CVE-2022-1789
Published: 2022-06-02
CVE-2022-1789: With shadow paging enabled, the INVPCID instruction results in a call to kvm_mmu_invpcid_gva. If INVPCID is executed with CR0.PG=0, the invlpg callback is not…
Severity: medium, CVSS 3.1 base score 6.8 (vector CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
With shadow paging enabled, the INVPCID instruction results in a call to kvm_mmu_invpcid_gva. If INVPCID is executed with CR0.PG=0, the invlpg callback is not set and the result is a NULL pointer dereference.
Affected (14 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | linux | < linux 5.17.11-1 (bookworm) | linux 5.17.11-1 (bookworm) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| linux | linux_kernel | < 5.8 | 5.8 |
| linux | linux_kernel | — | — |
| linux | linux_kernel | >= 0 < 5.10.120-1 | 5.10.120-1 |
| linux | linux_kernel | >= 0 < 5.17.11-1 | 5.17.11-1 |
| linux | linux_kernel | >= 0 < 5.17.11-1 | 5.17.11-1 |
| linux | linux_kernel | >= 0 < 5.17.11-1 | 5.17.11-1 |
| linux | linux_kernel | >= 0 < 5.4.0-122.138 | 5.4.0-122.138 |
| linux | linux_kernel | >= 0 < 5.15.0-41.44 | 5.15.0-41.44 |
| redhat | enterprise_linux | — | — |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| NVD (v3.1) | 6.8 | MEDIUM | CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| OSV | 7.8 | HIGH | — |
| CISA | 8.8 | HIGH | — |
Ubuntu
Linux kernel (Intel IoTG) vulnerabilities
vendor_ubuntu·2022-08-10·CVSS 7.8
CVE-2022-1734 [HIGH] Linux kernel (Intel IoTG) vulnerabilities
Title: Linux kernel (Intel IoTG) vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
Zhenpeng Lin discovered that the network packet scheduler implementation in
the Linux kernel did not properly remove all references to a route filter
before freeing it in some situations. A local attacker could use this to
cause a denial of service (system crash) or execute arbitrary code.
(CVE-2022-2588)
It was discovered that the netfilter subsystem of the Linux kernel did not
prevent one nft object from referencing an nft set in another nft table,
leading to a use-after-free vulnerability. A local attacker could use this
to cause a denial of service (system crash) or execute arbitrary code.
(CVE-2022-2586)
It was discovered that the implementation of POSIX timers in the
Ubuntu
Linux kernel vulnerabilities
vendor_ubuntu·2022-07-28·CVSS 5.5
CVE-2022-1199 [MEDIUM] Linux kernel vulnerabilities
Title: Linux kernel vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
It was discovered that the implementation of the 6pack and mkiss protocols
in the Linux kernel did not handle detach events properly in some
situations, leading to a use-after-free vulnerability. A local attacker
could possibly use this to cause a denial of service (system crash).
(CVE-2022-1195)
Duoming Zhou discovered that the AX.25 amateur radio protocol
implementation in the Linux kernel did not handle detach events properly in
some situations. A local attacker could possibly use this to cause a denial
of service (system crash) or execute arbitrary code. (CVE-2022-1199)
Duoming Zhou discovered race conditions in the AX.25 amateur radio protocol
implementation in the Linux kernel dur
Ubuntu
Linux kernel (OEM) vulnerabilities
vendor_ubuntu·2022-07-21·CVSS 7.8
CVE-2022-2078 [HIGH] Linux kernel (OEM) vulnerabilities
Title: Linux kernel (OEM) vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
It was discovered that the Atheros ath9k wireless device driver in the
Linux kernel did not properly handle some error conditions, leading to a
use-after-free vulnerability. A local attacker could use this to cause a
denial of service (system crash) or possibly execute arbitrary code.
