CVE-2022-1263: Exploring the NULL Pointer Dereference Issue in KVM with Dirty Ring Support Enabled

In this long-read post, we will delve into the specifics of a recently-disclosed security vulnerability in the Kernel-based Virtual Machine (KVM) subsystem of the Linux kernel. The vulnerability, identified as CVE-2022-1263, is a NULL pointer dereference issue that occurs when releasing a Virtual CPU (vCPU) with dirty ring support enabled. An unprivileged local attacker on the host can exploit this flaw to cause a kernel oops condition, leading to a denial of service (DoS).

We will provide an overview of the issue, examine the code snippet involved, and discuss the exploit details. Additionally, we will share relevant links to original references for further reading on this vulnerability.

Overview

KVM is a popular open-source virtualization solution built into the Linux kernel. It provides hardware-assisted virtualization capabilities for running multiple, isolated virtual machines (VMs) on a single physical host. The vCPU is a virtual processor allocated to each VM, offering an abstraction of the physical CPU resources.

Dirty ring support is a KVM feature that allows for efficient tracking and processing of the so-called "dirty" memory pages – memory pages in a guest VM that have been modified since the last checkpoint. This feature is crucial for maintaining synchronization and consistency across live migration scenarios, where a running VM is moved from one host to another without interruption.

CVE-2022-1263 arises when KVM attempts to release a vCPU with dirty ring support enabled. A NULL pointer dereference issue occurs, allowing an unprivileged local attacker to issue specific ioctl calls that trigger a kernel oops condition, ultimately causing a DoS event.

Code Snippet

The code snippet containing the vulnerability can be found in the 'kvm_vcpu_release()' function within the 'virt/kvm/kvm_main.c' file in the Linux kernel source code:

static void kvm_vcpu_release(struct kref *kref)
{
	struct kvm_vcpu *vcpu = container_of(kref, struct kvm_vcpu, refcount);

	put_pid(vcpu->pid);
	kvm_arch_vcpu_destroy(vcpu);
	kvm_free_vcpus(vcpu);
	kfree(vcpu->dirty_ring);
	kfree(vcpu);
}

The issue lies in the 'kfree(vcpu->dirty_ring)' line, where a NULL pointer dereference can occur, allowing an attacker to exploit this flaw.

Exploit Details

An attacker can exploit CVE-2022-1263 by issuing specific ioctl calls to the KVM subsystem. Ioctl calls are used to interact with device drivers and kernel subsystems, facilitating the control and manipulation of various kernel functions.

In this case, an unprivileged local attacker could issue the appropriate ioctl calls to create a vCPU with dirty ring support enabled and then use another ioctl call to release the vCPU. This specific sequence of calls can trigger the NULL pointer dereference issue described above, causing a kernel oops condition that will eventually lead to a DoS event.

For further insights into CVE-2022-1263, consult the following sources

1. Official CVE Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1263
2. Linux Kernel Mailing List (LKML) Discussion: https://lore.kernel.org/lkml/20210727225529.299560-1-likun.fly@bytedance.com/
3. Patch Submission: https://lore.kernel.org/lkml/20210727225529.299560-2-likun.fly@bytedance.com/
4. KVM Documentation: https://www.kernel.org/doc/html/latest/virt/kvm/index.html

Conclusion

CVE-2022-1263 highlights the importance of thoroughly scrutinizing and reviewing not just complex, but also seemingly simple, code snippets in crucial kernel subsystems. It is essential for developers, security researchers, and system administrators to stay informed about such vulnerabilities and apply patches and mitigation strategies when available. In the case of CVE-2022-1263, a patch has been submitted to address the issue, and Linux kernel maintainers are expected to incorporate the fix in the upcoming versions of the kernel.

Timeline

Published on: 08/31/2022 16:15:00 UTC
Last modified on: 09/07/2022 13:11:00 UTC