Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 25 May 2022 19:41:57 +0800 (GMT+08:00)
From: kangel <>
Subject: CVE-2022-1789: Linux Kernel: x86/kvm: NULL pointer dereference in

------------[ Description ]------------    With shadow paging enabled, the INVPCID instruction results in a call to kvm_mmu_invpcid_gva.  If INVPCID is executed with CR0.PG=0, the invlpg callback is not set and the result is a NULL pointer dereference.     This bug was disclosed on May 20 and assigned CVE-2022-1789. ------------[ Credits ]------------Yongkang Jia (Zhejiang University)Gaoning Pan (Zhejiang University)Qiuhao Li (Harbin Institute of Technology)------------[ Backtrace ]------------BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor instruction fetch in kernel mode
#PF: error_code(0x0010) - not-present page
PGD 9112067 P4D 9112067 PUD 1f11067 PMD 0 
CPU: 0 PID: 490 Comm: syz-executor159 Not tainted 5.17.0-rc8 #21
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014RIP: 0010:0x0
Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6.
RSP: 0018:ffff88800a747810 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0003000008280000 RCX: ffffffff9032ac99
RDX: 1ffff1100189400d RSI: 0000000000000000 RDI: ffff88800c4a0000
RBP: ffff88800c4a0088 R08: 0000000000000000 R09: ffff88800a1c41a7
R10: ffffed1001438834 R11: 0000000000000001 R12: ffff88800c4a0072
R13: ffffffff932296a0 R14: ffff88800c4a0020 R15: ffff88800c4a0000
FS:  00007f95fcd82700(0000) GS:ffff88806ce00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 0000000007c1a003 CR4: 0000000000772ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
 x86_emulate_insn+0xe41/0x3480 arch/x86/kvm/emulate.c:5469
 x86_emulate_instruction+0x972/0x1400 arch/x86/kvm/x86.c:8375
 kvm_mmu_page_fault+0x48f/0x1b80 arch/x86/kvm/mmu/mmu.c:5359
 handle_ept_violation+0x24e/0x660 arch/x86/kvm/vmx/vmx.c:5429
 __vmx_handle_exit arch/x86/kvm/vmx/vmx.c:6171 [inline]
 vmx_handle_exit+0x5e7/0x1ab0 arch/x86/kvm/vmx/vmx.c:6188
 vcpu_enter_guest+0x1adb/0x3af0 arch/x86/kvm/x86.c:10178
 vcpu_run arch/x86/kvm/x86.c:10261 [inline]
 kvm_arch_vcpu_ioctl_run+0x41e/0x17c0 arch/x86/kvm/x86.c:10471
 kvm_vcpu_ioctl+0x4d2/0xc60 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3908
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:874 [inline]
 __se_sys_ioctl fs/ioctl.c:860 [inline]
 __x64_sys_ioctl+0x16d/0x1d0 fs/ioctl.c:860
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x38/0x90 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae------------[Patch ]------------The patch has been merged into the Linux kernel stable tree and it can be found here: repro is attached.Best regards.    Yongkang Jia

Content of type "text/html" skipped

View attachment "poc.c" of type "text/plain" (10152 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.