oss-sec mailing list archives

CVE-2022-1789: Linux Kernel: x86/kvm: NULL pointer dereference in kvm_mmu_invpcid_gva


From: kangel <kangel () zju edu cn>
Date: Wed, 25 May 2022 19:41:57 +0800 (GMT+08:00)

------------[ Description ]------------

With shadow paging enabled, the INVPCID instruction results in a call to
kvm_mmu_invpcid_gva. If INVPCID is executed with CR0.PG=0, the invlpg callback
is not set and the result is a NULL pointer dereference.

This bug was disclosed on May 20 and assigned CVE-2022-1789.

------------[ Credits ]------------

Yongkang Jia (Zhejiang University)
Gaoning Pan (Zhejiang University)
Qiuhao Li (Harbin Institute of Technology)

------------[ Backtrace ]------------

BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor instruction fetch in kernel mode
#PF: error_code(0x0010) - not-present page
PGD 9112067 P4D 9112067 PUD 1f11067 PMD 0 
Oops: 0010 [#1] PREEMPT SMP KASAN NOPTI
CPU: 0 PID: 490 Comm: syz-executor159 Not tainted 5.17.0-rc8 #21
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:0x0
Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6.
RSP: 0018:ffff88800a747810 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0003000008280000 RCX: ffffffff9032ac99
RDX: 1ffff1100189400d RSI: 0000000000000000 RDI: ffff88800c4a0000
RBP: ffff88800c4a0088 R08: 0000000000000000 R09: ffff88800a1c41a7
R10: ffffed1001438834 R11: 0000000000000001 R12: ffff88800c4a0072
R13: ffffffff932296a0 R14: ffff88800c4a0020 R15: ffff88800c4a0000
FS:  00007f95fcd82700(0000) GS:ffff88806ce00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 0000000007c1a003 CR4: 0000000000772ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
 <TASK>
 x86_emulate_insn+0xe41/0x3480 arch/x86/kvm/emulate.c:5469
 x86_emulate_instruction+0x972/0x1400 arch/x86/kvm/x86.c:8375
 kvm_mmu_page_fault+0x48f/0x1b80 arch/x86/kvm/mmu/mmu.c:5359
 handle_ept_violation+0x24e/0x660 arch/x86/kvm/vmx/vmx.c:5429
 __vmx_handle_exit arch/x86/kvm/vmx/vmx.c:6171 [inline]
 vmx_handle_exit+0x5e7/0x1ab0 arch/x86/kvm/vmx/vmx.c:6188
 vcpu_enter_guest+0x1adb/0x3af0 arch/x86/kvm/x86.c:10178
 vcpu_run arch/x86/kvm/x86.c:10261 [inline]
 kvm_arch_vcpu_ioctl_run+0x41e/0x17c0 arch/x86/kvm/x86.c:10471
 kvm_vcpu_ioctl+0x4d2/0xc60 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3908
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:874 [inline]
 __se_sys_ioctl fs/ioctl.c:860 [inline]
 __x64_sys_ioctl+0x16d/0x1d0 fs/ioctl.c:860
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x38/0x90 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

------------[ Patch ]------------

The patch has been merged into the Linux kernel stable tree and it can be found here:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9f46c187e2e680ecd9de7983e4d081c3391acc76

C repro is attached.

Best regards.
Yongkang Jia
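The failure mode described above, as an added illustration that is not the kernel's code or the reporter's PoC: a simplified model in which a per-vCPU MMU carries a mode-dependent callback table, the nonpaging (CR0.PG=0) init path leaves invlpg unset, and the INVPCID handler is shown unguarded (as in the bug) beside a guarded form that checks the callback before use. All struct and function names here (mmu_model, invpcid_gva_unguarded, invpcid_gva_guarded) are hypothetical.

```c
/*
 * Simplified model of the CVE-2022-1789 failure mode (added example; not
 * KVM code). A per-vCPU MMU struct carries a mode-dependent callback table;
 * the nonpaging table leaves ->invlpg unset, so a handler that calls it
 * unconditionally dereferences NULL when the guest runs with CR0.PG=0.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

typedef uint64_t gva_t;

struct mmu_model {
    bool paging_enabled;                               /* guest CR0.PG */
    void (*invlpg)(struct mmu_model *mmu, gva_t gva);  /* NULL in nonpaging mode */
    unsigned flushes;                                  /* per-address flushes done */
};

/* Callback installed only by the paging-mode init path. */
static void paging_invlpg(struct mmu_model *mmu, gva_t gva)
{
    (void)gva;
    mmu->flushes++;
}

/* Mirrors the two init paths: paging mode sets ->invlpg, nonpaging leaves it NULL. */
void mmu_model_init(struct mmu_model *mmu, bool cr0_pg)
{
    mmu->paging_enabled = cr0_pg;
    mmu->invlpg = cr0_pg ? paging_invlpg : NULL;
    mmu->flushes = 0;
}

/*
 * Unguarded handler, as the advisory describes: reached with ->invlpg == NULL
 * when the guest executes INVPCID with CR0.PG=0, so this call would fault.
 * Shown for contrast only; never invoked here.
 */
void invpcid_gva_unguarded(struct mmu_model *mmu, gva_t gva)
{
    mmu->invlpg(mmu, gva);
}

/* Guarded handler: skip the flush when no invlpg callback is installed.
 * Returns true if a flush was actually performed. */
bool invpcid_gva_guarded(struct mmu_model *mmu, gva_t gva)
{
    if (!mmu->invlpg)
        return false;
    mmu->invlpg(mmu, gva);
    return true;
}
```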

Attachment: poc.c