Bug 1199674 (CVE-2022-1789) - VUL-0: CVE-2022-1789: kernel: NULL pointer dereference in kvm_mmu_invpcid_gva
Summary: VUL-0: CVE-2022-1789: kernel: NULL pointer dereference in kvm_mmu_invpcid_gva
Status: RESOLVED FIXED
Alias: CVE-2022-1789
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/332284/
Whiteboard: CVSSv3.1:SUSE:CVE-2022-1789:5.5:(AV:L...
Keywords:
Depends on:
Blocks:
 
Reported: 2022-05-18 13:17 UTC by Carlos López
Modified: 2024-06-25 16:52 UTC (History)
3 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Carlos López 2022-05-18 13:17:43 UTC 
From linux-distros:

Hi developers,

    We found a null-ptr-deref in the kvm module which can lead to DoS. This flaw is in kvm_mmu_invpcid_gva in

arch/x86/kvm/mmu/mmu.c. The linux kernel version is 5.17.0-rc8. We would appreciate a CVE ID if this is a security issue.

------------[ Description ]------------

    When we create a vcpu without set the CR0 PG bit, it will call nopaging_init_context in arch/x86/kvm/mmu/mmu.c, which will set mmu->invlpg = NULL On arch/x86/kvm/mmu/mmu.c to set mmu->invlpg = NULL. If we run a correct INVPCID instruction in the guest machine to cause a VM-exit. Then KVM will call hanlde_invpcid to handle this VM-exit. finally, it will call mmu->invlpg in kvm_mmu_invpcid_gva which was be set to NULL.

    The reproduce condition is that the host os should disable ept of kvm_intel module and cpu‘s MSR supports MSR_IA32_VMX_PROCBASED_CTLS2 capability (rdmsr 0x48b). ((rdmsr MSR_IA32_VMX_PROCBASED_CTLS2) >> 32) & SECONDARY_EXEC_ENABLE_INVPCID == SECONDARY_EXEC_ENABLE_INVPCID.


    On one hand, this flaw can cause a local DOS in host OS. On the other hand, we can make host OS shutdown in guest OS if the condition of host OS are matched.

------------[ Reproducer ]------------


disable host ept:


rmmod kvm_intel


modprobe kvm_intel ept=0 vpid=0


qemu-system-x86_64 -m 512M -smp 2 -cpu host -kernel /home/zju/linux-5.17-rc8/arch/x86/boot/bzImage -append "console=ttyS0 root=/dev/sda earlyprintk=serial net.ifnames=0 nokaslr" -drive file=/home/zju/script/stretch.img,format=raw -net user,host=10.0.2.10,hostfwd=tcp:127.0.0.1:10021-:22 -net nic,model=e1000 -enable-kvm -nographic 


poc.c is attached( run in qemu).


gcc poc.c -static -o poc 


 

------------[ Credits ]------------


Yongkang Jia (Zhejiang University)


Gaoning Pan (Zhejiang University)



Qiuhao Li (Harbin Institute of Technology)


------------[ Backtrace ]------------


KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]

BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor instruction fetch in kernel mode
#PF: error_code(0x0010) - not-present page
PGD b5bc067 P4D b5bc067 PUD b521067 PMD 0 
Oops: 0010 [#1] PREEMPT SMP KASAN NOPTI
CPU: 1 PID: 487 Comm: syz-executor412 Not tainted 5.17.0-rc8 #18
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:0x0
Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6.
RSP: 0018:ffff88800b6b7928 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff9f58f34c
RDX: 0000000009623000 RSI: 0000000000000000 RDI: ffff88800bbc0000
RBP: ffff88800bbc0000 R08: 0000000000000001 R09: ffffed1001778035
R10: ffff88800bbc01a7 R11: ffffed1001778034 R12: 0000000000004000
R13: 0000000000000000 R14: ffff88800bbc0290 R15: 0000000000000000
FS:  0000555555df3880(0000) GS:ffff88806d040000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 000000000b61c006 CR4: 0000000000372ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 kvm_mmu_invpcid_gva+0x2ac/0x380 arch/x86/kvm/mmu/mmu.c:5417
 kvm_handle_invpcid+0x251/0x270 arch/x86/kvm/x86.c:12613
 handle_invpcid arch/x86/kvm/vmx/vmx.c:5608 [inline]
 handle_invpcid+0x2a3/0x410 arch/x86/kvm/vmx/vmx.c:5580
 __vmx_handle_exit arch/x86/kvm/vmx/vmx.c:6171 [inline]
 vmx_handle_exit+0x4d8/0x1830 arch/x86/kvm/vmx/vmx.c:6188
 vcpu_enter_guest+0x20a9/0x4070 arch/x86/kvm/x86.c:10178
 vcpu_run arch/x86/kvm/x86.c:10261 [inline]
 kvm_arch_vcpu_ioctl_run+0x3a6/0x1670 arch/x86/kvm/x86.c:10471
 kvm_vcpu_ioctl+0x4cc/0xc70 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3908
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:874 [inline]
 __se_sys_ioctl fs/ioctl.c:860 [inline]
 __x64_sys_ioctl+0x16d/0x1d0 fs/ioctl.c:860
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x38/0x90 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae



------------[ Patch ]------------


We try to do a patch, which can not make the poc trigger this flaw.


diff --git a/linux-5.17-rc8/arch/x86/kvm/mmu/mmu.c b/linux-5.17-patch/arch/x86/kvm/mmu/mmu.c
index 5628d0b..bd464d2 100644
--- a/linux-5.17-rc8/arch/x86/kvm/mmu/mmu.c
+++ b/linux-5.17-patch/arch/x86/kvm/mmu/mmu.c
@@ -5413,6 +5413,9 @@ void kvm_mmu_invpcid_gva(struct kvm_vcpu *vcpu, gva_t gva, unsigned long pcid)
        bool tlb_flush = false;
        uint i;

+       if (!is_cr0_pg(mmu))
+               return;
+
        if (pcid == kvm_get_active_pcid(vcpu)) {
                mmu->invlpg(vcpu, gva, mmu->root_hpa);
                tlb_flush = true;
Comment 5 Carlos López 2022-05-18 14:04:19 UTC 
Only SLE15-SP4-GA and newer set `context->invlpg = NULL`, so tracking it as affected.
Comment 9 Carlos López 2022-05-23 09:29:04 UTC 
Fixed in commit 9f46c187e2e680ecd9de7983e4d081c3391acc76
Comment 10 Joerg Roedel 2022-05-25 09:48:50 UTC 
(In reply to Carlos López from comment #9)
> Fixed in commit 9f46c187e2e680ecd9de7983e4d081c3391acc76

That means the bug is public and there is no Embargo anymore.

Can you please remove the Embargo flags from this bug so that I can push the patches to our kernels?

Thanks!
Comment 11 Michal Hocko 2022-05-25 10:46:22 UTC 
(In reply to Joerg Roedel from comment #10)
> (In reply to Carlos López from comment #9)
> > Fixed in commit 9f46c187e2e680ecd9de7983e4d081c3391acc76
> 
> That means the bug is public and there is no Embargo anymore.

Sometimes an embargo can be in place even when the fix is already public. But I do agree that this is not that case as the changelog directly refers the CVE.
Comment 12 Joerg Roedel 2022-06-01 07:59:59 UTC 
Backported fix to SLE15-SP4.

master and stable branches already got the fix from upstream.

cve/linux-5.3 and older are not affected by this bug as they never set the mmu->invlpg pointer to NULL.
Comment 13 Joerg Roedel 2022-06-02 09:32:01 UTC 
Fix is merged into these branches:

* master via upstream
* stable via upstream
* SLE15-SP4 via backport


Older branches are not affected by this problem. Assigning back.
Comment 26 Swamp Workflow Management 2022-07-21 22:36:51 UTC 
SUSE-SU-2022:2520-1: An update that solves 49 vulnerabilities, contains 26 features and has 207 fixes is now available.

