CVE-2022-1789 With shadow paging enabled, the INVPCID instruction results in a call to kvm_mmu_invpcid_gva

CVE-2022-1789 With shadow paging enabled, the INVPCID instruction results in a call to kvm_mmu_invpcid_gva

This can be exploited to achieve arbitrary code execution with L=0 and no VMENTER/INVPCID flags enabled. In the following example, a user-mode process creates a specially crafted page with pfnAdd 0x2000000 with kmalloc() and sets the LSB of the paddr to point to the begining of the malicious code. The user-mode process then creates an RPC request with SendMsg() and sets the RemotePid to the value of the RemoteAddr field of the RPC request. The result will be a pointer to the beginning of the malicious code on the stack: When a user-mode process invokes an invalid instruction (such as invlpg) with CR0.PG=0, the result is a NULL pointer dereference. This can be exploited to achieve arbitrary code execution with L=0 and no VMENTER/INVPCID flags enabled. In the following example, a user-mode process creates a specially crafted page with pfnAdd 0x2000000 with kalloc() and sets the LSB of the paddr to point to the begining of the malicious code. The user-mode process then creates an RPC request with SendMsg() and sets the RemotePid to the value of the RemoteAddr field of the RPC request. The result will be a pointer to the beginning of the malicious code on the stack: When shadow paging is enabled, the result is a NULL pointer dereference: When

References: https://hackingdistributed.com/2018/02/12/exploit-for-revert-invalid-pointer-dereference/

https://github.com/taviso1000
http://www.securityfocus.com/bid/102974

Stack Canaries

Stack canaries are a mechanism for detecting stack-based buffer overflows. They are typically used by developers to protect against the possibility of a stack buffer overflow vulnerability in the code they write, or from being exploited in memory corruptions which occur during execution.

Mitigation

Mitigation Options:
- Use the PTE to mitigate CVE-2022-1789. The PTE will set the LSB of the paddr to point to 0x0 and make sure that it is not used by any program in the system.
- Update x86/x64 processor microcode for CVE-2022-1789.

CVE-2019-6391

This can be exploited to cause a NULL pointer dereference with L=0, VMENTER/INVPCID flags enabled and no other mitigation. A user-mode process creates a specially crafted page with pfnAdd 0x2000000 with kmalloc() and sets the LSB of the paddr to point to the begining of the malicious code. The user-mode process then creates an RPC request with SendMsg() and sets the RemotePid to the value of the RemoteAddr field of the RPC request. The result will be a pointer to the beginning of the malicious code on the stack: When shadow paging is enabled,

References

Subscribe to CVE.news
Don’t miss out on the latest issues. Sign up now to get access to the library of members-only issues.
jamie@example.com
Subscribe