CVE-2022-2153

一、漏洞信息
 漏洞编号：[CVE-2022-2153](https://nvd.nist.gov/vuln/detail/CVE-2022-2153)
 漏洞归属组件：[kernel](https://gitee.com/src-openeuler/kernel)
 漏洞归属的版本：4.19.140,4.19.194,4.19.90,5.10.0,OLK-5.10,openEuler-1.0-LTS,openEuler-22.03-LTS
 CVSS V3.0分值：
  BaseScore：6.5 Medium
  Vector：CVSS：3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
 漏洞简述：
  A flaw was found in the Linux kernel’s KVM when attempting to set a SynIC IRQ. This issue makes it possible for a misbehaving VMM to write to SYNIC/STIMER MSRs, causing a NULL pointer dereference. This flaw allows an unprivileged local attacker on the host to issue specific ioctl calls, causing a kernel oops condition that results in a denial of service.
 漏洞公开时间：2022-09-01 00:15:00
 漏洞创建时间：2022-06-28 15:09:04
 漏洞详情参考链接：
  https://nvd.nist.gov/vuln/detail/CVE-2022-2153
<details>
<summary>更多参考(点击展开)</summary>

| 参考来源 | 参考链接 | 来源链接 |
| ------- | -------- | -------- |
| nvd | https://github.com/torvalds/linux/commit/00b5f37189d24ac3ed46cb7f11742094778c46ce |  |
| nvd | https://github.com/torvalds/linux/commit/b1e34d325397a33d97d845e312d7cf2a8b646b44 |  |
| nvd | https://bugzilla.redhat.com/show_bug.cgi?id=2069736 |  |
| nvd | https://www.openwall.com/lists/oss-security/2022/06/22/1 |  |
| nvd | https://github.com/torvalds/linux/commit/7ec37d1cbe17d8189d9562178d8b29167fe1c31a |  |
| nvd | https://lists.debian.org/debian-lts-announce/2022/10/msg00000.html |  |
| nvd | https://lists.debian.org/debian-lts-announce/2022/11/msg00001.html |  |
| redhat | https://access.redhat.com/security/cve/CVE-2022-2153 |  |
| suse_bugzilla | https://patchew.org/linux/20220325132140.25650-1-vkuznets@redhat.com/ | https://bugzilla.suse.com/show_bug.cgi?id=1200788 |
| suse_bugzilla | https://bugzilla.redhat.com/show_bug.cgi?id=2069736 | https://bugzilla.suse.com/show_bug.cgi?id=1200788 |
| suse_bugzilla | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-2153 | https://bugzilla.suse.com/show_bug.cgi?id=1200788 |
| redhat_bugzilla | https://patchew.org/linux/20220325132140.25650-1-vkuznets@redhat.com/ | https://bugzilla.redhat.com/show_bug.cgi?id=2069736 |
| redhat_bugzilla | https://github.com/torvalds/linux/commit/7ec37d1cbe17d8189d9562178d8b29167fe1c31a | https://bugzilla.redhat.com/show_bug.cgi?id=2069736 |
| redhat_bugzilla | https://github.com/torvalds/linux/commit/00b5f37189d24ac3ed46cb7f11742094778c46ce | https://bugzilla.redhat.com/show_bug.cgi?id=2069736 |
| redhat_bugzilla | https://github.com/torvalds/linux/commit/b1e34d325397a33d97d845e312d7cf2a8b646b44 | https://bugzilla.redhat.com/show_bug.cgi?id=2069736 |
| ubuntu | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2153 | https://ubuntu.com/security/CVE-2022-2153 |
| ubuntu | https://access.redhat.com/security/cve/CVE-2022-2153 | https://ubuntu.com/security/CVE-2022-2153 |
| ubuntu | https://git.kernel.org/pub/scm/virt/kvm/kvm.git/commit/?h=queue&id=00b5f37189d24ac3ed46cb7f11742094778c46c | https://ubuntu.com/security/CVE-2022-2153 |
| ubuntu | https://www.openwall.com/lists/oss-security/2022/06/22/1 | https://ubuntu.com/security/CVE-2022-2153 |
| ubuntu | https://ubuntu.com/security/notices/USN-5727-1 | https://ubuntu.com/security/CVE-2022-2153 |
| ubuntu | https://ubuntu.com/security/notices/USN-5728-1 | https://ubuntu.com/security/CVE-2022-2153 |
