CVE-2011-4622

Published: 27 January 2012

The create_pit_timer function in arch/x86/kvm/i8254.c in KVM 83, and possibly other versions, does not properly handle when Programmable Interval Timer (PIT) interrupt requests (IRQs) when a virtual interrupt controller (irqchip) is not available, which allows local users to cause a denial of service (NULL pointer dereference) by starting a timer. BUG: unable to handle kernel NULL pointer dereference at 0000000000000128 IP: [<ffffffffa10f6280>] kvm_set_irq+0x30/0x170 [kvm] ... Call Trace: [<ffffffffa11228c1>] pit_do_work+0x51/0xd0 [kvm] [<ffffffff81071431>] process_one_work+0x111/0x4d0 [<ffffffff81071bb2>] worker_thread+0x152/0x340 [<ffffffff81075c8e>] kthread+0x7e/0x90 [<ffffffff815a4474>] kernel_thread_helper+0x4/0x10

From the Ubuntu security team

A flaw was found in KVM's Programmable Interval Timer (PIT). When a virtual interrupt control is not available a local user could use this to cause a denial of service by starting a timer.

Status

References

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4622
• http://permalink.gmane.org/gmane.comp.emulators.kvm.devel/83564
• https://ubuntu.com/security/notices/USN-1361-1
• https://ubuntu.com/security/notices/USN-1362-1
• https://ubuntu.com/security/notices/USN-1363-1
• https://ubuntu.com/security/notices/USN-1384-1
• https://ubuntu.com/security/notices/USN-1386-1
• https://ubuntu.com/security/notices/USN-1387-1
• https://ubuntu.com/security/notices/USN-1388-1
• https://ubuntu.com/security/notices/USN-1389-1
• NVD
• Launchpad
• Debian

Bugs

• https://bugzilla.redhat.com/show_bug.cgi?id=769721
• https://launchpad.net/bugs/911303