Linux Kernel is affected by two denial-of-service (DoS) vulnerabilities, the issues impact Linux kernel 4.19.2 and previous versions.
Both flaws are rated as Medium severity and are NULL pointer deference issues that can be exploited by a local attacker to trigger a DoS condition.
The first vulnerability tracked as CVE-2018-19406 resides in the Linux kernel function called kvm_pv_send_ipi implemented in arch/x86/kvm/lapic.c.
A local attacker can exploit the flaw by using crafted system calls to reach a situation where the apic map is not initialized.
“kvm_pv_send_ipi in arch/x86/kvm/lapic.c in the Linux kernel through 4.19.2 allows local users to cause a denial of service (NULL pointer dereference and BUG) via crafted system calls that reach a situation where the apic map is uninitialized.” reads the security advisory.
“The reason is that the apic map has not yet been initialized, the testcase
triggers pv_send_ipi interface by vmcall which results in kvm->arch.apic_map
is dereferenced. This patch fixes it by checking whether or not apic map is
NULL and bailing out immediately if that is the case.” reads a blog post published by Wanpeng.
The second flaw, tracked as CVE-2018-19407 resides in the Linux Kernel function vcpu_scan_ioapic that is defined in arch/x86/kvm/x86.c.
The flaw is triggered when I/O Advanced Programmable Interrupt Controller (I/O APIC) does not initialize correctly.
The vulnerability could be exploited by a local attacker using crafted system calls that reach a situation where ioapic is uninitialized.
“The vcpu_scan_ioapic function in arch/x86/kvm/x86.c in the Linux kernel through 4.19.2 allows local users to cause a denial of service (NULL pointer dereference and BUG) via crafted system calls that reach a situation where ioapic is uninitialized.” reads the security advisory.
“The reason is that the testcase writes hyperv synic HV_X64_MSR_SINT6 msr and triggers scan ioapic logic to load synic vectors into EOI exit bitmap. However, irqchip is not initialized by this simple testcase, ioapic/apic objects should not be accessed,” reads the analysis published by Wanpeng Li.
Unofficial patches for both flaws were released in the unofficial Linux Kernel Mailing List (LKML) archive, but haven’t been pushed upstream.
(Security Affairs – Linux Kernel, DoS)