(CVE-2022-1679)
Yongkang Jia discovered that the KVM hypervisor implementation in the Linux
kernel did not properly handle guest TLB mapping invalidation requests in
some situations. An attacker in a guest VM could use this to cause a denial
of service (system crash) in the host OS. (CVE-2022-1789)
Qiuhao Li, Gaoning Pan, and Yongkang Jia discovered that the KVM hypervisor
implementation in the Linux
Ubuntu
Linux kernel vulnerabilities
vendor_ubuntu·2022-07-14·CVSS 7.8
CVE-2022-1975 [HIGH] Linux kernel vulnerabilities
Title: Linux kernel vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
It was discovered that the eBPF implementation in the Linux kernel did not
properly prevent writes to kernel objects in BPF_BTF_LOAD commands. A
privileged local attacker could use this to cause a denial of service
(system crash) or possibly execute arbitrary code. (CVE-2022-0500)
It was discovered that the Marvell NFC device driver implementation in the
Linux kernel did not properly perform memory cleanup operations in some
situations, leading to a use-after-free vulnerability. A local attacker
could possibly use this to cause a denial of service (system crash) or
execute arbitrary code. (CVE-2022-1734)
Yongkang Jia discovered that the KVM hypervisor implementation in the Linux
kernel
Ubuntu
Linux kernel vulnerabilities
vendor_ubuntu·2022-07-13·CVSS 5.5
CVE-2022-1199 [MEDIUM] Linux kernel vulnerabilities
Title: Linux kernel vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
It was discovered that the implementation of the 6pack and mkiss protocols
in the Linux kernel did not handle detach events properly in some
situations, leading to a use-after-free vulnerability. A local attacker
could possibly use this to cause a denial of service (system crash).
(CVE-2022-1195)
Duoming Zhou discovered that the AX.25 amateur radio protocol
implementation in the Linux kernel did not handle detach events properly in
some situations. A local attacker could possibly use this to cause a denial
of service (system crash) or execute arbitrary code. (CVE-2022-1199)
Duoming Zhou discovered race conditions in the AX.25 amateur radio protocol
implementation in the Linux kernel dur
Red Hat
kernel: KVM: NULL pointer dereference in kvm_mmu_invpcid_gva
vendor_redhat·2022-05-25·CVSS 6.8
CVE-2022-1789 [MEDIUM] CWE-476 kernel: KVM: NULL pointer dereference in kvm_mmu_invpcid_gva
kernel: KVM: NULL pointer dereference in kvm_mmu_invpcid_gva
With shadow paging enabled, the INVPCID instruction results in a call to kvm_mmu_invpcid_gva. If INVPCID is executed with CR0.PG=0, the invlpg callback is not set and the result is a NULL pointer dereference.
A flaw was found in KVM. With shadow paging enabled, if INVPCID is executed with CR0.PG=0, the invlpg callback is not set, and the result is a NULL pointer dereference. This flaw allows a guest user to cause a kernel oops condition on the host, resulting in a denial of service.
Statement: Red Hat Enterprise Linux 6 and 7 did not provide support for INVPCID in shadow paging mode and therefore are not affected by this issue.
Mitigation: Mitigation for this issue is either not available or the currently available options don
CISA
Apple Multiple Products Type Confusion Vulnerability
cisa·2022-05-04·CVSS 8.8
CVE-2021-1789 [HIGH] CWE-843 Apple Multiple Products Type Confusion Vulnerability
Vulnerability: Apple Multiple Products Type Confusion Vulnerability
Affected: Apple Multiple Products
A type confusion issue affecting multiple Apple products allows processing of maliciously crafted web content, leading to arbitrary code execution.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2021-1789
Remediation Due Date: 2022-05-25
Debian
CVE-2022-1789: linux - With shadow paging enabled, the INVPCID instruction results in a call to kvm_mmu...
vendor_debian·2022·CVSS 6.8
CVE-2022-1789 [MEDIUM] CVE-2022-1789: linux - With shadow paging enabled, the INVPCID instruction results in a call to kvm_mmu...
With shadow paging enabled, the INVPCID instruction results in a call to kvm_mmu_invpcid_gva. If INVPCID is executed with CR0.PG=0, the invlpg callback is not set and the result is a NULL pointer dereference.
