RHEL 7/8: kernel panic at vt_ioctl

Issue

• CVE-2020-36558
• Kernel panic with logs in RHEL 8:

[   43.716346] BUG: unable to handle kernel NULL pointer dereference at 0000000000000304
[   43.716350] PGD 10dd917067 P4D 10dd917067 PUD 10c6b83067 PMD 0 
[   43.716355] Oops: 0002 [#1] SMP NOPTI
[   43.716358] CPU: 106 PID: 12330 Comm: pty07 Kdump: loaded Not tainted 4.18.0-372.73.1.el8_6.x86_64 #1
[   43.716361] Hardware name: HPE ProLiant DL365 Gen10 Plus/ProLiant DL365 Gen10 Plus, BIOS A42 10/29/2021
[   43.716362] RIP: 0010:vt_ioctl+0x720/0x1020
[   43.716371] Code: ff 0f b7 44 24 0c 66 85 c0 74 09 48 8b 13 89 82 90 01 00 00 0f b7 44 24 0e 48 8b 13 66 85 c0 74 09 89 82 04 02 00 00 48 8b 13 <c7> 82 04 03 00 00 01 00 00 00 0f b7 54 24 08 0f b7 74 24 0a 48 8b
[   43.716373] RSP: 0018:ffff9ef60d63fd70 EFLAGS: 00010246
[   43.716375] RAX: 0000000000000000 RBX: ffffffffbb10e1f0 RCX: 0000000000000000
[   43.716377] RDX: 0000000000000000 RSI: 0000000000000286 RDI: 0000000000000286
[   43.716378] RBP: ffffffffbb10f0d8 R08: 0000000000002e47 R09: 0000000000002e47
[   43.716379] R10: 0000000000000000 R11: ffff8a913e4a9b84 R12: 0000000000631d08
[   43.716380] R13: ffff8a8198a4ac00 R14: ffff8a8198a4c400 R15: 0000000000000000
[   43.716381] FS:  00007fad03723740(0000) GS:ffff8a913e480000(0000) knlGS:0000000000000000
[   43.716383] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   43.716384] CR2: 0000000000000304 CR3: 00000010ea188006 CR4: 0000000000770ee0
[   43.716386] PKRU: 55555554
[   43.716387] Call Trace:
[   43.716391]  ? finish_fault+0x4f/0x70
[   43.716397]  tty_ioctl+0x106/0x920
[   43.716402]  ? proc_taint+0x17b/0x1b0
[   43.716408]  ? selinux_file_ioctl+0x183/0x220
[   43.716412]  do_vfs_ioctl+0xa4/0x690
[   43.716417]  ksys_ioctl+0x64/0xa0
[   43.716419]  __x64_sys_ioctl+0x16/0x20
[   43.716421]  do_syscall_64+0x5b/0x1b0
[   43.716427]  entry_SYSCALL_64_after_hwframe+0x61/0xc6
[   43.716432] RIP: 0033:0x7fad02d517cb
[   43.716435] Code: 73 01 c3 48 8b 0d bd 66 38 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 8d 66 38 00 f7 d8 64 89 01 48
[   43.716437] RSP: 002b:00007ffd02c43f48 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   43.716439] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fad02d517cb
[   43.716440] RDX: 0000000000631d08 RSI: 000000000000560a RDI: 0000000000000003
[   43.716441] RBP: 0000000000000000 R08: 00007ffd02cfa1b0 R09: 000000000000e986
[   43.716441] R10: 000000000000e986 R11: 0000000000000246 R12: 0000000000000000
[   43.716442] R13: 0000000000000000 R14: 0000000000000000 R15: 00007ffd02c44020
[   43.716445] Modules linked in: xt_CHECKSUM ipt_MASQUERADE xt_conntrack ipt_REJECT nf_reject_ipv4 nft_compat nft_counter nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables nfnetlink bridge stp llc sunrpc vfat fat ipmi_ssif intel_rapl_msr intel_rapl_common edac_mce_amd amd_energy kvm_amd kvm irqbypass crct10dif_pclmul acpi_ipmi crc32_pclmul ses enclosure ghash_clmulni_intel ipmi_si sp5100_tco pcspkr rapl ipmi_devintf hpilo hpwdt ccp i2c_piix4 k10temp wmi ipmi_msghandler acpi_tad acpi_power_meter acpi_cpufreq xfs libcrc32c sd_mod t10_pi sg mgag200 drm_kms_helper qede syscopyarea sysfillrect sysimgblt fb_sys_fops crc32c_intel drm qed igb smartpqi scsi_transport_sas dca i2c_algo_bit crc8 dm_mirror dm_region_hash dm_log dm_mod fuse
[   43.716500] CR2: 0000000000000304

