Your submission was sent successfully! Close

CVE-2018-16882

Published: 3 January 2019

A use-after-free issue was found in the way the Linux kernel's KVM hypervisor processed posted interrupts when nested(=1) virtualization is enabled. In nested_get_vmcs12_pages(), in case of an error while processing posted interrupt address, it unmaps the 'pi_desc_page' without resetting 'pi_desc' descriptor address, which is later used in pi_test_and_clear_on(). A guest user/process could use this flaw to crash the host kernel resulting in DoS or potentially gain privileged access to a system. Kernel versions before 4.14.91 and before 4.19.13 are vulnerable.

From the Ubuntu security team

Cfir Cohen discovered that a use-after-free vulnerability existed in the KVM implementation of the Linux kernel, when handling interrupts in environments where nested virtualization is in use (nested KVM virtualization is not enabled by default in Ubuntu kernels). A local attacker in a guest VM could possibly use this to gain administrative privileges in a host machine.

Notes

AuthorNote
tyhicks
Ubuntu kernels do not enable nested KVM virtualization by default and
are unaffected by this flaw in the default configuration. To ensure that
nested virtualization is not enabled, verify that the
/sys/module/kvm_intel/parameters/nested file contains "N".
Priority

Medium

CVSS 3 base score: 8.8

Status

Package Release Status
linux
Launchpad, Ubuntu, Debian
bionic
Released (4.15.0-44.47)
cosmic
Released (4.18.0-14.15)
precise Not vulnerable
(3.0.0-12.20)
trusty Not vulnerable
(3.11.0-12.19)
upstream
Released (4.20)
xenial Not vulnerable
(4.2.0-16.19)
Patches:
Introduced by

5e2f30b756a37bd80c5b0471d0e10d769ab2eb9a

Fixed by c2dd5146e9fe1f22c77c1b011adf84eea0245806
linux-aws
Launchpad, Ubuntu, Debian
bionic
Released (4.15.0-1032.34)
cosmic
Released (4.18.0-1008.10)
precise Does not exist

trusty Not vulnerable
(4.4.0-1002.2)
upstream
Released (4.20)
xenial Not vulnerable
(4.4.0-1001.10)
linux-aws-hwe
Launchpad, Ubuntu, Debian
bionic Does not exist

cosmic Does not exist

precise Does not exist

trusty Does not exist

upstream
Released (4.20)
xenial
Released (4.15.0-1032.34~16.04.1)
linux-azure
Launchpad, Ubuntu, Debian
bionic
Released (4.15.0-1037.39)
cosmic
Released (4.18.0-1008.8)
precise Does not exist

trusty
Released (4.15.0-1037.39~14.04.2)
upstream
Released (4.20)
xenial
Released (4.15.0-1037.39~16.04.1)
linux-azure-edge
Launchpad, Ubuntu, Debian
bionic
Released (4.15.0-1037.39)
cosmic Does not exist

precise Does not exist

trusty Does not exist

upstream
Released (4.20)
xenial
Released (4.15.0-1037.39~16.04.1)
linux-euclid
Launchpad, Ubuntu, Debian
bionic Does not exist

cosmic Does not exist

precise Does not exist

trusty Does not exist

upstream
Released (4.20)
xenial Not vulnerable
(4.4.0-9019.20)
linux-flo
Launchpad, Ubuntu, Debian
bionic Does not exist

cosmic Does not exist

precise Does not exist

trusty Does not exist
(trusty was ignored [abandoned])
upstream
Released (4.20)
xenial Ignored
(abandoned)
linux-gcp
Launchpad, Ubuntu, Debian
bionic
Released (4.15.0-1027.28)
cosmic
Released (4.18.0-1006.7)
precise Does not exist

trusty Does not exist

upstream
Released (4.20)
xenial
Released (4.15.0-1027.28~16.04.1)
linux-gcp-edge
Launchpad, Ubuntu, Debian
bionic
Released (4.18.0-1006.7~18.04.1)
cosmic Does not exist

precise Does not exist

trusty Does not exist

upstream
Released (4.20)
xenial Does not exist

linux-gke
Launchpad, Ubuntu, Debian
bionic Does not exist

cosmic Does not exist

precise Does not exist

trusty Does not exist

upstream
Released (4.20)
xenial Ignored
(end-of-life)
linux-goldfish
Launchpad, Ubuntu, Debian
bionic Does not exist