Scope: local
bookworm: resolved (fixed in 5.17.11-1)
bullseye: resolved (fixed in 5.10.120-1)
forky: resolved (fixed in 5.17.11-1)
sid: resolved (fixed in 5.17.11-1)
trixie: resolved (fixed in 5.17.11-1)
OSV
linux-intel-iotg vulnerabilities
osv·2022-08-10·CVSS 7.8
CVE-2022-2588 [HIGH] linux-intel-iotg vulnerabilities
linux-intel-iotg vulnerabilities
Zhenpeng Lin discovered that the network packet scheduler implementation in
the Linux kernel did not properly remove all references to a route filter
before freeing it in some situations. A local attacker could use this to
cause a denial of service (system crash) or execute arbitrary code.
(CVE-2022-2588)
It was discovered that the netfilter subsystem of the Linux kernel did not
prevent one nft object from referencing an nft set in another nft table,
leading to a use-after-free vulnerability. A local attacker could use this
to cause a denial of service (system crash) or execute arbitrary code.
(CVE-2022-2586)
It was discovered that the implementation of POSIX timers in the Linux
kernel did not properly clean up timers in some situations. A local
attacker
OSV
linux-bluefield, linux-gcp-5.4, linux-gke-5.4 vulnerabilities
osv·2022-07-28·CVSS 5.5
CVE-2022-1195 [MEDIUM] linux-bluefield, linux-gcp-5.4, linux-gke-5.4 vulnerabilities
linux-bluefield, linux-gcp-5.4, linux-gke-5.4 vulnerabilities
It was discovered that the implementation of the 6pack and mkiss protocols
in the Linux kernel did not handle detach events properly in some
situations, leading to a use-after-free vulnerability. A local attacker
could possibly use this to cause a denial of service (system crash).
(CVE-2022-1195)
Duoming Zhou discovered that the AX.25 amateur radio protocol
implementation in the Linux kernel did not handle detach events properly in
some situations. A local attacker could possibly use this to cause a denial
of service (system crash) or execute arbitrary code. (CVE-2022-1199)
Duoming Zhou discovered race conditions in the AX.25 amateur radio protocol
implementation in the Linux kernel during device detach operations. A local
at
OSV
linux-oem-5.17 vulnerabilities
osv·2022-07-21·CVSS 7.8
CVE-2022-1679 [HIGH] linux-oem-5.17 vulnerabilities
linux-oem-5.17 vulnerabilities
It was discovered that the Atheros ath9k wireless device driver in the
Linux kernel did not properly handle some error conditions, leading to a
use-after-free vulnerability. A local attacker could use this to cause a
denial of service (system crash) or possibly execute arbitrary code.
(CVE-2022-1679)
Yongkang Jia discovered that the KVM hypervisor implementation in the Linux
kernel did not properly handle guest TLB mapping invalidation requests in
some situations. An attacker in a guest VM could use this to cause a denial
of service (system crash) in the host OS. (CVE-2022-1789)
Qiuhao Li, Gaoning Pan, and Yongkang Jia discovered that the KVM hypervisor
implementation in the Linux kernel did not properly handle an illegal
instruction in a guest, resulting
OSV
linux, linux-aws, linux-azure, linux-gcp, linux-gke, linux-ibm, linux-kvm, linux-lowlatency, linux-oracle, linux-raspi vulnerabilities
osv·2022-07-14·CVSS 7.8
CVE-2022-0500 [HIGH] linux, linux-aws, linux-azure, linux-gcp, linux-gke, linux-ibm, linux-kvm, linux-lowlatency, linux-oracle, linux-raspi vulnerabilities
linux, linux-aws, linux-azure, linux-gcp, linux-gke, linux-ibm, linux-kvm, linux-lowlatency, linux-oracle, linux-raspi vulnerabilities
It was discovered that the eBPF implementation in the Linux kernel did not
properly prevent writes to kernel objects in BPF_BTF_LOAD commands. A
privileged local attacker could use this to cause a denial of service
(system crash) or possibly execute arbitrary code. (CVE-2022-0500)
It was discovered that the Marvell NFC device driver implementation in the
Linux kernel did not properly perform memory cleanup operations in some
situations, leading to a use-after-free vulnerability. A local attacker
could possibly use this to cause a denial of service (system crash) or
execute arbitrary code. (CVE-2022-1734)
Yongkang Jia discovered that the KVM hypervisor im
OSV
linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-azure-fde, linux-gcp, linux-gke, linux-gkeop, linux-gkeop-5.4, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, li
osv·2022-07-13·CVSS 5.5
[MEDIUM] linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-azure-fde, linux-gcp, linux-gke, linux-gkeop, linux-gkeop-5.4, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, li
linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-azure-fde, linux-gcp, linux-gke, linux-gkeop, linux-gkeop-5.4, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4 vulnerabilities
It was discovered that the implementation of the 6pack and mkiss protocols
in the Linux kernel did not handle detach events properly in some
situations, leading to a use-after-free vulnerability. A local attacker
could possibly use this to cause a denial of service (system crash).
