CVE-2018-19406, CVE-2018-19407: Two DoS vulnerabilities on Linux Kernel

Wanpeng Li recently discovered two denial-of-service (DoS) vulnerabilities in the Linux kernel, both NULL pointer dereference bugs that a local attacker can trigger to put the system into a DoS state. The first, assigned CVE-2018-19406 in Common Vulnerabilities and Exposures, is in the kvm_pv_send_ipi function of the Linux kernel, defined in arch/x86/kvm/lapic.c.

CVE-2018-19406 affects Linux kernel 4.19.2 and allows an attacker to reach a DoS state on unpatched systems via crafted system calls. The root cause is that the Advanced Programmable Interrupt Controller (APIC) map has not been initialized correctly before it is used.

Wanpeng Li wrote:

“The reason is that the apic map has not yet been initialized, the testcase triggers pv_send_ipi interface by vmcall which results in kvm->arch.apic_map being dereferenced. This patch fixes it by checking whether or not apic map is NULL and bailing out immediately if that is the case.”

The second vulnerability discovered by Wanpeng Li is limited to situations where an attacker has physical access to the device. Numbered CVE-2018-19407 in the National Vulnerability Database, it is in the vcpu_scan_ioapic function in arch/x86/kvm/x86.c in the Linux kernel through 4.19.2 and allows local users to cause a denial of service (NULL pointer dereference and BUG) via crafted system calls that reach a situation where ioapic is uninitialized.
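Both bugs have the same shape: a guest-reachable path uses a pointer (the APIC map, the ioapic) before the initialization that sets it has run. The added example below is not the kernel's code or Wanpeng Li's patch; it models CVE-2018-19406 with hypothetical types and functions (apic_map_model, kvm_model, pv_send_ipi_unchecked, pv_send_ipi_checked) to show the missing check beside the fix the commit message describes.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed, simplified model of the KVM state behind CVE-2018-19406. The
 * names (apic_map_model, kvm_model, pv_send_ipi_*) are hypothetical: they only
 * mirror the shape of kvm->arch.apic_map and are not the kernel's own code. */
struct apic_map_model { int nr_vcpus; /* vCPUs known to the map */ };

struct kvm_model {
    struct apic_map_model *apic_map; /* NULL until the guest's APIC map is built */
};

/* Vulnerable shape: assumes apic_map was built before the first pv_send_ipi
 * hypercall. Called earlier, the map is still NULL and the dereference is a
 * kernel BUG, i.e. the denial of service described above. */
int pv_send_ipi_unchecked(struct kvm_model *kvm, uint64_t ipi_bitmap)
{
    int sent = 0;
    for (int i = 0; i < kvm->apic_map->nr_vcpus; i++) /* NULL deref if unset */
        if (ipi_bitmap & (1ULL << i))
            sent++;
    return sent;
}

/* Hardened shape, following the fix quoted above: check the map first and
 * bail out with an error instead of using it. The errno is a choice for this
 * model; the page does not state what the kernel patch returns. */
int pv_send_ipi_checked(struct kvm_model *kvm, uint64_t ipi_bitmap)
{
    struct apic_map_model *map = kvm->apic_map;
    int sent = 0;
    if (map == NULL)
        return -EINVAL;  /* map not initialized yet: refuse the request */
    for (int i = 0; i < map->nr_vcpus; i++)
        if (ipi_bitmap & (1ULL << i))
            sent++;
    return sent;
}

int main(void)
{
    struct kvm_model kvm = { .apic_map = NULL };
    struct apic_map_model map = { .nr_vcpus = 4 };
    printf("before map init: %d\n", pv_send_ipi_checked(&kvm, 0x3));
    kvm.apic_map = &map;
    printf("after map init:  %d\n", pv_send_ipi_checked(&kvm, 0x3));
    return 0;
}
```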