CVE-2021-47217 x86/hyperv: Fix NULL deref in set_hv_tscchange_cb() if Hyper-V setup fails

2024-04-1019:01:56

Linux

github.com

linux kernel vulnerability

x86 hyperv

null dereference

hyper-v setup

tsc change callback

AI Score

6.2

Confidence

Low

EPSS

Percentile

15.5%

SSVC

Exploitation

none

Automatable

Technical Impact

partial

JSON

In the Linux kernel, the following vulnerability has been resolved:

x86/hyperv: Fix NULL deref in set_hv_tscchange_cb() if Hyper-V setup fails

Check for a valid hv_vp_index array prior to derefencing hv_vp_index when
setting Hyper-V’s TSC change callback. If Hyper-V setup failed in
hyperv_init(), the kernel will still report that it’s running under
Hyper-V, but will have silently disabled nearly all functionality.

BUG: kernel NULL pointer dereference, address: 0000000000000010
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: 0000 [#1] SMP
CPU: 4 PID: 1 Comm: swapper/0 Not tainted 5.15.0-rc2+ #75
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
RIP: 0010:set_hv_tscchange_cb+0x15/0xa0
Code: <8b> 04 82 8b 15 12 17 85 01 48 c1 e0 20 48 0d ee 00 01 00 f6 c6 08
…
Call Trace:
kvm_arch_init+0x17c/0x280
kvm_init+0x31/0x330
vmx_init+0xba/0x13a
do_one_initcall+0x41/0x1c0
kernel_init_freeable+0x1f2/0x23b
kernel_init+0x16/0x120
ret_from_fork+0x22/0x30

CNA Affected

[
  {
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "vendor": "Linux",
    "product": "Linux",
    "versions": [
      {
        "status": "affected",
        "version": "93286261de1b",
        "lessThan": "b20ec58f8a6f",
        "versionType": "git"
      },
      {
        "status": "affected",
        "version": "93286261de1b",
        "lessThan": "b0e44dfb4e4c",
        "versionType": "git"
      },
      {
        "status": "affected",
        "version": "93286261de1b",
        "lessThan": "9c177eee116c",
        "versionType": "git"
      },
      {
        "status": "affected",
        "version": "93286261de1b",
        "lessThan": "8823ea27fff6",
        "versionType": "git"
      },
      {
        "status": "affected",
        "version": "93286261de1b",
        "lessThan": "daf972118c51",
        "versionType": "git"
      }
    ],
    "programFiles": [
      "arch/x86/hyperv/hv_init.c"
    ],
    "defaultStatus": "unaffected"
  },
  {
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "vendor": "Linux",
    "product": "Linux",
    "versions": [
      {
        "status": "affected",
        "version": "4.16"
      },
      {
        "status": "unaffected",
        "version": "0",
        "lessThan": "4.16",
        "versionType": "custom"
      },
      {
        "status": "unaffected",
        "version": "4.19.218",
        "versionType": "custom",
        "lessThanOrEqual": "4.19.*"
      },
      {
        "status": "unaffected",
        "version": "5.4.162",
        "versionType": "custom",
        "lessThanOrEqual": "5.4.*"
      },
      {
        "status": "unaffected",
        "version": "5.10.82",
        "versionType": "custom",
        "lessThanOrEqual": "5.10.*"
      },
      {
        "status": "unaffected",
        "version": "5.15.5",
        "versionType": "custom",
        "lessThanOrEqual": "5.15.*"
      },
      {
        "status": "unaffected",
        "version": "5.16",
        "versionType": "original_commit_for_fix",
        "lessThanOrEqual": "*"
      }
    ],
    "programFiles": [
      "arch/x86/hyperv/hv_init.c"
    ],
    "defaultStatus": "affected"
  }
]