CVE-2018-16882 Kernel: KVM: nVMX: use after free in posted interrupt processing

[P J P <ppandit () redhat com>]

  Hello,

A use after free issue was found in the way Linux kernel's KVM hypervisor 
processed posted interrupts, when nested(=1) virtualization is enabled. In 
nested_get_vmcs12_pages(), in case of an error while processing posted 
interrupt address, it unmaps the 'pi_desc_page' without resetting 'pi_desc' 
descriptor address. Which is latter used in pi_test_and_clear_on().

A guest user/process could use this flaw to crash the host kernel resulting in 
DoS.

Upstream patch:
---------------
  -> https://marc.info/?l=kvm&m=154514994222809&w=2

This issue was reported by Cfir Cohen of google.com.

Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F