Bugzilla – Bug 1200788
VUL-0: CVE-2022-2153: kernel-source-rt,kernel-source,kernel-source-azure: KVM: NULL pointer dereference in kvm_irq_delivery_to_apic_fast()
Last modified: 2022-09-27 03:50:13 UTC
When KVM initializes a vCPU without creating an APIC, the value of vcpu->arch.apic is NULL. Then, if we enter the guest and let KVM call kvm_hv_process_stimers() in arch/x86/kvm/x86.c:9947, which doesn't check apic in the kernel, processing the stimer will eventually use apic, so it will cause a NULL pointer dereference. This flaw allows a malicious user to cause a local DoS condition.
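To illustrate the defect class described above (stimer processing reaching vcpu->arch.apic while it is NULL) and the guard that prevents it, here is an added, self-contained C model; it is not KVM source and not part of this bug report. The struct layouts, stimer_deliver(), process_stimers_*() and run_guarded() are hypothetical stand-ins, and lapic_in_kernel() only mirrors the idea of KVM's helper of that name.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical model (not KVM source) of the vCPU state involved here:
 * a vCPU whose in-kernel local APIC was never created keeps
 * arch.apic == NULL, while Hyper-V synthetic timers may still be pending. */
struct kvm_lapic { int delivered; };

struct kvm_vcpu {
    struct { struct kvm_lapic *apic; } arch;
    uint64_t stimer_pending;   /* constructed bitmap of expired stimers */
};

/* Mirrors the idea of KVM's lapic_in_kernel(): is there an in-kernel APIC? */
static int lapic_in_kernel(struct kvm_vcpu *vcpu)
{
    return vcpu->arch.apic != NULL;
}

/* Delivering a stimer interrupt ends up touching the APIC. */
static void stimer_deliver(struct kvm_vcpu *vcpu)
{
    vcpu->arch.apic->delivered++;   /* NULL dereference if apic == NULL */
}

/* Vulnerable shape: drains pending timers without ever checking apic. */
static int process_stimers_unchecked(struct kvm_vcpu *vcpu)
{
    int n = 0;
    while (vcpu->stimer_pending) {
        vcpu->stimer_pending &= vcpu->stimer_pending - 1; /* clear lowest bit */
        stimer_deliver(vcpu);
        n++;
    }
    return n;
}

/* Hardened shape: bail out before any APIC access. Returns -1 when there is
 * no in-kernel APIC so callers can tell "skipped" from "nothing pending". */
static int process_stimers_guarded(struct kvm_vcpu *vcpu)
{
    if (!lapic_in_kernel(vcpu))
        return -1;
    return process_stimers_unchecked(vcpu);
}

/* Demonstration helper: run the guarded path with or without an APIC. */
static int run_guarded(int have_apic, uint64_t pending)
{
    struct kvm_lapic apic = { 0 };
    struct kvm_vcpu vcpu = { { have_apic ? &apic : NULL }, pending };
    return process_stimers_guarded(&vcpu);
}
```

Calling process_stimers_unchecked() on a vCPU whose apic is NULL would crash exactly as the report describes; the guarded variant returns -1 and leaves the pending bitmap untouched.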
On cve/linux-4.4 and older I do not see any path that could lead to calling kvm_irq_delivery_to_apic() with both src = NULL and irq->shorthand = APIC_DEST_SELF, plus the code addressed in patches 1 and 3 does not exist (as far as I can tell, KVM does not handle any synic logic). Tracking those branches as not affected.
cve/linux-4.12, cve/linux-5.3 and SLE15-SP4 are affected. stable and master already got the fixes.
Bruce, this seems to be in your area.
A gentle ping from Kernel Security Sentinel: https://confluence.suse.com/display/KSS/Kernel+Security+Sentinel
This security bug has been ignored for weeks. Could you guys give an update (either fix or reassign-back)? Thanks.