As of late two denial-of-service (DoS) vulnerabilities
evaluated as ones with Medium severity, affected the Linux kernel 4.19.2 in
addition to its previous versions. The two defects are NULL pointer deference
issues that can be misused by even a local attacker if he or she wishes to
trigger a DoS condition.
Tracked as CVE-2018-19406, the primary issue was observed to
dwell in a Linux kernel function called kvm_pv_send_ipi, which is characterized
in curve/x86/kvm/lapic.c. The defect is activated when the Advanced
Programmable Interrupt Controller (APIC) delineate is not initialized correctly.
To abuse the security defect, a local attacker can utilize
the already 'crafted' system calls to achieve a circumstance where the apic delineate
remains uninitialized.
In a published blog post the Linux contributor Wanpeng Li
reports:
“The reason is that the apic map has not yet been
initialized, the testcase triggers pv_send_ipi interface by vmcall which
results in kvm->arch.apic_map is dereferenced”
The second vulnerability, which has been doled out the CVE
number CVE-2018-19407, impacts the vcpu_scan_ioapic function that is
characterized in curve/x86/kvm/x86.c. The bug is activated when I/O Advanced
Programmable Interrupt Controller (I/O APIC) does not instate effectively.
Further adds the security advisor “the vcpu_scan_ioapic
function in arch/x86/kvm/x86.c in the Linux kernel through 4.19.2 allows local
users to cause a denial of service (NULL pointer dereference and BUG) via
crafted system calls that reach a situation where ioapic is uninitialized.”
“The reason is that the testcase writes hyperv synic
HV_X64_MSR_SINT6 msr and triggers scan ioapic logic to load synic vectors into
EOI exit bitmap. However, irqchip is not initialized by this simple testcase,
ioapic/apic objects should not be accessed,” reads the analysis published by
Wanpeng Li.
Albeit informal patches for the two blemishes were
discharged in the informal Linux Kernel Mailing List (LKML) archive, however
despite everything they haven't been pushed upstream.