Category: security (important)
Bug References: 1055117,1061840,1065729,1071995,1089644,1103269,1118212,1121726,1137728,1156395,1157038,1157923,1175667,1179439,1179639,1180814,1183682,1183872,1184318,1184924,1187716,1188885,1189998,1190137,1190208,1190336,1190497,1190768,1190786,1190812,1191271,1191663,1192483,1193064,1193277,1193289,1193431,1193556,1193629,1193640,1193787,1193823,1193852,1194086,1194111,1194191,1194409,1194501,1194523,1194526,1194583,1194585,1194586,1194625,1194765,1194826,1194869,1195099,1195287,1195478,1195482,1195504,1195651,1195668,1195669,1195775,1195823,1195826,1195913,1195915,1195926,1195944,1195957,1195987,1196079,1196114,1196130,1196213,1196306,1196367,1196400,1196426,1196478,1196514,1196570,1196723,1196779,1196830,1196836,1196866,1196868,1196869,1196901,1196930,1196942,1196960,1197016,1197157,1197227,1197243,1197292,1197302,1197303,1197304,1197362,1197386,1197501,1197601,1197661,1197675,1197761,1197817,1197819,1197820,1197888,1197889,1197894,1197915,1197917,1197918,1197920,1197921,1197922,1197926,1198009,1198010,1198012,1198013,1198014,1198015,1198016,1198017,1198018,1198019,1198020,1198021,1198022,1198023,1198024,1198027,1198030,1198034,1198058,1198217,1198379,1198400,1198402,1198410,1198412,1198413,1198438,1198484,1198577,1198585,1198660,1198802,1198803,1198806,1198811,1198826,1198829,1198835,1198968,1198971,1199011,1199024,1199035,1199046,1199052,1199063,1199163,1199173,1199260,1199314,1199390,1199426,1199433,1199439,1199482,1199487,1199505,1199507,1199605,1199611,1199626,1199631,1199650,1199657,1199674,1199736,1199793,1199839,1199875,1199909,1200015,1200019,1200045,1200046,1200144,1200205,1200211,1200259,1200263,1200284,1200315,1200343,1200420,1200442,1200475,1200502,1200567,1200569,1200571,1200599,1200600,1200608,1200611,1200619,1200692,1200762,1200763,1200806,1200807,1200808,1200809,1200810,1200812,1200813,1200815,1200816,1200820,1200821,1200822,1200824,1200825,1200827,1200828,1200829,1200830,1200845,1200882,1200925,1201050,1201080,1201160,1201171,1201177,1201193,1201196,1201218,1201222,1201228,1201251,1201381,1201471,1201524
