,CVE-2022-43750
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 12-SP5 (src):    kernel-azure-4.12.14-16.115.1, kernel-source-azure-4.12.14-16.115.1, kernel-syms-azure-4.12.14-16.115.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.