CVE-2023-54241

Description

In the Linux kernel, the following vulnerability has been resolved:

MIPS: KVM: Fix null pointer dereference

After commit 45c7e8af4a5e3f0bea4ac209 (MIPS: Remove KVM_TE support) we get a null pointer dereference when creating a KVM guest:

[ 146.243409] Starting KVM with MIPS VZ extensions
[ 149.849151] CPU 3 Unable to handle kernel paging request at virtual address 0000000000000300, epc == ffffffffc06356ec, ra == ffffffffc063568c
[ 149.849177] Oops[#1]:
[ 149.849182] CPU: 3 PID: 2265 Comm: qemu-system-mip Not tainted 6.4.0-rc3+ #1671
[ 149.849188] Hardware name: THTF CX TL630 Series/THTF-LS3A4000-7A1000-ML4A, BIOS KL4.1F.TF.D.166.201225.R 12/25/2020
[ 149.849192] $ 0 : 0000000000000000 000000007400cce0 0000000000400004 ffffffff8119c740
[ 149.849209] $ 4 : 000000007400cce1 000000007400cce1 0000000000000000 0000000000000000
[ 149.849221] $ 8 : 000000240058bb36 ffffffff81421ac0 0000000000000000 0000000000400dc0
[ 149.849233] $12 : 9800000102a07cc8 ffffffff80e40e38 0000000000000001 0000000000400dc0
[ 149.849245] $16 : 0000000000000000 9800000106cd0000 9800000106cd0000 9800000100cce000
[ 149.849257] $20 : ffffffffc0632b28 ffffffffc05b31b0 9800000100ccca00 0000000000400000
[ 149.849269] $24 : 9800000106cd09ce ffffffff802f69d0
[ 149.849281] $28 : 9800000102a04000 9800000102a07cd0 98000001106a8000 ffffffffc063568c
[ 149.849293] Hi : 00000335b2111e66
[ 149.849295] Lo : 6668d90061ae0ae9
[ 149.849298] epc : ffffffffc06356ec kvm_vz_vcpu_setup+0xc4/0x328 [kvm]
[ 149.849324] ra : ffffffffc063568c kvm_vz_vcpu_setup+0x64/0x328 [kvm]
[ 149.849336] Status: 7400cce3 KX SX UX KERNEL EXL IE
[ 149.849351] Cause : 1000000c (ExcCode 03)
[ 149.849354] BadVA : 0000000000000300
[ 149.849357] PrId : 0014c004 (ICT Loongson-3)
[ 149.849360] Modules linked in: kvm nfnetlink_queue nfnetlink_log nfnetlink fuse sha256_generic libsha256 cfg80211 rfkill binfmt_misc vfat fat snd_hda_codec_hdmi input_leds led_class snd_hda_intel snd_intel_dspcfg snd_hda_codec snd_hda_core snd_pcm snd_timer snd serio_raw xhci_pci radeon drm_suballoc_helper drm_display_helper xhci_hcd ip_tables x_tables
[ 149.849432] Process qemu-system-mip (pid: 2265, threadinfo=00000000ae2982d2, task=0000000038e09ad4, tls=000000ffeba16030)
[ 149.849439] Stack : 9800000000000003 9800000100ccca00 9800000100ccc000 ffffffffc062cef4
[ 149.849453] 9800000102a07d18 c89b63a7ab338e00 0000000000000000 ffffffff811a0000
[ 149.849465] 0000000000000000 9800000106cd0000 ffffffff80e59938 98000001106a8920
[ 149.849476] ffffffff80e57f30 ffffffffc062854c ffffffff811a0000 9800000102bf4240
[ 149.849488] ffffffffc05b0000 ffffffff80e3a798 000000ff78000000 000000ff78000010
[ 149.849500] 0000000000000255 98000001021f7de0 98000001023f0078 ffffffff81434000
[ 149.849511] 0000000000000000 0000000000000000 9800000102ae0000 980000025e92ae28
[ 149.849523] 0000000000000000 c89b63a7ab338e00 0000000000000001 ffffffff8119dce0
[ 149.849535] 000000ff78000010 ffffffff804f3d3c 9800000102a07eb0 0000000000000255
[ 149.849546] 0000000000000000 ffffffff8049460c 000000ff78000010 0000000000000255
[ 149.849558] ...
[ 149.849565] Call Trace:
[ 149.849567] [] kvm_vz_vcpu_setup+0xc4/0x328 [kvm]
[ 149.849586] [] kvm_arch_vcpu_create+0x184/0x228 [kvm]
[ 149.849605] [] kvm_vm_ioctl+0x64c/0xf28 [kvm]
[ 149.849623] [] sys_ioctl+0xc8/0x118
[ 149.849631] [] syscall_common+0x34/0x58

The root cause is that the deletion of kvm_mips_commpage_init() leaves vcpu->arch.cop0 null. So fix it by making cop0 from a pointer to an embedded object.

Risk Information

Base Score: 8.6 (MODERATE)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N/E:U/RL:U/RC:C
EPSS Score (Exploitation Probability): 0.026

Associated Vulnerability

No records found

Patch Details

No records found

References

https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234