| ubuntu | https://ubuntu.com/security/notices/USN-5727-2 | https://ubuntu.com/security/CVE-2022-2153 |
| ubuntu | https://ubuntu.com/security/notices/USN-5728-2 | https://ubuntu.com/security/CVE-2022-2153 |
| ubuntu | https://ubuntu.com/security/notices/USN-5728-3 | https://ubuntu.com/security/CVE-2022-2153 |
| ubuntu | https://ubuntu.com/security/notices/USN-5774-1 | https://ubuntu.com/security/CVE-2022-2153 |
| ubuntu | https://nvd.nist.gov/vuln/detail/CVE-2022-2153 | https://ubuntu.com/security/CVE-2022-2153 |
| ubuntu | https://launchpad.net/bugs/cve/CVE-2022-2153 | https://ubuntu.com/security/CVE-2022-2153 |
| ubuntu | https://security-tracker.debian.org/tracker/CVE-2022-2153 | https://ubuntu.com/security/CVE-2022-2153 |
| debian |  | https://security-tracker.debian.org/tracker/CVE-2022-2153 |
| oracle |  | https://www.oracle.com/security-alerts/linuxbulletinjul2022.html |
| anolis |  | https://anas.openanolis.cn/cves/detail/CVE-2022-2153 |
| cve_search |  | https://github.com/torvalds/linux/commit/00b5f37189d24ac3ed46cb7f11742094778c46ce |
| cve_search |  | https://github.com/torvalds/linux/commit/b1e34d325397a33d97d845e312d7cf2a8b646b44 |
| cve_search |  | https://bugzilla.redhat.com/show_bug.cgi?id=2069736 |
| cve_search |  | https://www.openwall.com/lists/oss-security/2022/06/22/1 |
| cve_search |  | https://github.com/torvalds/linux/commit/7ec37d1cbe17d8189d9562178d8b29167fe1c31a |
| amazon_linux | https://alas.aws.amazon.com/cve/html/CVE-2022-1679.html | https://alas.aws.amazon.com/AL2/ALAS-2022-1838.html |
| amazon_linux | https://alas.aws.amazon.com/cve/html/CVE-2022-2153.html | https://alas.aws.amazon.com/AL2/ALAS-2022-1838.html |
| amazon_linux | https://alas.aws.amazon.com/cve/html/CVE-2022-2588.html | https://alas.aws.amazon.com/AL2/ALAS-2022-1838.html |
| amazon_linux | https://alas.aws.amazon.com/cve/html/CVE-2022-26373.html | https://alas.aws.amazon.com/AL2/ALAS-2022-1838.html |
| amazon_linux | https://alas.aws.amazon.com/cve/html/CVE-2022-28693.html | https://alas.aws.amazon.com/AL2/ALAS-2022-1838.html |
| amazon_linux | https://alas.aws.amazon.com/cve/html/CVE-2022-29901.html | https://alas.aws.amazon.com/AL2/ALAS-2022-1838.html |
| amazon_linux | https://alas.aws.amazon.com/cve/html/CVE-2022-36946.html | https://alas.aws.amazon.com/AL2/ALAS-2022-1838.html |
| amazon_linux | https://alas.aws.amazon.com/cve/html/CVE-2022-2257.html | https://alas.aws.amazon.com/ALAS-2022-1639.html |
| amazon_linux | https://alas.aws.amazon.com/cve/html/CVE-2022-2264.html | https://alas.aws.amazon.com/ALAS-2022-1639.html |
| amazon_linux | https://alas.aws.amazon.com/cve/html/CVE-2022-2284.html | https://alas.aws.amazon.com/ALAS-2022-1639.html |
| amazon_linux | https://alas.aws.amazon.com/cve/html/CVE-2022-2285.html | https://alas.aws.amazon.com/ALAS-2022-1639.html |
| amazon_linux | https://alas.aws.amazon.com/cve/html/CVE-2022-2286.html | https://alas.aws.amazon.com/ALAS-2022-1639.html |
| amazon_linux | https://alas.aws.amazon.com/cve/html/CVE-2022-2287.html | https://alas.aws.amazon.com/ALAS-2022-1639.html |
| amazon_linux | https://alas.aws.amazon.com/cve/html/CVE-2022-2288.html | https://alas.aws.amazon.com/ALAS-2022-1639.html |
| amazon_linux | https://alas.aws.amazon.com/cve/html/CVE-2022-2289.html | https://alas.aws.amazon.com/ALAS-2022-1639.html |
