CVE-2018-16882

A use-after-free issue was found in the way the Linux kernel's KVM hypervisor processed posted interrupts when nested(=1) virtualization is enabled. In nested_get_vmcs12_pages(), in case of an error while processing posted interrupt address, it unmaps the 'pi_desc_page' without resetting 'pi_desc' descriptor address, which is later used in pi_test_and_clear_on(). A guest user/process could use this flaw to crash the host kernel resulting in DoS or potentially gain privileged access to a system. Kernel versions before 4.14.91 and before 4.19.13 are vulnerable.

From the Ubuntu Security Team

Cfir Cohen discovered that a use-after-free vulnerability existed in the KVM implementation of the Linux kernel, when handling interrupts in environments where nested virtualization is in use (nested KVM virtualization is not enabled by default in Ubuntu kernels). A local attacker in a guest VM could possibly use this to gain administrative privileges in a host machine.

Read the notes from the security team

• How can I get the fixes?
• What do statuses mean?
• Patch details

Notes

References

• MITRE
• NVD
• Launchpad
• Debian

Related Ubuntu Security Notices (USN)

• USN-3878-1
• Linux kernel vulnerabilities
• 4 February 2019
• USN-3871-4
• Linux kernel (HWE) vulnerabilities
• 4 February 2019
• USN-3871-1
• Linux kernel vulnerabilities
• 29 January 2019
• USN-3871-5
• Linux kernel (Azure) vulnerabilities
• 7 February 2019
• USN-3872-1
• Linux kernel (HWE) vulnerabilities
• 29 January 2019
• USN-3878-2
• Linux kernel (Azure) vulnerabilities
• 7 February 2019
• USN-3871-3
• Linux kernel (AWS, GCP, KVM, OEM, Raspberry Pi 2) vulnerabilities
• 4 February 2019

Other references

• https://www.openwall.com/lists/oss-security/2018/12/18/6
• https://marc.info/?l=kvm&m=154514994222809&w=2
• https://www.cve.org/CVERecord?id=CVE-2018-16882