Linux Kernel is impacted by two denial-of-service (DoS) vulnerabilities and the issues affect Linux kernel 4.19.2 and previous versions. This was discovered by researcher Wanpeng Li.
The vulnerabilities are rated as Medium severity and are NULL pointer deference issues which can be exploited by a local attacker to activate a DoS condition.
The first vulnerability dubbed as CVE-2018-19406 is found in the Linux kernel function called kvm_pv_send_ipi implemented in arch/x86/kvm/lapic.c.
This flaw can be exploited by a local attacker by using crafted system calls to reach a situation where the apic map is not initialized.
The issue is triggered because the Advanced Programmable Interrupt Controller (APIC) map fails to initialize correctly. The reason is that the apic map has not yet been initialized, the testcase triggers pv_send_ipi interface by vmcall which results in kvm->arch.apic_map is dereferenced.
The second vulnerability which has been dubbed as CVE-2018-19407 is found in the Linux Kernel function vcpu_scan_ioapic that is defined in arch/x86/kvm/x86.c.
The flaw can be activated when I/O Advanced Programmable Interrupt Controller (I/O APIC) does not initialize correctly. This can be exploited by a local attacker using crafted system calls that reach a situation where ioapic is uninitialized.
The reason is that the testcase writes hyperv synic HV_X64_MSR_SINT6 msr and triggers scan ioapic logic to load synic vectors into EOI exit bitmap. However, irqchip is not initialized by this simple testcase, ioapic/apic objects should not be accessed.
Unofficial patches for both flaws were released in the unofficial Linux Kernel Mailing List (LKML) archive, but haven’t been pushed upstream.