| amazon_linux | https://alas.aws.amazon.com/cve/html/CVE-2022-2304.html | https://alas.aws.amazon.com/ALAS-2022-1639.html |
| amazon_linux | https://alas.aws.amazon.com/cve/html/CVE-2022-2343.html | https://alas.aws.amazon.com/ALAS-2022-1639.html |
| amazon_linux | https://alas.aws.amazon.com/cve/html/CVE-2022-2344.html | https://alas.aws.amazon.com/ALAS-2022-1639.html |
| amazon_linux | https://alas.aws.amazon.com/cve/html/CVE-2022-2345.html | https://alas.aws.amazon.com/ALAS-2022-1639.html |
| amazon_linux | https://alas.aws.amazon.com/cve/html/CVE-2022-2816.html | https://alas.aws.amazon.com/ALAS-2022-1639.html |
| amazon_linux | https://alas.aws.amazon.com/cve/html/CVE-2022-2817.html | https://alas.aws.amazon.com/ALAS-2022-1639.html |
| amazon_linux | https://alas.aws.amazon.com/cve/html/CVE-2022-2819.html | https://alas.aws.amazon.com/ALAS-2022-1639.html |
| amazon_linux | https://alas.aws.amazon.com/cve/html/CVE-2022-3037.html | https://alas.aws.amazon.com/ALAS-2022-1639.html |
| ubuntu | https://marc.info/?i=49bd403c.4d90.181899b3a76.Coremail.22021034@zju.edu.cn | https://ubuntu.com/security/CVE-2022-2153 |
| nvd | https://lists.debian.org/debian-lts-announce/2022/11/msg00001.html |  |
| suse_bugzilla | https://patchew.org/linux/20220325132140.25650-1-vkuznets@redhat.com/ |  |
| suse_bugzilla | https://bugzilla.redhat.com/show_bug.cgi?id=2069736 |  |
| suse_bugzilla | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-2153 |  |
| redhat_bugzilla | https://patchew.org/linux/20220325132140.25650-1-vkuznets@redhat.com/ |  |
| redhat_bugzilla | https://github.com/torvalds/linux/commit/7ec37d1cbe17d8189d9562178d8b29167fe1c31a |  |
| redhat_bugzilla | https://github.com/torvalds/linux/commit/00b5f37189d24ac3ed46cb7f11742094778c46ce |  |
| redhat_bugzilla | https://github.com/torvalds/linux/commit/b1e34d325397a33d97d845e312d7cf2a8b646b44 |  |
| redhat_bugzilla | https://bugzilla.redhat.com/show_bug.cgi?id=2069736 |  |
| ubuntu | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2153 |  |
| ubuntu | https://access.redhat.com/security/cve/CVE-2022-2153 |  |
| ubuntu | https://git.kernel.org/pub/scm/virt/kvm/kvm.git/commit/?h=queue&id=00b5f37189d24ac3ed46cb7f11742094778c46c |  |
| ubuntu | https://marc.info/?i=49bd403c.4d90.181899b3a76.Coremail.22021034@zju.edu.cn |  |
| ubuntu | https://nvd.nist.gov/vuln/detail/CVE-2022-2153 |  |
| ubuntu | https://launchpad.net/bugs/cve/CVE-2022-2153 |  |
| ubuntu | https://security-tracker.debian.org/tracker/CVE-2022-2153 |  |
| debian | https://security-tracker.debian.org/tracker/CVE-2022-2153 |  |
| oracle | https://www.oracle.com/security-alerts/linuxbulletinjul2022.html |  |
| anolis | https://anas.openanolis.cn/cves/detail/CVE-2022-2153 |  |
| nvd | https://lists.debian.org/debian-lts-announce/2022/10/msg00000.html |  |
| nvd | https://github.com/torvalds/linux/commit/00b5f37189d24ac3ed46cb7f11742094778c46ce |  |
| nvd | https://github.com/torvalds/linux/commit/b1e34d325397a33d97d845e312d7cf2a8b646b44 |  |
| nvd | https://bugzilla.redhat.com/show_bug.cgi?id=2069736 |  |
| nvd | https://www.openwall.com/lists/oss-security/2022/06/22/1 |  |
| nvd | https://github.com/torvalds/linux/commit/7ec37d1cbe17d8189d9562178d8b29167fe1c31a |  |

