Bug 1558149 (CVE-2018-1091)

Summary: CVE-2018-1091 kernel: guest kernel crash during core dump on POWER9 host
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: airlied, ajax, aquini, bhu, blc, bskeggs, dhoward, ewk, fhrbata, hannsj_uhl, hdegoede, hkrzesin, hwkernel-mgr, iboverma, ichavero, itamar, jarodwilson, jforbes, jglisse, jkacur, john.j5live, jonathan, josef, jross, jwboyer, kernel-maint, kernel-mgr, labbott, lgoncalv, linville, matt, mchehab, mcressma, mjg59, mlangsdo, nmurray, plougher, rt-maint, rvrbovsk, security-response-team, skozina, steved, vdronov, williams
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=moderate,public=20170913,reported=20180213,source=redhat,cvss3=4.7/CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H,cwe=CWE-391,rhel-5/kernel=notaffected,rhel-6/kernel=notaffected,rhel-7/kernel=affected,rhel-7/kernel-rt=notaffected,mrg-2/realtime-kernel=notaffected,rhel-alt-7/kernel-alt=notaffected,rhel-8/kernel=notaffected,fedora-all/kernel=notaffected
Fixed In Version: kernel-3.10.0-862.1.1.el7 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Linux kernel where a crash can be triggered from unprivileged userspace during core dump on a POWER system with a certain configuration. This is due to a missing processor feature check and an erroneous use of transactional memory (TM) instructions in the core dump path leading to a denial of service.
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-10 10:18:03 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 1544676, 1563773    
Bug Blocks: 1558158    

Description Adam Mariš 2018-03-19 17:44:47 UTC
A kernel crash can be triggered from unprivileged userspace during core dump on a POWER system with a certain configuration due to a missing processor feature check and an erroneous use of transactional memory (TM) instructions in the core dump path leading to a denial of service.

References:

https://marc.info/?l=linuxppc-embedded&m=150535531910494&w=2

http://seclists.org/oss-sec/2018/q1/282

An upstream fix:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c1fa0768a8713b135848f78fd43ffc208d8ded70

Comment 1 Adam Mariš 2018-03-19 17:48:36 UTC
*** Bug 1558150 has been marked as a duplicate of this bug. ***

Comment 2 Adam Mariš 2018-03-19 17:49:14 UTC
*** Bug 1558152 has been marked as a duplicate of this bug. ***

Comment 6 Vladis Dronov 2018-03-27 17:15:03 UTC
Notes:

A certain configuration of POWER system needed to hit the flaw can be:

- The case that kernel was compiled with CONFIG_PPC_TRANSACTIONAL_MEM enabled and ran on a CPU without transactional memory (TM) feature available, thus rendering the execution of TM instructions that are treated by the CPU as illegal instructions. (see this quote in the upstream commit)

- In case of POWER host and KVM guest the core dump code unconditionally tries to use transactional memory (TM) instructions to flush TM state back to the thread structure. As qemu currently disables TM by default in guests, this causes an illegal instruction in the guest kernel and hence the crash.

Comment 9 errata-xmlrpc 2018-05-08 18:25:19 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:1318 https://access.redhat.com/errata/RHSA-2018:1318