CVE References: CVE-2021-26341,CVE-2021-33061,CVE-2021-4204,CVE-2021-44879,CVE-2021-45402,CVE-2022-0264,CVE-2022-0494,CVE-2022-0617,CVE-2022-1012,CVE-2022-1016,CVE-2022-1184,CVE-2022-1198,CVE-2022-1205,CVE-2022-1462,CVE-2022-1508,CVE-2022-1651,CVE-2022-1652,CVE-2022-1671,CVE-2022-1679,CVE-2022-1729,CVE-2022-1734,CVE-2022-1789,CVE-2022-1852,CVE-2022-1966,CVE-2022-1972,CVE-2022-1974,CVE-2022-1998,CVE-2022-20132,CVE-2022-20154,CVE-2022-21123,CVE-2022-21125,CVE-2022-21127,CVE-2022-21166,CVE-2022-21180,CVE-2022-21499,CVE-2022-2318,CVE-2022-23222,CVE-2022-26365,CVE-2022-26490,CVE-2022-29582,CVE-2022-29900,CVE-2022-29901,CVE-2022-30594,CVE-2022-33740,CVE-2022-33741,CVE-2022-33742,CVE-2022-33743,CVE-2022-33981,CVE-2022-34918
JIRA References: SLE-13513,SLE-13521,SLE-15442,SLE-17855,SLE-18194,SLE-18234,SLE-18375,SLE-18377,SLE-18378,SLE-18382,SLE-18385,SLE-18901,SLE-18938,SLE-18978,SLE-19001,SLE-19026,SLE-19242,SLE-19249,SLE-19253,SLE-19924,SLE-21315,SLE-23643,SLE-24072,SLE-24093,SLE-24350,SLE-24549
Sources used:
openSUSE Leap 15.4 (src):    dtb-aarch64-5.14.21-150400.24.11.1, kernel-64kb-5.14.21-150400.24.11.1, kernel-debug-5.14.21-150400.24.11.1, kernel-default-5.14.21-150400.24.11.1, kernel-default-base-5.14.21-150400.24.11.1.150400.24.3.6, kernel-docs-5.14.21-150400.24.11.1, kernel-kvmsmall-5.14.21-150400.24.11.1, kernel-obs-build-5.14.21-150400.24.11.1, kernel-obs-qa-5.14.21-150400.24.11.1, kernel-source-5.14.21-150400.24.11.1, kernel-syms-5.14.21-150400.24.11.1, kernel-zfcpdump-5.14.21-150400.24.11.1
SUSE Linux Enterprise Workstation Extension 15-SP4 (src):    kernel-default-5.14.21-150400.24.11.1
SUSE Linux Enterprise Module for Live Patching 15-SP4 (src):    kernel-default-5.14.21-150400.24.11.1, kernel-livepatch-SLE15-SP4_Update_1-1-150400.9.5.3
SUSE Linux Enterprise Module for Legacy Software 15-SP4 (src):    kernel-default-5.14.21-150400.24.11.1
SUSE Linux Enterprise Module for Development Tools 15-SP4 (src):    kernel-docs-5.14.21-150400.24.11.1, kernel-obs-build-5.14.21-150400.24.11.1, kernel-source-5.14.21-150400.24.11.1, kernel-syms-5.14.21-150400.24.11.1
SUSE Linux Enterprise Module for Basesystem 15-SP4 (src):    kernel-64kb-5.14.21-150400.24.11.1, kernel-default-5.14.21-150400.24.11.1, kernel-default-base-5.14.21-150400.24.11.1.150400.24.3.6, kernel-source-5.14.21-150400.24.11.1, kernel-zfcpdump-5.14.21-150400.24.11.1
SUSE Linux Enterprise High Availability 15-SP4 (src):    kernel-default-5.14.21-150400.24.11.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 28 Swamp Workflow Management 2022-08-01 13:39:09 UTC 
SUSE-SU-2022:2615-1: An update that solves 48 vulnerabilities, contains 26 features and has 202 fixes is now available.