cosmic Does not exist

precise Does not exist

trusty Does not exist
(trusty was ignored [abandoned])
upstream
Released (4.20)
xenial Ignored
(end-of-life)
linux-grouper
Launchpad, Ubuntu, Debian
bionic Does not exist

cosmic Does not exist

precise Does not exist

trusty Does not exist
(trusty was ignored [abandoned])
upstream
Released (4.20)
xenial Does not exist

linux-hwe
Launchpad, Ubuntu, Debian
bionic
Released (4.18.0-14.15~18.04.1)
cosmic Does not exist

precise Does not exist

trusty Does not exist

upstream
Released (4.20)
xenial
Released (4.15.0-45.48~16.04.1)
linux-hwe-edge
Launchpad, Ubuntu, Debian
bionic Not vulnerable
(5.0.0-8.9~18.04.1)
cosmic Does not exist

precise Does not exist

trusty Does not exist

upstream
Released (4.20)
xenial
Released (4.15.0-45.48~16.04.1)
linux-kvm
Launchpad, Ubuntu, Debian
bionic
Released (4.15.0-1029.29)
cosmic
Released (4.18.0-1007.7)
precise Does not exist

trusty Does not exist

upstream
Released (4.20)
xenial Not vulnerable
(4.4.0-1004.9)
linux-lts-trusty
Launchpad, Ubuntu, Debian
bionic Does not exist

cosmic Does not exist

precise Not vulnerable
(3.13.0-24.46~precise1)
trusty Does not exist

upstream
Released (4.20)
xenial Does not exist

linux-lts-utopic
Launchpad, Ubuntu, Debian
bionic Does not exist

cosmic Does not exist

precise Does not exist

trusty Does not exist
(trusty was ignored [out of standard support])
upstream
Released (4.20)
xenial Does not exist

linux-lts-vivid
Launchpad, Ubuntu, Debian
bionic Does not exist

cosmic Does not exist

precise Does not exist

trusty Does not exist
(trusty was ignored [out of standard support])
upstream
Released (4.20)
xenial Does not exist

linux-lts-wily
Launchpad, Ubuntu, Debian
bionic Does not exist

cosmic Does not exist

precise Does not exist

trusty Does not exist
(trusty was ignored [out of standard support])
upstream
Released (4.20)
xenial Does not exist

linux-lts-xenial
Launchpad, Ubuntu, Debian
bionic Does not exist

cosmic Does not exist

precise Does not exist

trusty Not vulnerable
(4.4.0-13.29~14.04.1)
upstream
Released (4.20)
xenial Does not exist

linux-maguro
Launchpad, Ubuntu, Debian
bionic Does not exist

cosmic Does not exist

precise Does not exist

trusty Does not exist
(trusty was ignored [abandoned])
upstream
Released (4.20)
xenial Does not exist

linux-mako
Launchpad, Ubuntu, Debian
bionic Does not exist

cosmic Does not exist

precise Does not exist

trusty Does not exist
(trusty was ignored [abandoned])
upstream
Released (4.20)
xenial Ignored
(abandoned)
linux-manta
Launchpad, Ubuntu, Debian
bionic Does not exist

cosmic Does not exist

precise Does not exist

trusty Does not exist
(trusty was ignored [abandoned])
upstream
Released (4.20)
xenial Does not exist

linux-oem
Launchpad, Ubuntu, Debian
bionic
Released (4.15.0-1033.38)
cosmic
Released (4.15.0-1033.38)
precise Does not exist

trusty Does not exist

upstream
Released (4.20)
xenial Ignored
(was needs-triage now end-of-life)
linux-oracle
Launchpad, Ubuntu, Debian
bionic
Released (4.15.0-1008.10)
cosmic Not vulnerable

precise Does not exist

trusty Does not exist

upstream
Released (4.20)
xenial
Released (4.15.0-1008.10~16.04.1)
linux-raspi2
Launchpad, Ubuntu, Debian
bionic
Released (4.15.0-1031.33)
cosmic
Released (4.18.0-1009.11)
precise Does not exist

trusty Does not exist

upstream
Released (4.20)
xenial Not vulnerable
(4.2.0-1013.19)
linux-snapdragon
Launchpad, Ubuntu, Debian
bionic Not vulnerable

cosmic Does not exist

precise Does not exist

trusty Does not exist

upstream
Released (4.20)
xenial Not vulnerable
(4.4.0-1012.12)