Linux Kernel KVM VMX Initialization Vulnerability Leading to NULL Pointer Dereference

A vulnerability in the Linux kernel's KVM (Kernel-based Virtual Machine) component for VMX (Intel Virtual Machine Extensions) has been identified. The issue arises because the initialization process does not complete before exposing /dev/kvm to userspace. This premature exposure allows userspace to create virtual machines and invoke other ioctls before the necessary configurations are in place. As a result, KVM may encounter a NULL pointer dereference when adding a vCPU to the per-CPU loaded_vmcss_on_cpu list, leading to a kernel panic. The vulnerability has been observed in Linux kernel version 6.0.0-rc7.

Impact

Exploitation of this vulnerability causes a kernel NULL pointer dereference, leading to a crash of the affected system.

Reproduction

The vulnerability can be reproduced by creating a virtual machine in userspace before the KVM VMX initialization process has completed. This can be done by invoking the appropriate ioctls to create a VM and add a vCPU, which will trigger the NULL pointer dereference when the VMCS (Virtual Machine Control Structure) loading process encounters the uninitialized list.