CVE-2022-48765 in Linuxinfo

Summary

by MITRE • 06/20/2024

In the Linux kernel, the following vulnerability has been resolved:

KVM: LAPIC: Also cancel preemption timer during SET_LAPIC

The below warning is splatting during guest reboot.

------------[ cut here ]------------
WARNING: CPU: 0 PID: 1931 at arch/x86/kvm/x86.c:10322 kvm_arch_vcpu_ioctl_run+0x874/0x880 [kvm]
CPU: 0 PID: 1931 Comm: qemu-system-x86 Tainted: G I 5.17.0-rc1+ #5 RIP: 0010:kvm_arch_vcpu_ioctl_run+0x874/0x880 [kvm]
Call Trace: kvm_vcpu_ioctl+0x279/0x710 [kvm]
__x64_sys_ioctl+0x83/0xb0 do_syscall_64+0x3b/0xc0 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7fd39797350b

This can be triggered by not exposing tsc-deadline mode and doing a reboot in the guest. The lapic_shutdown() function which is called in sys_reboot path will not disarm the flying timer, it just masks LVTT. lapic_shutdown() clears APIC state w/ LVT_MASKED and timer-mode bit is 0, this can trigger timer-mode switch between tsc-deadline and oneshot/periodic, which can result in preemption timer be cancelled in apic_update_lvtt(). However, We can't depend on this when not exposing tsc-deadline mode and oneshot/periodic modes emulated by preemption timer. Qemu will synchronise states around reset, let's cancel preemption timer under KVM_SET_LAPIC.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 09/29/2025

This vulnerability exists within the Linux kernel's KVM virtualization subsystem, specifically affecting the Local Advanced Programmable Interrupt Controller implementation. The issue manifests when handling guest virtual machine reboots and involves improper timer state management during LAPIC (Local APIC) configuration updates. The vulnerability is classified as a race condition or state management flaw that occurs during the transition between different timer modes within the virtualized environment.

The technical flaw stems from the LAPIC shutdown function not properly canceling preemption timers during the SET_LAPIC operation when tsc-deadline mode is not exposed to the guest operating system. When a guest system reboots, the kernel attempts to clear the APIC state by masking the Local Vector Table Timer (LVTT) register, but this approach fails to properly disarm any active preemption timers that may be in flight. This creates a scenario where timer mode switching between tsc-deadline and oneshot/periodic modes can occur without proper cleanup, leading to dangling timer references that cause kernel warnings and potential system instability.

The operational impact of this vulnerability is significant for virtualized environments running Linux kernel versions that include the affected code path. During guest reboot operations, the system generates kernel warning messages indicating that CPU 0 has encountered an issue in the kvm_arch_vcpu_ioctl_run function, specifically at line 10322. This occurs because the preemption timer cancellation mechanism fails to properly handle the state transition when tsc-deadline mode is not available. The vulnerability is particularly problematic in environments where QEMU manages virtual machine states and where the kernel must synchronize between different timer modes during reset operations.

The root cause of this issue lies in the improper synchronization between the virtual LAPIC state management and the preemption timer subsystem within KVM. When not exposing tsc-deadline mode to the guest, the system relies on emulated oneshot/periodic timer modes that are managed through preemption timers. However, during the SET_LAPIC operation, the system fails to explicitly cancel these preemption timers before transitioning to the shutdown state, creating a scenario where timers can continue to fire or remain in an inconsistent state. This vulnerability is particularly relevant to the ATT&CK framework's privilege escalation and execution categories, as it can potentially be exploited to cause system instability or denial of service conditions in virtualized environments. The issue demonstrates a failure in proper resource cleanup during state transitions, which aligns with CWE-459, which describes incomplete cleanup of resources.

Mitigation strategies for this vulnerability involve ensuring that preemption timers are properly canceled during LAPIC state transitions, particularly when not exposing tsc-deadline mode to guests. The fix requires modifications to the KVM subsystem to explicitly cancel preemption timers during SET_LAPIC operations when transitioning to shutdown states. System administrators should ensure their Linux kernel versions include the patched code that addresses this specific timer state management issue. Organizations running virtualized environments should prioritize updating their kernel versions to include the fix, as this vulnerability can lead to system instability during normal guest reboot operations and may potentially be exploited to cause denial of service conditions in virtualized environments where multiple VMs share the same physical host resources. The fix essentially ensures that timer cleanup occurs reliably regardless of the timer mode being used, preventing the dangling timer references that cause the kernel warning messages and potential system instability.

Disclosure

06/20/2024

Moderation

accepted

CPE

ready

EPSS

0.00210

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!