Two Linux kernel vulnerabilities disclosed last week, neither yet fixed in a released kernel, can be exploited by local attackers to cause a denial of service (DoS).
Both flaws affect Linux kernel versions through 4.19.2, were rated medium severity, and are NULL pointer dereference bugs in the x86 KVM code that a local attacker can trigger. Each report describes a minimal testcase that creates a virtual machine without initializing its in-kernel interrupt controller and then drives the affected path (a vmcall hypercall in the first case, a write to the HV_X64_MSR_SINT6 MSR in the second); because the dereferenced pointer lives in the host's KVM code, the resulting oops hits the host kernel, not just the guest.
The first flaw, CVE-2018-19406, is in the KVM function kvm_pv_send_ipi() in arch/x86/kvm/lapic.c, the host-side handler for the paravirtual send-IPI hypercall.
A local attacker can cause a denial of service through crafted system calls that reach a state in which the APIC map (kvm->arch.apic_map) is still uninitialized.
“The reason is that the apic map has not yet been initialized; the testcase triggers the pv_send_ipi interface by vmcall, which results in kvm->arch.apic_map being dereferenced. This patch fixes it by checking whether or not the apic map is NULL and bailing out immediately if that is the case,” Wanpeng Li wrote in the patch description.
The second flaw, tracked as CVE-2018-19407, is in the KVM function vcpu_scan_ioapic() in arch/x86/kvm/x86.c.
It is triggered when the emulated I/O Advanced Programmable Interrupt Controller (I/O APIC) has never been initialized, which is the case when the VM has no in-kernel irqchip.
A local attacker can exploit it through crafted system calls that reach a state in which the ioapic object is uninitialized.
“The reason is that the testcase writes the hyperv synic HV_X64_MSR_SINT6 msr and triggers scan ioapic logic to load synic vectors into the EOI exit bitmap. However, irqchip is not initialized by this simple testcase, so ioapic/apic objects should not be accessed,” Wanpeng Li wrote in the patch description.
Patches for both flaws were posted to the Linux Kernel Mailing List (LKML) and can be read in its unofficial archive.
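The shape of both bugs, and of the fixes the two patch descriptions describe, as an added example that is not part of the original report and not kernel code: a small userspace C model in which a per-VM apic_map pointer and ioapic pointer stay NULL until an in-kernel irqchip is created, a send-IPI handler that dereferences the map unconditionally (the unfixed shape), and the same handler plus the scan-ioapic path with the bail-out check added. Everything here is this model's own assumption, not KVM's: the struct names and layouts, the function names send_ipi_unfixed, send_ipi_fixed and scan_ioapic_fixed, and the error codes returned on bail-out. The real functions are kvm_pv_send_ipi() and vcpu_scan_ioapic().

```c
/* Added example, not kernel code: a userspace model of the pattern behind
 * CVE-2018-19406 and CVE-2018-19407.  Build and run with:
 *   cc -Wall -o kvm_model kvm_model.c && ./kvm_model
 */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_VCPUS   16
#define NR_VECTORS 256
#define NR_IOAPIC_PINS 24

struct vcpu {
    unsigned apic_id;
    bool     pending[NR_VECTORS];   /* vectors delivered to this vcpu by an IPI */
    uint64_t eoi_exit_bitmap[4];    /* 256 bits, one per vector */
};

/* APIC id -> vcpu lookup; only built once the in-kernel LAPIC exists. */
struct apic_map {
    struct vcpu *phys_map[MAX_VCPUS];
};

struct ioapic {
    uint8_t redir_vector[NR_IOAPIC_PINS];   /* 0 = pin not routed (model assumption) */
};

struct vm {
    struct apic_map *apic_map;   /* NULL until the in-kernel LAPIC is set up   */
    struct ioapic   *ioapic;     /* NULL until the in-kernel irqchip is created */
    struct vcpu      vcpus[MAX_VCPUS];
    unsigned         nr_vcpus;
};

static inline void bm_set(uint64_t *bm, unsigned bit)        { bm[bit / 64] |= 1ULL << (bit % 64); }
static inline bool bm_test(const uint64_t *bm, unsigned bit) { return (bm[bit / 64] >> (bit % 64)) & 1; }

/* Model assumption: without an in-kernel irqchip neither object is allocated.
 * That is exactly the state the two reported testcases reach. */
static void vm_init(struct vm *vm, unsigned nr_vcpus, bool in_kernel_irqchip)
{
    memset(vm, 0, sizeof(*vm));
    vm->nr_vcpus = nr_vcpus;
    for (unsigned i = 0; i < nr_vcpus; i++)
        vm->vcpus[i].apic_id = i;
    if (!in_kernel_irqchip)
        return;
    vm->apic_map = calloc(1, sizeof(*vm->apic_map));
    vm->ioapic   = calloc(1, sizeof(*vm->ioapic));
    for (unsigned i = 0; i < nr_vcpus; i++)
        vm->apic_map->phys_map[i] = &vm->vcpus[i];
}

static void vm_free(struct vm *vm) { free(vm->apic_map); free(vm->ioapic); }

/* Deliver `vector` to every vcpu whose APIC id is min + <set bit of ipi_bitmap>
 * and return how many vcpus received it.  Unfixed shape: apic_map is used
 * without a check, so a VM that never built it dereferences NULL here. */
static int send_ipi_unfixed(struct vm *vm, uint64_t ipi_bitmap, unsigned min, uint8_t vector)
{
    struct apic_map *map = vm->apic_map;
    int count = 0;
    for (unsigned bit = 0; bit < 64; bit++) {
        if (!(ipi_bitmap & (1ULL << bit)))
            continue;
        unsigned id = min + bit;
        if (id >= MAX_VCPUS || !map->phys_map[id])   /* faults when map == NULL */
            continue;
        map->phys_map[id]->pending[vector] = true;
        count++;
    }
    return count;
}

/* Fixed shape, as the first patch description puts it: check whether the
 * apic map is NULL and bail out immediately if so. */
static int send_ipi_fixed(struct vm *vm, uint64_t ipi_bitmap, unsigned min, uint8_t vector)
{
    if (!vm->apic_map)
        return -EOPNOTSUPP;   /* error code is this model's choice */
    return send_ipi_unfixed(vm, ipi_bitmap, min, vector);
}

/* Rebuild one vcpu's EOI-exit bitmap from the ioapic routing table plus the
 * SynIC vectors the guest programmed (the path a SINTx MSR write kicks off).
 * Returns the number of bits set, or an error if the irqchip never existed. */
static int scan_ioapic_fixed(struct vm *vm, struct vcpu *v,
                             const uint8_t *synic_vectors, unsigned n_synic)
{
    /* The missing check from the second report: with no irqchip there are
     * no ioapic/apic objects to scan, so bail out instead of touching them. */
    if (!vm->ioapic || !vm->apic_map)
        return -ENODEV;       /* error code is this model's choice */

    memset(v->eoi_exit_bitmap, 0, sizeof(v->eoi_exit_bitmap));
    for (unsigned i = 0; i < NR_IOAPIC_PINS; i++)
        if (vm->ioapic->redir_vector[i])
            bm_set(v->eoi_exit_bitmap, vm->ioapic->redir_vector[i]);
    for (unsigned i = 0; i < n_synic; i++)
        bm_set(v->eoi_exit_bitmap, synic_vectors[i]);

    int nbits = 0;
    for (unsigned b = 0; b < NR_VECTORS; b++)
        nbits += bm_test(v->eoi_exit_bitmap, b);
    return nbits;
}

int main(void)
{
    struct vm vm;
    const uint8_t synic[] = { 0x40 };   /* constructed: one SynIC vector */

    /* Testcase shape from both reports: vcpus exist, irqchip never created. */
    vm_init(&vm, 2, false);
    printf("no irqchip: send_ipi -> %d, scan_ioapic -> %d\n",
           send_ipi_fixed(&vm, 0x3, 0, 0xf3),
           scan_ioapic_fixed(&vm, &vm.vcpus[0], synic, 1));
    /* send_ipi_unfixed(&vm, 0x3, 0, 0xf3) here would dereference NULL. */
    vm_free(&vm);

    /* Normally configured VM: both paths do real work. */
    vm_init(&vm, 2, true);
    vm.ioapic->redir_vector[2] = 0x30;
    printf("irqchip: send_ipi -> %d, scan_ioapic -> %d\n",
           send_ipi_fixed(&vm, 0x3, 0, 0xf3),
           scan_ioapic_fixed(&vm, &vm.vcpus[0], synic, 1));
    vm_free(&vm);
    return 0;
}
```

The point of keeping send_ipi_unfixed as a separate function is that the fix is one early-exit check placed before the first dereference; the delivery logic itself is unchanged, which is also how the patch descriptions characterize both kernel fixes.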