Vigil@nce - Linux kernel: NULL pointer dereference via kvm_apic_has_events
July 2015 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can force a NULL pointer to be dereferenced in
"kvm_apic_has_events()" of the Linux kernel, in order to trigger a
denial of service.
Impacted products: Fedora, Linux
Severity: 1/4
Creation date: 29/06/2015
DESCRIPTION OF THE VULNERABILITY
The Linux kernel offers a virtualization layer: KVM.
A KVM virtual machine may have a local APIC (interrupt controller)
emulated in the kernel; that emulation is partially implemented in
the source file "arch/x86/kvm/lapic.h". However, the function
"kvm_apic_has_events", defined in this file, dereferences the
per-vCPU APIC pointer without first checking whether it is NULL,
which is the case for a vCPU whose guest has no in-kernel LAPIC.
An attacker can therefore force a NULL pointer to be dereferenced
in "kvm_apic_has_events()" of the Linux kernel, in order to
trigger a denial of service.
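The pattern described above, as an added illustration that is not the kernel's code and not part of the Vigil@nce bulletin: a stripped-down model of the per-vCPU APIC pointer, the unguarded accessor that oopses when the pointer is NULL, and a guarded version beside it. The structures here are simplified stand-ins, the helper name "kvm_vcpu_has_lapic" is borrowed from lapic.h but its body is our own, and the upstream fix itself is not reproduced.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Simplified stand-ins for the KVM structures; these are NOT the kernel's
 * definitions, only enough shape to show the bug class described above.
 * In KVM a guest can run without an in-kernel local APIC, in which case the
 * per-vCPU apic pointer is NULL.
 */
struct kvm_lapic {
    unsigned int pending_events;   /* non-zero when APIC work is pending */
};

struct kvm_vcpu_arch {
    struct kvm_lapic *apic;        /* NULL: this vCPU has no in-kernel LAPIC */
};

struct kvm_vcpu {
    struct kvm_vcpu_arch arch;
};

/* Name borrowed from the kernel's lapic.h helper; the body is our simplification. */
static inline bool kvm_vcpu_has_lapic(const struct kvm_vcpu *vcpu)
{
    return vcpu->arch.apic != NULL;
}

/*
 * Vulnerable shape: the pointer is dereferenced unconditionally, so a vCPU
 * without a LAPIC makes the kernel read through NULL (oops -> host DoS).
 * Never call this with arch.apic == NULL.
 */
static inline bool kvm_apic_has_events_vuln(const struct kvm_vcpu *vcpu)
{
    return vcpu->arch.apic->pending_events != 0;
}

/*
 * Hardened shape: the has-LAPIC check short-circuits before the dereference,
 * so a vCPU without a LAPIC simply reports "no events".
 */
static inline bool kvm_apic_has_events_fixed(const struct kvm_vcpu *vcpu)
{
    return kvm_vcpu_has_lapic(vcpu) && vcpu->arch.apic->pending_events != 0;
}

/* Build a vCPU around an optional LAPIC (NULL = no LAPIC). */
static struct kvm_vcpu make_vcpu(struct kvm_lapic *apic)
{
    struct kvm_vcpu vcpu = { .arch = { .apic = apic } };
    return vcpu;
}

/*
 * Drive the hardened helper through the three states a caller can meet.
 * Returns the number of checks that behaved as expected (3 on success).
 */
static int exercise_fixed(void)
{
    struct kvm_lapic idle = { .pending_events = 0 };
    struct kvm_lapic busy = { .pending_events = 1u << 0 };
    struct kvm_vcpu no_lapic = make_vcpu(NULL);   /* the crashing case for _vuln */
    struct kvm_vcpu v_idle = make_vcpu(&idle);
    struct kvm_vcpu v_busy = make_vcpu(&busy);
    int ok = 0;

    ok += (kvm_apic_has_events_fixed(&no_lapic) == false); /* no crash, no events */
    ok += (kvm_apic_has_events_fixed(&v_idle) == false);
    ok += (kvm_apic_has_events_fixed(&v_busy) == true);
    return ok;
}

int main(void)
{
    struct kvm_lapic busy = { .pending_events = 1 };
    struct kvm_vcpu v_busy = make_vcpu(&busy);

    /* Both versions agree when a LAPIC is present... */
    printf("with LAPIC: vuln=%d fixed=%d\n",
           kvm_apic_has_events_vuln(&v_busy),
           kvm_apic_has_events_fixed(&v_busy));
    /* ...only the hardened one survives a vCPU with no LAPIC. */
    printf("hardened checks passed: %d/3\n", exercise_fixed());
    return 0;
}
```

The guard is deliberately placed inside the accessor rather than at each call site: a helper named "has_events" is the kind of function callers invoke from generic vCPU paths (wakeup, event injection) without knowing whether this particular guest was configured with a LAPIC, so the accessor is the only place where the check is guaranteed to run.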
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN