oss-sec mailing list archives

Re: Linux kernel: x86/kvm: null-ptr-deref in kvm_dirty_ring_push

From: Solar Designer <solar () openwall com>
Date: Thu, 7 Apr 2022 10:35:43 +0200

On Thu, Apr 07, 2022 at 10:15:42AM +0800, kangel wrote:

    We found a null-ptr-deref in the kvm module which can lead to DoS. This flaw is in kvm_dirty_ring_push in 
virt/kvm/dirty_ring.c. The linux kernel version is 5.17.0-rc8. We would appreciate a CVE ID if this is a security 
issue.


Further in the linux-distros thread, this got assigned CVE-2022-1263,
however is this really a security issue - in other words, is a security
boundary crossed in triggering the bug?  I think it is not, and if so
the CVE ID should probably be rejected.  From the PoC:

              res = syscall(__NR_openat, 0xffffffffffffff9cul, "/dev/kvm", 0ul, 0ul);


In fact, also in the linux-distros thread it was promptly agreed that
this doesn't need an embargo - perhaps precisely because of no security
relevance?  If so, that should have been said explicitly, so a CVE ID
wouldn't be assigned (it was by another person).

Alexander

Current thread:

Linux kernel: x86/kvm: null-ptr-deref in kvm_dirty_ring_push kangel (Apr 07)
- Re: Linux kernel: x86/kvm: null-ptr-deref in kvm_dirty_ring_push Solar Designer (Apr 07)
  - Re: Linux kernel: x86/kvm: null-ptr-deref in kvm_dirty_ring_push Paolo Bonzini (Apr 07)
    - Re: Linux kernel: x86/kvm: null-ptr-deref in kvm_dirty_ring_push Solar Designer (Apr 07)
  - Re: Linux kernel: x86/kvm: null-ptr-deref in kvm_dirty_ring_push Qiuhao Li (Apr 07)
- Re: Linux kernel: x86/kvm: null-ptr-deref in kvm_dirty_ring_push Qiuhao Li (Apr 07)