Vigil@nce - Linux kernel: NULL pointer dereference via the machine instruction INVEPT
June 2017 by Vigil@nce
This bulletin was written by Vigil@nce: https://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
A privileged attacker, inside a guest system, can force a NULL
pointer to be dereferenced by the Linux host kernel via the
machine instruction INVEPT, in order to trigger a denial of
service against the host system.
Impacted products: Linux, SUSE Linux Enterprise Desktop, SLES.
Severity: 2/4.
Creation date: 25/04/2017.
DESCRIPTION OF THE VULNERABILITY
The KVM subsystem emulates privileged machine instructions on behalf of
guest systems. INVEPT is a VMX instruction, so it is emulated for a guest
that is itself acting as a hypervisor (nested virtualization).
KVM keeps a per-virtual-CPU data structure describing the guest's VMX
context. However, the function handle_invept(), which runs when the guest
executes INVEPT, uses a pointer field of this structure without first
checking whether it is NULL.
A privileged attacker, inside a guest system, can therefore force
a NULL pointer to be dereferenced by the Linux host kernel via the
machine instruction INVEPT, in order to trigger a denial of
service against the host system.
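The bug class described above, as an added user-space model that is not the bulletin's or the Linux kernel's code: a per-vCPU context with a pointer field the guest can leave unset, a handler that dereferences it unconditionally, and the hardened form that refuses the instruction instead. The names (vmx_ctx, current_vmcs, the ACTION_* return codes) and the triggering sequence used to make the field NULL (INVEPT after VMXON with no VMCS loaded) are assumptions of the model; the bulletin only states that the field can be NULL and is not checked.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added, hypothetical user-space model of the bug class in the bulletin.
 * It is NOT Linux/KVM code: the struct layout, the field name current_vmcs,
 * the return codes and the two handler variants are assumptions chosen to
 * show the missing NULL check and its fix.
 */

/* What the emulated-instruction handler tells the VM-exit dispatcher to do. */
enum exit_action {
    ACTION_RESUME_GUEST = 0,   /* instruction emulated, re-enter the guest */
    ACTION_INJECT_FAULT = 1    /* refuse: raise an exception in the guest */
};

/* Stand-in for the guest hypervisor's currently loaded VMCS. */
struct vmcs_state {
    uint64_t ept_pointer;      /* EPTP the guest wants invalidated */
};

/* Per-virtual-CPU VMX context kept by the host (assumed layout). */
struct vmx_ctx {
    int vmxon;                        /* guest has executed VMXON */
    struct vmcs_state *current_vmcs;  /* NULL until the guest loads a VMCS */
    unsigned long flushes;            /* EPT invalidations actually done */
};

/* Vulnerable handler: assumes that VMXON implies a loaded VMCS. */
static int handle_invept_vulnerable(struct vmx_ctx *ctx, uint64_t *eptp_out)
{
    if (!ctx->vmxon)
        return ACTION_INJECT_FAULT;
    /*
     * BUG: ctx->current_vmcs is never checked. A guest that executes
     * INVEPT after VMXON but before loading any VMCS turns this line into
     * a NULL pointer dereference in the host, i.e. a guest-driven host crash.
     */
    *eptp_out = ctx->current_vmcs->ept_pointer;
    ctx->flushes++;
    return ACTION_RESUME_GUEST;
}

/* Hardened handler: validates every pointer the guest can leave unset. */
static int handle_invept_fixed(struct vmx_ctx *ctx, uint64_t *eptp_out)
{
    if (!ctx->vmxon)
        return ACTION_INJECT_FAULT;
    if (!ctx->current_vmcs)    /* the missing check */
        return ACTION_INJECT_FAULT;
    *eptp_out = ctx->current_vmcs->ept_pointer;
    ctx->flushes++;
    return ACTION_RESUME_GUEST;
}

/*
 * Drive the fixed handler through the guest-side sequence that would crash
 * the vulnerable one: VMXON, INVEPT with no VMCS loaded, then INVEPT again
 * once a VMCS is in place. Returns 1 if the handler behaved safely.
 */
static int run_scenario(struct vmx_ctx *ctx, uint64_t *eptp_out)
{
    /* Constructed EPTP: WB memory type (6) and a 4-level walk (3 << 3). */
    struct vmcs_state vmcs = { .ept_pointer = 0x7f1ec000ULL | 0x1e };

    ctx->vmxon = 1;
    ctx->current_vmcs = NULL;
    ctx->flushes = 0;

    if (handle_invept_fixed(ctx, eptp_out) != ACTION_INJECT_FAULT)
        return 0;               /* must refuse rather than touch NULL */
    if (ctx->flushes != 0)
        return 0;               /* nothing may be flushed on the refused path */

    ctx->current_vmcs = &vmcs;
    if (handle_invept_fixed(ctx, eptp_out) != ACTION_RESUME_GUEST)
        return 0;
    ctx->current_vmcs = NULL;   /* vmcs goes out of scope; do not dangle */
    return ctx->flushes == 1 && *eptp_out == vmcs.ept_pointer;
}

int main(void)
{
    struct vmx_ctx ctx = { 0 };
    uint64_t eptp = 0;

    printf("fixed handler safe across the scenario: %s\n",
           run_scenario(&ctx, &eptp) ? "yes" : "no");
    /* handle_invept_vulnerable() on a context with a NULL current_vmcs
     * would crash this process, just as it crashes the host kernel. */
    return 0;
}
```

The point of the model is the check, not the exact field: any state a guest can reach only partly (VMXON done, VMCS not loaded) must be validated on every emulated-instruction path that consumes it, and the refused path must perform no side effects such as a flush.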
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN