Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <49bd403c.4d90.181899b3a76.Coremail.22021034@zju.edu.cn>
Date: Wed, 22 Jun 2022 12:11:00 +0800 (GMT+08:00)
From: kangel <22021034@....edu.cn>
To: oss-security@...ts.openwall.com
Cc: secalert@...hat.com, pbonzini@...hat.com, seanjc@...gle.com, 
	vkuznets@...hat.com, wanpengli@...cent.com, pgn@....edu.cn, 
	gregkh@...uxfoundation.org
Subject: CVE-2022-2153: Linux Kernel: x86/kvm: NULL pointer dereference in
 kvm_irq_delivery_to_apic_fast

------------[ Description ]------------    We found a 'general protection fault in kvm_irq_delivery_to_apic_fast' bug by syzkaller. The linux kernel version is 5.17.0-rc8.    When KVM initialized a vCPU without create apic, the value of vcpu->arch.apic is NULL, then if we enter guest and let KVM call kvm_hv_process_stimers() in arch/x86/kvm/x86.c:9947, which not check if apic in kernel. Process stimer will use apic finally so it will cause a null pointer dereference.     This flaw allows a malicious user in a Local DOS condition. The following program triggers Local DOS in kvm_irq_delivery_to_apic_fast in arch/x86/kvm/lapic.c:995, this bug can be reproducible stably by the C reproducer    This bug was disclosed on March 25 and assigned CVE-2022-2153. ------------[ Credits ]------------Yongkang Jia (Zhejiang University)Gaoning Pan (Zhejiang University)------------[ Backtrace ]------------Syzkaller hit 'general protection fault in kvm_irq_delivery_to_apic_fast' bug.

general protection fault, probably for non-canonical address 0xdffffc0000000013: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000098-0x000000000000009f]
CPU: 1 PID: 679 Comm: syz-executor210 Not tainted 5.17.0-rc8 #6
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1~cloud0 04/01/2014
RIP: 0010:kvm_irq_delivery_to_apic_fast+0x3dd/0x670 arch/x86/kvm/lapic.c:995
Code: e9 71 fe ff ff e8 93 3f 44 00 48 8b 9c 24 88 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 8d bb 98 00 00 00 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 18 02 00 00 48 8b 9b 98 00 00 00 48 b8 00 00 00
RSP: 0018:ffff8880094276c0 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff9792d12d
RDX: 0000000000000013 RSI: 0000000000000000 RDI: 0000000000000098
RBP: ffff8880094279a8 R08: 0000000000000000 R09: ffff8880094279b0
R10: ffff8880094279bf R11: ffffed1001284f37 R12: ffffc9000085d000
R13: ffff888009427858 R14: 0000000000000000 R15: 0000000000000000
FS:  00007f942fa80700(0000) GS:ffff88806d300000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020fe8000 CR3: 000000000852e006 CR4: 00000000003726e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 kvm_irq_delivery_to_apic+0xb8/0x860 arch/x86/kvm/irq_comm.c:54
 synic_set_irq+0x169/0x340 arch/x86/kvm/hyperv.c:463
 synic_deliver_msg arch/x86/kvm/hyperv.c:770 [inline]
 stimer_send_msg arch/x86/kvm/hyperv.c:793 [inline]
 stimer_expiration arch/x86/kvm/hyperv.c:817 [inline]
 kvm_hv_process_stimers+0xe85/0x1210 arch/x86/kvm/hyperv.c:849
 vcpu_enter_guest+0x37cb/0x4070 arch/x86/kvm/x86.c:9947
 vcpu_run arch/x86/kvm/x86.c:10261 [inline]
 kvm_arch_vcpu_ioctl_run+0x3a6/0x1670 arch/x86/kvm/x86.c:10471
 kvm_vcpu_ioctl+0x4cc/0xc70 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3908
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:874 [inline]
 __se_sys_ioctl fs/ioctl.c:860 [inline]
 __x64_sys_ioctl+0x16d/0x1d0 fs/ioctl.c:860
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x38/0x90 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x448b29
Code: e8 ec e7 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 9b fe fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f942fa7fda8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00000000006ddc40 RCX: 0000000000448b29
RDX: 0000000000000000 RSI: 000000000000ae80 RDI: 0000000000000005
RBP: 00000000006ddc48 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006ddc4c
R13: 6d766b2f7665642f R14: 00007f942fa809c0 R15: 0000000000000000------------[Patch ]------------The patch is public and it can be found here:https://git.kernel.org/pub/scm/virt/kvm/kvm.git/commit/?h=queue&id=00b5f37189d24ac3ed46cb7f11742094778c46ceC repro is attached.Best regards.    Yongkang Jia

Content of type "text/html" skipped

View attachment "poc.c" of type "text/plain" (40075 bytes)

Download attachment "config" of type "application/octet-stream" (130207 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.