• Kernel panic with log in RHEL 7:

[   62.012459] BUG: unable to handle kernel NULL pointer dereference at 00000000000002bc
[   62.012463] IP: [<ffffffffac4933e7>] vt_ioctl+0xea7/0x12f0
[   62.012464] PGD 26caed067 PUD 26cae8067 PMD 0 
[   62.012464] Oops: 0002 [#1] SMP 
[   62.012471] Modules linked in: sunrpc kvm_amd kvm iTCO_wdt iTCO_vendor_support irqbypass crc32_pclmul ghash_clmulni_intel aesni_intel lrw gf128mul glue_helper ablk_helper joydev cryptd i2c_i801 sg pcspkr lpc_ich virtio_rng virtio_balloon ip_tables xfs libcrc32c sr_mod cdrom ahci virtio_net libahci net_failover virtio_console virtio_blk failover libata crct10dif_pclmul crct10dif_common crc32c_intel serio_raw virtio_pci virtio_ring virtio dm_mirror dm_region_hash dm_log dm_mod
[   62.012473] CPU: 1 PID: 1809 Comm: pty07 Kdump: loaded Not tainted 3.10.0-1160.108.1.el7.x86_64 #1
[   62.012473] Hardware name: Red Hat KVM/RHEL-AV, BIOS 1.16.0-4.el9 04/01/2014
[   62.012473] task: ffff9fb8eb5d6300 ti: ffff9fb8ee3e8000 task.ti: ffff9fb8ee3e8000
[   62.012474] RIP: 0010:[<ffffffffac4933e7>]  [<ffffffffac4933e7>] vt_ioctl+0xea7/0x12f0
[   62.012475] RSP: 0018:ffff9fb8ee3ebd70  EFLAGS: 00010246
[   62.012475] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[   62.012475] RDX: 0000000000000019 RSI: 0000000000000050 RDI: 0000000000000282
[   62.012475] RBP: ffff9fb8ee3ebde0 R08: ffff9fb8ee3e8000 R09: 0000000000000001
[   62.012475] R10: 0000000000000001 R11: 0000000000000400 R12: 0000000000000000
[   62.012475] R13: 0000000000000050 R14: 0000000000000019 R15: ffffffffad285d70
[   62.012477] FS:  00007f9622f7f740(0000) GS:ffff9fb7f5a40000(0000) knlGS:0000000000000000
[   62.012477] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   62.012477] CR2: 00000000000002bc CR3: 000000026e4bc000 CR4: 0000000000740ee0
[   62.012478] PKRU: 55555554
[   62.012478] Call Trace:
[   62.012482]  [<ffffffffac1fbc07>] ? arch_tlb_finish_mmu+0x47/0x80
[   62.012482]  [<ffffffffac1fbd33>] ? tlb_finish_mmu+0x23/0x40
[   62.012484]  [<ffffffffac485fa4>] tty_ioctl+0x284/0xc00
[   62.012485]  [<ffffffffac205ec1>] ? __vma_rb_erase+0x121/0x230
[   62.012487]  [<ffffffffac271988>] do_vfs_ioctl+0x3a8/0x5c0
[   62.012488]  [<ffffffffac0706ce>] ? kvm_clock_get_cycles+0x1e/0x30
[   62.012489]  [<ffffffffac271c21>] SyS_ioctl+0x81/0xa0
[   62.012491]  [<ffffffffac146966>] ? __audit_syscall_exit+0x1f6/0x2b0
[   62.012492]  [<ffffffffac7c539a>] system_call_fastpath+0x25/0x2a
[   62.012496] Code: 85 db 74 0c 49 8b 07 8b 4d 94 89 88 48 01 00 00 66 45 85 e4 74 0c 49 8b 07 8b 4d 98 89 88 bc 01 00 00 49 8b 07 44 89 f2 44 89 ee <c7> 80 bc 02 00 00 01 00 00 00 49 8b 3f e8 f7 a1 00 00 e8 72 eb 
[   62.012497] RIP  [<ffffffffac4933e7>] vt_ioctl+0xea7/0x12f0
[   62.012497]  RSP <ffff9fb8ee3ebd70>
[   62.012497] CR2: 00000000000002bc