</details>

漏洞分析指导链接：
  https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md
 漏洞数据来源:
  其它
 漏洞补丁信息：
  <details>
<summary>详情(点击展开)</summary>

| 影响的包 | 修复版本 | 修复补丁 | 问题引入补丁 | 来源  |
| ------- | -------- | ------- | -------- | --------- |
|  |  | https://github.com/torvalds/linux/commit/00b5f37189d24ac3ed46cb7f11742094778c46ce |  | nvd |
|  |  | https://github.com/torvalds/linux/commit/b1e34d325397a33d97d845e312d7cf2a8b646b44 |  | nvd |
|  |  | https://github.com/torvalds/linux/commit/7ec37d1cbe17d8189d9562178d8b29167fe1c31a |  | nvd |
|  |  | https://github.com/torvalds/linux/commit/7ec37d1cbe17d8189d9562178d8b29167fe1c31a |  | redhat_bugzilla |
|  |  | https://github.com/torvalds/linux/commit/00b5f37189d24ac3ed46cb7f11742094778c46ce |  | redhat_bugzilla |
|  |  | https://github.com/torvalds/linux/commit/b1e34d325397a33d97d845e312d7cf2a8b646b44 |  | redhat_bugzilla |
| linux_kernel | 4.14.291 | https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=bcf0a450fbaabe7e14d71f885525805b4f86e855 | https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=1e08ec4a130e2745d96df169e67c58df98a07311 | linuxkernelcves |
| linux_kernel | 4.19.256 | https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=b8127a0fd21d70ab42d8177f8bb97df74f503cc1 | https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=1e08ec4a130e2745d96df169e67c58df98a07311 | linuxkernelcves |
| linux_kernel | 5.10.137 | https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=ac7de8c2ba1292856fdd4a4c0764669b9607cf0a | https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=1e08ec4a130e2745d96df169e67c58df98a07311 | linuxkernelcves |
| linux_kernel | 5.15.33 | https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=0e5dbc0540baa89faf4c04ccc7e9c4fe6b1d7bf4 | https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=1e08ec4a130e2745d96df169e67c58df98a07311 | linuxkernelcves |
| linux_kernel | 5.16.19 | https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=9e38128f8bd1d4f2244d8a393bc5dc204a99a541 | https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=1e08ec4a130e2745d96df169e67c58df98a07311 | linuxkernelcves |
| linux_kernel | 5.17.2 | https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=9fa2b94443ff41cdecdff6f4d4324d83af01089a | https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=1e08ec4a130e2745d96df169e67c58df98a07311 | linuxkernelcves |
| linux_kernel | 5.4.211 | https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=8cdba919acefdd6fea5dd2b77a119f54fb88ce11 | https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=1e08ec4a130e2745d96df169e67c58df98a07311 | linuxkernelcves |

