oss-sec mailing list archives
Re: Linux kernel: x86/kvm: null-ptr-deref in kvm_dirty_ring_push
From: Paolo Bonzini <pbonzini () redhat com>
Date: Thu, 7 Apr 2022 10:53:17 +0200
On 4/7/22 10:35, Solar Designer wrote:
On Thu, Apr 07, 2022 at 10:15:42AM +0800, kangel wrote:We found a null-ptr-deref in the kvm module which can lead to DoS. This flaw is in kvm_dirty_ring_push in virt/kvm/dirty_ring.c. The linux kernel version is 5.17.0-rc8. We would appreciate a CVE ID if this is a security issue.Further in the linux-distros thread, this got assigned CVE-2022-1263, however is this really a security issue - in other words, is a security boundary crossed in triggering the bug? I think it is not, and if so the CVE ID should probably be rejected. From the PoC:
Alexander,indeed it doesn't cross guest-host boundaries. However, /dev/kvm is accessible by unprivileged users, so it should be treated like any other unprivileged NULL pointer dereference in Linux. I do not apply an embargo for those bugs, but whether to assign a CVE is not my choice.
(As an aside, this is the third fuzzing bug reported for KVM on security () kernel org and linux-distros, but I think only one of them was really security sensitive).
Thanks, Paolo
res = syscall(__NR_openat, 0xffffffffffffff9cul, "/dev/kvm", 0ul, 0ul);In fact, also in the linux-distros thread it was promptly agreed that this doesn't need an embargo - perhaps precisely because of no security relevance? If so, that should have been said explicitly, so a CVE ID wouldn't be assigned (it was by another person).
Current thread:
- Linux kernel: x86/kvm: null-ptr-deref in kvm_dirty_ring_push kangel (Apr 07)
- Re: Linux kernel: x86/kvm: null-ptr-deref in kvm_dirty_ring_push Solar Designer (Apr 07)
- Re: Linux kernel: x86/kvm: null-ptr-deref in kvm_dirty_ring_push Paolo Bonzini (Apr 07)
- Re: Linux kernel: x86/kvm: null-ptr-deref in kvm_dirty_ring_push Solar Designer (Apr 07)
- Re: Linux kernel: x86/kvm: null-ptr-deref in kvm_dirty_ring_push Qiuhao Li (Apr 07)
- Re: Linux kernel: x86/kvm: null-ptr-deref in kvm_dirty_ring_push Paolo Bonzini (Apr 07)
- Re: Linux kernel: x86/kvm: null-ptr-deref in kvm_dirty_ring_push Qiuhao Li (Apr 07)
- Re: Linux kernel: x86/kvm: null-ptr-deref in kvm_dirty_ring_push Solar Designer (Apr 07)