Bug 1200788 - (CVE-2022-2153) VUL-0: CVE-2022-2153: kernel-source-rt,kernel-source,kernel-source-azure: KVM: NULL pointer dereference in kvm_irq_delivery_to_apic_fast()
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium; Severity: Normal
Assigned To: Claudio Fontana
Security Team bot
https://smash.suse.de/issue/335226/
CVSSv3.1:SUSE:CVE-2022-2153:6.5:(AV:L...
Reported: 2022-06-22 07:45 UTC by Carlos López
Modified: 2022-09-27 03:50 UTC
Found By: Security Response Team
rfrohl: needinfo? (claudio.fontana)


Description Carlos López 2022-06-22 07:45:59 UTC
rh#2069736

When KVM initializes a vCPU without creating an APIC, the value of vcpu->arch.apic is NULL. If we then enter the guest and let KVM call kvm_hv_process_stimers() in arch/x86/kvm/x86.c:9947, which doesn't check the APIC in the kernel, processing the stimer will eventually use the APIC, so it will cause a NULL pointer dereference. This flaw allows a malicious user to cause a local DoS condition.

References:

https://patchew.org/linux/20220325132140.25650-1-vkuznets@redhat.com/

https://bugzilla.redhat.com/show_bug.cgi?id=2069736
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-2153
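The pattern in the description above, as an added user-space model that is not part of the original report and is not kernel code: a self-directed interrupt is delivered through a source APIC pointer that is NULL when the vCPU was set up without an in-kernel APIC. All struct and function names here are hypothetical simplifications; the unguarded form is shown only for contrast with the two guarded ones.

```c
/* Simplified user-space model of the flaw described above.
 * Struct and function names are hypothetical; this is not kernel code. */
#include <stddef.h>
#include <errno.h>

enum shorthand { DEST_NOSHORT, DEST_SELF };

struct vcpu;
struct lapic { struct vcpu *vcpu; int pending_vector; };
struct vcpu  { struct lapic *apic; };   /* NULL when no in-kernel APIC was created */
struct irq   { enum shorthand shorthand; int vector; };

static int apic_set_irq(struct vcpu *v, const struct irq *irq)
{
    v->apic->pending_vector = irq->vector;
    return 1;                            /* one vCPU received the interrupt */
}

/* Unguarded shape: trusts that src is non-NULL for a self-directed IRQ. */
int deliver_fast_unguarded(struct lapic *src, const struct irq *irq, int *r)
{
    if (irq->shorthand == DEST_SELF) {
        *r = apic_set_irq(src->vcpu, irq);   /* NULL dereference when src == NULL */
        return 1;
    }
    return 0;                            /* not handled here: take the slow path */
}

/* Hardened shape: a self-directed IRQ with no source APIC delivers nothing. */
int deliver_fast_checked(struct lapic *src, const struct irq *irq, int *r)
{
    if (irq->shorthand == DEST_SELF) {
        *r = src ? apic_set_irq(src->vcpu, irq) : 0;
        return 1;
    }
    return 0;
}

/* Caller-side guard: refuse timer interrupt injection for a vCPU without an APIC. */
int stimer_notify(struct vcpu *v, int vector)
{
    struct irq irq = { DEST_SELF, vector };
    int r = 0;

    if (v->apic == NULL)
        return -EINVAL;
    deliver_fast_checked(v->apic, &irq, &r);
    return r;
}
```
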
Comment 1 Carlos López 2022-06-22 07:56:41 UTC
On cve/linux-4.4 and older I do not see any path that could lead to calling kvm_irq_delivery_to_apic() with both src = NULL and irq->shorthand = APIC_DEST_SELF, plus the code addressed in patches 1 and 3 does not exist (as far as I can tell, KVM does not handle any synic logic). Tracking those branches as not affected.

cve/linux-4.12, cve/linux-5.3 and SLE15-SP4 are affected. stable and master already got the fixes.

Upstream commits:
- https://github.com/torvalds/linux/commit/7ec37d1cbe17d8189d9562178d8b29167fe1c31a
- https://github.com/torvalds/linux/commit/00b5f37189d24ac3ed46cb7f11742094778c46ce
- https://github.com/torvalds/linux/commit/b1e34d325397a33d97d845e312d7cf2a8b646b44
Comment 2 Petr Mladek 2022-06-22 14:00:09 UTC
Bruce, this seems to be in your area.
Comment 6 Oscar Salvador 2022-09-27 03:50:13 UTC
A gentle ping from Kernel Security Sentinel: https://confluence.suse.com/display/KSS/Kernel+Security+Sentinel

This security bug has been ignored for weeks.  Could you guys give an update (either fix or reassign-back)?  Thanks.