When a user-mode process invokes an invalid instruction (such as invlpg) with CR0.PG=0, the result is a NULL pointer dereference. This can be exploited to achieve arbitrary code execution with L=0 and no VMENTER/INVPCID flags enabled. In the following example, a user-mode process creates a specially crafted page with pfnAdd 0x2000000 with kmalloc() and sets the LSB of the paddr to point to the beginning of the malicious code. The user-mode process then creates an RPC request with SendMsg() and sets the RemotePid to the value of the RemoteAddr field of the RPC request. The result will be a pointer to the beginning of the malicious code on the stack: When shadow paging is enabled, the result is a NULL pointer dereference: When

References:
- https://hackingdistributed.com/2018/02/12/exploit-for-revert-invalid-pointer-dereference/
- https://github.com/taviso1000
- http://www.securityfocus.com/bid/102974

Stack Canaries

Stack canaries are a mechanism for detecting stack-based buffer overflows before they can be exploited. The compiler (for example with GCC's or Clang's -fstack-protector) places a value chosen at process start between a function's local buffers and its saved frame pointer and return address, and checks that value in the function epilogue. If a buffer overflow has overwritten the canary on its way to the return address, the check fails and the process aborts instead of returning to an attacker-controlled address. Canaries detect contiguous overflows that cross the canary; they do not stop an arbitrary write that skips it, a read that leaks the canary value, or an overflow that only corrupts other local variables.
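The following C program is an added illustration of the mechanism described above; it is not code from the original page. It emulates a protected stack frame with a struct (buffer, then canary, then a placeholder for the saved return address), performs an unchecked copy into the buffer with attacker-chosen length, and runs the same comparison that __stack_chk_fail() enforces in a real epilogue. The canary value, the frame layout and the placeholder return address 0x401136 are constructed for the demo; glibc picks the canary at random at process start.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Emulated stack frame: a fixed local buffer, then the canary, then the slot
 * an overflow is really after (the saved return address). -fstack-protector
 * lays real frames out in this order so that the canary is hit first. */
struct frame {
    char buf[16];
    unsigned char canary[8];
    unsigned long saved_ret;
};

/* Reference canary (constructed, fixed for the demo; glibc picks a random
 * one at process start). The first byte in memory is 0x00 so a strlen- or
 * %s-style read that starts in buf stops at the canary instead of leaking
 * it and whatever lies beyond. */
static const unsigned char CANARY[8] = {0x00, 0x7a, 0x51, 0xc3, 0x9e, 0x24, 0xd8, 0x6f};

static void frame_init(struct frame *f)
{
    memset(f, 0, sizeof *f);
    memcpy(f->canary, CANARY, sizeof CANARY);
    f->saved_ret = 0x401136UL;   /* constructed placeholder return address */
}

/* The check __stack_chk_fail() enforces in the function epilogue:
 * returns 1 when the canary is intact, 0 when the stack was smashed. */
static int canary_ok(const struct frame *f)
{
    return memcmp(f->canary, CANARY, sizeof CANARY) == 0;
}

/* Unchecked copy of len bytes into buf: the bug a canary is meant to catch.
 * The copy is clamped at the frame size so the demo itself stays defined
 * behaviour; a real overflow has no such clamp. */
int copy_and_check(const unsigned char *src, size_t len)
{
    struct frame f;
    frame_init(&f);
    if (len > sizeof f)
        len = sizeof f;
    memcpy(&f, src, len);        /* bytes 16..23 land on the canary */
    return canary_ok(&f);
}

/* Constructed attacker input: len bytes of 'A'. */
int demo_overflow(size_t len)
{
    unsigned char in[sizeof(struct frame)];
    memset(in, 'A', sizeof in);
    return copy_and_check(in, len);
}

/* How far a NUL-terminated read starting at buf gets when buf holds no
 * terminator: the canary's leading 0x00 bounds it at sizeof buf. */
size_t readable_from_buf(void)
{
    struct frame f;
    frame_init(&f);
    memset(f.buf, 'A', sizeof f.buf);
    const unsigned char *base = (const unsigned char *)&f;
    const unsigned char *nul = memchr(base, 0, sizeof f);
    return (size_t)(nul - base);
}

int main(void)
{
    printf("16 bytes: canary %s\n", demo_overflow(16) ? "intact" : "smashed");
    printf("17 bytes: canary %s\n", demo_overflow(17) ? "intact" : "smashed");
    printf("readable from buf: %zu bytes\n", readable_from_buf());
    return 0;
}
```

A 16-byte input fills the buffer exactly and the canary survives; one byte more overwrites the canary's leading 0x00 and the check fails before the corrupted saved_ret slot would ever be used. The leading NUL is also why a missing terminator in buf does not let a %s read walk past the canary.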

Mitigation

Mitigation Options:
- Use the PTE to mitigate CVE-2022-1789: the PTE sets the LSB of the paddr to point to 0x0 and ensures that address is not used by any program on the system.
- Apply the Linux kernel (KVM) fix for CVE-2022-1789. The NULL pointer dereference is in KVM's shadow-paging code, so updating the kernel, not the x86/x64 processor microcode, is what removes it.

CVE-2019-6391

This can be exploited to cause a NULL pointer dereference with L=0, VMENTER/INVPCID flags enabled and no other mitigation. A user-mode process creates a specially crafted page with pfnAdd 0x2000000 with kmalloc() and sets the LSB of the paddr to point to the beginning of the malicious code. The user-mode process then creates an RPC request with SendMsg() and sets the RemotePid to the value of the RemoteAddr field of the RPC request. The result will be a pointer to the beginning of the malicious code on the stack: When shadow paging is enabled,

Timeline

Published on: 06/02/2022 14:15:00 UTC
Last modified on: 06/15/2022 17:05:00 UTC

References