Re: Linux kernel: x86/kvm: null-ptr-deref in kvm_dirty_ring_push

[Paolo Bonzini <pbonzini () redhat com>]

On 4/7/22 10:35, Solar Designer wrote:
> On Thu, Apr 07, 2022 at 10:15:42AM +0800, kangel wrote:
> >      We found a null-ptr-deref in the kvm module which can lead to DoS. This flaw is in kvm_dirty_ring_push in 
> > virt/kvm/dirty_ring.c. The linux kernel version is 5.17.0-rc8. We would appreciate a CVE ID if this is a security issue.
>
> Further in the linux-distros thread, this got assigned CVE-2022-1263,
> however is this really a security issue - in other words, is a security
> boundary crossed in triggering the bug?  I think it is not, and if so
> the CVE ID should probably be rejected.  From the PoC:

Alexander,

indeed it doesn't cross guest-host boundaries.  However, /dev/kvm is 
accessible by unprivileged users, so it should be treated like any other 
unprivileged NULL pointer dereference in Linux.  I do not apply an 
embargo for those bugs, but whether to assign a CVE is not my choice.

(As an aside, this is the third fuzzing bug reported for KVM on 
security () kernel org and linux-distros, but I think only one of them was 
really security sensitive).

Thanks,

Paolo

> >                 res = syscall(__NR_openat, 0xffffffffffffff9cul, "/dev/kvm", 0ul, 0ul);
>
> In fact, also in the linux-distros thread it was promptly agreed that
> this doesn't need an embargo - perhaps precisely because of no security
> relevance?  If so, that should have been said explicitly, so a CVE ID
> wouldn't be assigned (it was by another person).