DoS Vulnerabilities Impact Linux Kernel
Two recently disclosed Linux kernel vulnerabilities that remain unpatched could be exploited for local denial-of-service (DoS).
The flaws, both which were made public last week, impact Linux kernel 4.19.2 and previous versions. Both represent NULL pointer deference bugs that can be exploited by local attackers and are considered Medium severity.
Tracked as CVE-2018-19406, the first issue was discovered in a Linux kernel function called kvm_pv_send_ipi, which is defined in arch/x86/kvm/lapic.c. The flaw is triggered when the Advanced Programmable Interrupt Controller (APIC) map does not initialize correctly.
To exploit the security flaw, a local attacker can use crafted system calls to reach a situation where the apic map is uninitialized.
“The reason is that the apic map has not yet been initialized, the testcase triggers pv_send_ipi interface by vmcall which results in kvm->arch.apic_map is dereferenced,” Linux contributor Wanpeng Li reports.
A proposed patch attempts to address the vulnerability by “checking whether or not apic map is NULL and bailing out immediately if that is the case.”
The second vulnerability, which has been assigned CVE number CVE-2018-19407, impacts the vcpu_scan_ioapic function that is defined in arch/x86/kvm/x86.c. The bug is triggered when I/O Advanced Programmable Interrupt Controller (I/O APIC) does not initialize correctly.
A local user looking to exploit the security flaw can use crafted system calls that reach a situation where ioapic is uninitialized.
“The reason is that the testcase writes hyperv synic HV_X64_MSR_SINT6 msr and triggers scan ioapic logic to load synic vectors into EOI exit bitmap. However, irqchip is not initialized by this simple testcase, ioapic/apic objects should not be accessed,” Wanpeng Li explains.
The proposed patch attempts to address the vulnerability by abandoning scan ioapic if ioapic hasn’t been yet initialized in kernel.
Patches for these two bugs were made available in the unofficial Linux Kernel Mailing List (LKML) archive, but haven’t been pushed upstream.