</details>

二、漏洞分析结构反馈
 影响性分析说明：
          No description is available for this CVE.    
 openEuler评分：
  6.5
 Vector：CVSS：3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
 受影响版本排查(受影响/不受影响)：
  1.openEuler-22.03-LTS:受影响
2.openEuler-20.03-LTS-SP1(4.19.90):受影响
3.openEuler-20.03-LTS-SP3(4.19.90):受影响

修复是否涉及abi变化(是/否)：
  1.openEuler-22.03-LTS:否
2.openEuler-20.03-LTS-SP1(4.19.90):否
3.openEuler-20.03-LTS-SP3(4.19.90):否

三、漏洞修复
安全公告链接：https://www.openeuler.org/zh/security/safety-bulletin/detail/?id=openEuler-SA-2022-1746

```c
// 初始化 apic 的流程，出问题时 apic 没有初始化
kvm_vm_compat_ioctl
  kvm_vm_ioctl
    kvm_vm_ioctl_create_vcpu
      kvm_arch_vcpu_create
        kvm_create_lapic
          vcpu->arch.apic = apic
```

根因在于 synic->active == 0 时，执行 kvm_make_request(KVM_REQ_HV_STIMER，...)
```c
触发 stimer 流程，设置 KVM_REQ_HV_STIMER 标记流程如下：
kvm_set_msr_common
  kvm_hv_set_msr_common
    kvm_hv_set_msr
      synic_set_msr(data)
        if (!synic->active && (!host || data)) // 修复后： active == 0 && data != 0 时不向下执行（第三个补丁）
        if (!synic->active) // 修复后： activate == 0 时返回（第三个补丁）
        kvm_hv_notify_acked_sint
          stimer_mark_pending(stimer, false)
            kvm_make_request(KVM_REQ_HV_STIMER, ...) // 设置标志位，会触发 kvm_hv_process_stimers()
      stimer_set_config(config = data)
        if (!synic->active && (!host || config)) // 修复后： active == 0 && config != 0 时不向下执行（第三个补丁）
        stimer_mark_pending(stimer, false)
          kvm_make_request(KVM_REQ_HV_STIMER, ...) // 设置标志位，会触发 kvm_hv_process_stimers()
      stimer_set_count(count = data)
        if (!synic->active && (!host || count)) // 修复后： active == 0 && count != 0 时不向下执行（第三个补丁）
        stimer->config.enable = 1; 
        stimer_mark_pending(stimer, false)
          kvm_make_request(KVM_REQ_HV_STIMER, ...) // 设置标志位，会触发 kvm_hv_process_stimers()
```

执行 kvm_make_request(KVM_REQ_HV_STIMER，...)后，会触发kvm_hv_process_stimers()
```c
vcpu_run
  vcpu_enter_guest
    kvm_check_request(KVM_REQ_HV_STIMER, ...)
      kvm_test_request
    kvm_hv_process_stimers
      stimer_expiration
        stimer_send_msg 
          synic_deliver_msg 
            synic_set_irq
              lapic_in_kernel
                return vcpu->arch.apic
              return -EINVAL // 修复后： vcpu->arch.apic 为 NULL 时返回 错误值（第一个补丁）
              kvm_irq_delivery_to_apic(src = vcpu->arch.apic) // vcpu->arch.apic 为 NULL
                kvm_irq_delivery_to_apic_fast
                  if (KVM_BUG_ON(!src, kvm))
                  return true // 修复后： src 为 NULL 时不向下执行（第二个补丁）
                  kvm_apic_set_irq(src->vcpu, ...) // src 为 NULL
```

src-openEuler/kernel

Content Risk Flag

Comments (14)

src-openEuler/kernel .gitee-modal { width: 500px !important; }

Content Risk Flag

CVE-2022-2153

Comments (14)

Search

src-openEuler/kernel