
[SRU,F/I/J/OEM-5.14/OEM-5.17,0/1] CVE-2022-1789

Message ID 20220602150513.494225-1-cengiz.can@canonical.com

Message

Cengiz Can June 2, 2022, 3:05 p.m. UTC
[Impact]

From https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1789

With shadow paging enabled, the INVPCID instruction results in a call
to kvm_mmu_invpcid_gva. If INVPCID is executed with CR0.PG=0, the
invlpg callback is not set and the result is a NULL pointer dereference.

[Other Info]

* mmu->root_hpa was moved to mmu->root.hpa in 5.18-rc1 
(commit b9e5603c2a3accbadfec570ac501a54431a6bdba) and the fix was done
according to that change. While backporting, we had to modify the patch
to use mmu->root_hpa. This might cause merge conflicts in the future.

* Target file resides in arch/x86/kvm instead of arch/x86/kvm/mmu in
older kernels.

Paolo Bonzini (1):
  KVM: x86/mmu: fix NULL pointer dereference on guest INVPCID

 arch/x86/kvm/mmu/mmu.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
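As an added illustration, not the submitted patch or the kernel's own code, here is a simplified C model of the callback dispatch described in [Impact]. `struct mmu_model`, its `roots[]` array and the two `invpcid_gva_*` functions are hypothetical stand-ins for `struct kvm_mmu`, `root_hpa`/`prev_roots` and `kvm_mmu_invpcid_gva`; the unguarded version shows why a NULL `invlpg` crashes the host when the guest runs INVPCID with CR0.PG=0, and the guarded version applies the obvious fix of checking the callback before each call while still requesting the TLB flush.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define NUM_ROOTS 4           /* current root plus KVM_MMU_NUM_PREV_ROOTS */
#define INVALID_PAGE ((uint64_t)-1)
#define VALID_PAGE(hpa) ((hpa) != INVALID_PAGE)

/* Hypothetical stand-in for the fields of struct kvm_mmu involved here:
 * roots[0] plays mmu->root_hpa, roots[1..] play mmu->prev_roots[]. */
struct mmu_model {
	struct { uint64_t hpa, pcid; } roots[NUM_ROOTS];
	/* Installed only when the guest has paging on; NULL under CR0.PG=0. */
	void (*invlpg)(struct mmu_model *mmu, uint64_t gva, uint64_t root_hpa);
};

/* Pre-fix shape: invlpg is called unconditionally, so INVPCID issued while
 * CR0.PG=0 dereferences a NULL function pointer inside the host kernel. */
static bool invpcid_gva_unguarded(struct mmu_model *mmu, uint64_t gva, uint64_t pcid)
{
	bool tlb_flush = false;
	for (int i = 0; i < NUM_ROOTS; i++) {
		if (!VALID_PAGE(mmu->roots[i].hpa) || pcid != mmu->roots[i].pcid)
			continue;
		mmu->invlpg(mmu, gva, mmu->roots[i].hpa);
		tlb_flush = true;
	}
	return tlb_flush;
}

/* Post-fix shape: the callback is checked before each call; the TLB flush
 * is still requested, so the guest-visible effect of INVPCID is unchanged. */
static bool invpcid_gva_guarded(struct mmu_model *mmu, uint64_t gva, uint64_t pcid)
{
	bool tlb_flush = false;
	for (int i = 0; i < NUM_ROOTS; i++) {
		if (!VALID_PAGE(mmu->roots[i].hpa) || pcid != mmu->roots[i].pcid)
			continue;
		if (mmu->invlpg)
			mmu->invlpg(mmu, gva, mmu->roots[i].hpa);
		tlb_flush = true;
	}
	return tlb_flush;
}

/* Counting callback standing in for the real shadow-MMU invlpg. */
static int invlpg_calls;
static void counting_invlpg(struct mmu_model *m, uint64_t gva, uint64_t hpa)
{ (void)m; (void)gva; (void)hpa; invlpg_calls++; }
```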

Comments

Tim Gardner June 2, 2022, 3:11 p.m. UTC | #1
Acked-by: Tim Gardner <tim.gardner@canonical.com>

On 6/2/22 09:05, Cengiz Can wrote:
> [Impact]
> 
> From https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1789
> 
> With shadow paging enabled, the INVPCID instruction results in a call
> to kvm_mmu_invpcid_gva. If INVPCID is executed with CR0.PG=0, the
> invlpg callback is not set and the result is a NULL pointer dereference.
> 
> [Other Info]
> 
> * mmu->root_hpa was moved to mmu->root.hpa in 5.18-rc1
> (commit b9e5603c2a3accbadfec570ac501a54431a6bdba) and the fix was done
> according to that change. While backporting, we had to modify the patch
> to use mmu->root_hpa. This might cause merge conflicts in the future.
> 
> * Target file resides in arch/x86/kvm instead of arch/x86/kvm/mmu in
> older kernels.
> 
> Paolo Bonzini (1):
>    KVM: x86/mmu: fix NULL pointer dereference on guest INVPCID
> 
>   arch/x86/kvm/mmu/mmu.c | 6 ++++--
>   1 file changed, 4 insertions(+), 2 deletions(-)
>
Paolo Pisati June 6, 2022, 10:18 a.m. UTC | #2
On Thu, Jun 02, 2022 at 06:05:09PM +0300, Cengiz Can wrote:
> [Impact]
> 
> From https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1789

The fix already came down as part of upstream stable v5.17.12.
Luke Nowakowski-Krijger June 9, 2022, 2:36 p.m. UTC | #3
Acked-by: Luke Nowakowski-Krijger <luke.nowakowskikrijger@canonical.com>

On Thu, Jun 2, 2022 at 8:06 AM Cengiz Can <cengiz.can@canonical.com> wrote:

> [Impact]
>
> From https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1789
>
> With shadow paging enabled, the INVPCID instruction results in a call
> to kvm_mmu_invpcid_gva. If INVPCID is executed with CR0.PG=0, the
> invlpg callback is not set and the result is a NULL pointer dereference.
>
> [Other Info]
>
> * mmu->root_hpa was moved to mmu->root.hpa in 5.18-rc1
> (commit b9e5603c2a3accbadfec570ac501a54431a6bdba) and the fix was done
> according to that change. While backporting, we had to modify the patch
> to use mmu->root_hpa. This might cause merge conflicts in the future.
>
> * Target file resides in arch/x86/kvm instead of arch/x86/kvm/mmu in
> older kernels.
>
> Paolo Bonzini (1):
>   KVM: x86/mmu: fix NULL pointer dereference on guest INVPCID
>
>  arch/x86/kvm/mmu/mmu.c | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)
>
Timo Aaltonen June 13, 2022, 11:37 a.m. UTC | #4
Cengiz Can wrote on 2.6.2022 at 18.05:
> [Impact]
> 
> From https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1789
> 
> With shadow paging enabled, the INVPCID instruction results in a call
> to kvm_mmu_invpcid_gva. If INVPCID is executed with CR0.PG=0, the
> invlpg callback is not set and the result is a NULL pointer dereference.
> 
> [Other Info]
> 
> * mmu->root_hpa was moved to mmu->root.hpa in 5.18-rc1
> (commit b9e5603c2a3accbadfec570ac501a54431a6bdba) and the fix was done
> according to that change. While backporting, we had to modify the patch
> to use mmu->root_hpa. This might cause merge conflicts in the future.
> 
> * Target file resides in arch/x86/kvm instead of arch/x86/kvm/mmu in
> older kernels.
> 
> Paolo Bonzini (1):
>    KVM: x86/mmu: fix NULL pointer dereference on guest INVPCID
> 
>   arch/x86/kvm/mmu/mmu.c | 6 ++++--
>   1 file changed, 4 insertions(+), 2 deletions(-)
> 

oem-5.14 got this via stable backports from 5.15.44

oem-5.17 will get this via hwe-5.17
Stefan Bader June 21, 2022, 3:23 p.m. UTC | #5
On 02.06.22 17:05, Cengiz Can wrote:
> [Impact]
> 
> From https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1789
> 
> With shadow paging enabled, the INVPCID instruction results in a call
> to kvm_mmu_invpcid_gva. If INVPCID is executed with CR0.PG=0, the
> invlpg callback is not set and the result is a NULL pointer dereference.
> 
> [Other Info]
> 
> * mmu->root_hpa was moved to mmu->root.hpa in 5.18-rc1
> (commit b9e5603c2a3accbadfec570ac501a54431a6bdba) and the fix was done
> according to that change. While backporting, we had to modify the patch
> to use mmu->root_hpa. This might cause merge conflicts in the future.
> 
> * Target file resides in arch/x86/kvm instead of arch/x86/kvm/mmu in
> older kernels.
> 
> Paolo Bonzini (1):
>    KVM: x86/mmu: fix NULL pointer dereference on guest INVPCID
> 
>   arch/x86/kvm/mmu/mmu.c | 6 ++++--
>   1 file changed, 4 insertions(+), 2 deletions(-)
> 

Applied to jammy,impish,focal:linux/master-next. Thanks.

-Stefan