(CVE-2022-1195)
Duoming Zhou discovered that the AX.25 amateur radio protocol
implementation in the Linux kernel did not handle detach events properly in
some situations. A local attacker could possibly use this to cause a denial
of service (system crash)
GHSA
GHSA-v8pq-23qj-q7x7: With shadow paging enabled, the INVPCID instruction results in a call to kvm_mmu_invpcid_gva
ghsa_unreviewed·2022-06-03
CVE-2022-1789 [MEDIUM] CWE-476 GHSA-v8pq-23qj-q7x7: With shadow paging enabled, the INVPCID instruction results in a call to kvm_mmu_invpcid_gva
With shadow paging enabled, the INVPCID instruction results in a call to kvm_mmu_invpcid_gva. If INVPCID is executed with CR0.PG=0, the invlpg callback is not set and the result is a NULL pointer dereference.
OSV
CVE-2022-1789: With shadow paging enabled, the INVPCID instruction results in a call to kvm_mmu_invpcid_gva
osv·2022-06-02·CVSS 6.8
CVE-2022-1789 [MEDIUM] CVE-2022-1789: With shadow paging enabled, the INVPCID instruction results in a call to kvm_mmu_invpcid_gva
With shadow paging enabled, the INVPCID instruction results in a call to kvm_mmu_invpcid_gva. If INVPCID is executed with CR0.PG=0, the invlpg callback is not set and the result is a NULL pointer dereference.
Kernel
KVM: x86/mmu: fix NULL pointer dereference on guest INVPCID
kernel_security·2022-05-20·CVSS 6.8
CVE-2022-1789 [MEDIUM] KVM: x86/mmu: fix NULL pointer dereference on guest INVPCID
KVM: x86/mmu: fix NULL pointer dereference on guest INVPCID
With shadow paging enabled, the INVPCID instruction results in a call
to kvm_mmu_invpcid_gva. If INVPCID is executed with CR0.PG=0, the
invlpg callback is not set and the result is a NULL pointer dereference.
Fix it trivially by checking for mmu->invlpg before every call.
There are other possibilities:
- check for CR0.PG, because KVM (like all Intel processors after P5)
flushes guest TLB on CR0.PG changes so that INVPCID/INVLPG are a
nop with paging disabled
- check for EFER.LMA, because KVM syncs and flushes when switching
MMU contexts outside of 64-bit mode
All of these are tricky, go for the simple solution. This is CVE-2022-1789.
Reported-by: Yongkang Jia
Cc: [email protected]
Signed-off-by: Paolo Bonzini
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References:
- https://bugzilla.redhat.com/show_bug.cgi?id=1832397
- https://francozappa.github.io/about-bias/
- https://kb.cert.org/vuls/id/647177/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H6JP355XFVAB33X4BNO3ERVTURFYEDB7/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IBUOQTNTQ4ZCXHOCNKYIL2ZUIAZ675RD/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KCEAPIVPRTJHKPF2A2HVF5XHD5XJT3MN/
- https://www.debian.org/security/2022/dsa-5161
Published: 2022-06-02