Category: security (important)
Bug References: 1055117,1061840,1065729,1071995,1089644,1103269,1118212,1121726,1137728,1156395,1157038,1157923,1175667,1179439,1179639,1180814,1183682,1183872,1184318,1184924,1187716,1188885,1189998,1190137,1190208,1190336,1190497,1190768,1190786,1190812,1191271,1191663,1192483,1193064,1193277,1193289,1193431,1193556,1193629,1193640,1193787,1193823,1193852,1194086,1194111,1194191,1194409,1194501,1194523,1194526,1194583,1194585,1194586,1194625,1194765,1194826,1194869,1195099,1195287,1195478,1195482,1195504,1195651,1195668,1195669,1195775,1195823,1195826,1195913,1195915,1195926,1195944,1195957,1195987,1196079,1196114,1196130,1196213,1196306,1196367,1196400,1196426,1196478,1196514,1196570,1196723,1196779,1196830,1196836,1196866,1196868,1196869,1196901,1196930,1196942,1196960,1197016,1197157,1197227,1197243,1197292,1197302,1197303,1197304,1197362,1197386,1197501,1197601,1197661,1197675,1197761,1197817,1197819,1197820,1197888,1197889,1197894,1197915,1197917,1197918,1197920,1197921,1197922,1197926,1198009,1198010,1198012,1198013,1198014,1198015,1198016,1198017,1198018,1198019,1198020,1198021,1198022,1198023,1198024,1198027,1198030,1198034,1198058,1198217,1198379,1198400,1198402,1198412,1198413,1198438,1198484,1198577,1198585,1198660,1198802,1198803,1198806,1198811,1198826,1198835,1198968,1198971,1199011,1199024,1199035,1199046,1199052,1199063,1199163,1199173,1199260,1199314,1199390,1199426,1199433,1199439,1199482,1199487,1199505,1199507,1199605,1199611,1199626,1199631,1199650,1199657,1199674,1199736,1199793,1199839,1199875,1199909,1200015,1200019,1200045,1200046,1200144,1200205,1200211,1200259,1200263,1200284,1200315,1200343,1200420,1200442,1200475,1200502,1200567,1200569,1200571,1200572,1200599,1200600,1200608,1200611,1200619,1200692,1200762,1200763,1200806,1200807,1200808,1200809,1200810,1200812,1200815,1200816,1200820,1200822,1200824,1200825,1200827,1200828,1200829,1200830,1200845,1200882,1200925,1201050,1201160,1201171,1201177,1201193,1201196,1201218,1201222,1201228,1201251,150300
CVE References: CVE-2021-26341,CVE-2021-33061,CVE-2021-4204,CVE-2021-44879,CVE-2021-45402,CVE-2022-0264,CVE-2022-0494,CVE-2022-0617,CVE-2022-1012,CVE-2022-1016,CVE-2022-1184,CVE-2022-1198,CVE-2022-1205,CVE-2022-1508,CVE-2022-1651,CVE-2022-1652,CVE-2022-1671,CVE-2022-1679,CVE-2022-1729,CVE-2022-1734,CVE-2022-1789,CVE-2022-1852,CVE-2022-1966,CVE-2022-1972,CVE-2022-1974,CVE-2022-1998,CVE-2022-20132,CVE-2022-20154,CVE-2022-21123,CVE-2022-21125,CVE-2022-21127,CVE-2022-21166,CVE-2022-21180,CVE-2022-21499,CVE-2022-2318,CVE-2022-23222,CVE-2022-26365,CVE-2022-26490,CVE-2022-29582,CVE-2022-29900,CVE-2022-29901,CVE-2022-30594,CVE-2022-33740,CVE-2022-33741,CVE-2022-33742,CVE-2022-33743,CVE-2022-33981,CVE-2022-34918
JIRA References: SLE-13513,SLE-13521,SLE-15442,SLE-17855,SLE-18194,SLE-18234,SLE-18375,SLE-18377,SLE-18378,SLE-18382,SLE-18385,SLE-18901,SLE-18938,SLE-18978,SLE-19001,SLE-19026,SLE-19242,SLE-19249,SLE-19253,SLE-19924,SLE-21315,SLE-23643,SLE-24072,SLE-24093,SLE-24350,SLE-24549
Sources used:
openSUSE Leap 15.4 (src):    kernel-azure-5.14.21-150400.14.7.1, kernel-source-azure-5.14.21-150400.14.7.1, kernel-syms-azure-5.14.21-150400.14.7.1
SUSE Linux Enterprise Module for Public Cloud 15-SP4 (src):    kernel-azure-5.14.21-150400.14.7.1, kernel-source-azure-5.14.21-150400.14.7.1, kernel-syms-azure-5.14.21-150400.14.7.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 33 Carlos López 2023-04-13 14:53:34 UTC 
Done, closing.