Two unpatched vulnerabilities are found in Linux Kernel. Both are NULL pointer deference issues that can be used by local attackers to induce DoS condition.
PUBLISH DATE: 27-11-2018
Two vulnerabilities in the arch/x86/kvm/lapic.c and vcpu_scan_ioapic in Linux Kernel can be exploited by local malicious attackers to induce Denial of Service on target system. The flaws have not been patched by the vendor.
A kvm_pv_send_ipi in arch/x86/kvm/lapic.c in the Linux kernel’s 4.19.2 and earlier versions lets local users to cause a denial of service (NULL pointer dereference and BUG). The condition is induced via crafted system calls that reach a situation where the apic map is uninitialized.
The reason is that the apic map has not yet been initialized, the testcase triggers pv_send_ipi interface by vmcall which results in kvm->arch.apic_map is dereferenced. This patch fixes it by checking whether or not apic map is NULL and bailing out immediately if that is the case.
The second flaw, tracked as CVE-2018-19407 is found in the Linux Kernel function vcpu_scan_ioapic that is defined in arch/x86/kvm/x86.c.
The flaw is triggered when I/O Advanced Programmable Interrupt Controller (I/O APIC) fails to initialize correctly.
Using crafted system calls that reach a situation where ioapic is uninitialized, a malicious attacker may launch a Denial of Service attack on the target system.
The reason is that the testcase writes hyperv synic HV_X64_MSR_SINT6 msr and triggers scan ioapic logic to load synic vectors into EOI exit bitmap. However, irqchip is not initialized by this simple testcase, ioapic/apic objects should not be accessed.
Linux kernel 4.19.2 and earlier versions.
Unofficial patches for both flaws were released in the unofficial Linux Kernel Mailing List (LKML) archive, but haven’t been pushed upstream. Whereas, no official updates or patches have been released by the vendor yet.
If you think you’re a victim of a cyber-attack, immediately send an email to firstname.lastname@example.org for a quick response.