Bug 1558149 (CVE-2018-1091)
Summary: | CVE-2018-1091 kernel: guest kernel crash during core dump on POWER9 host | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Adam Mariš <amaris> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | airlied, ajax, aquini, bhu, blc, bskeggs, dhoward, ewk, fhrbata, hannsj_uhl, hdegoede, hkrzesin, hwkernel-mgr, iboverma, ichavero, itamar, jarodwilson, jforbes, jglisse, jkacur, john.j5live, jonathan, josef, jross, jwboyer, kernel-maint, kernel-mgr, labbott, lgoncalv, linville, matt, mchehab, mcressma, mjg59, mlangsdo, nmurray, plougher, rt-maint, rvrbovsk, security-response-team, skozina, steved, vdronov, williams |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | kernel-3.10.0-862.1.1.el7 | Doc Type: | If docs needed, set a value |
Doc Text: |
A flaw was found in the Linux kernel where a crash can be triggered from unprivileged userspace during core dump on a POWER system with a certain configuration. This is due to a missing processor feature check and an erroneous use of transactional memory (TM) instructions in the core dump path leading to a denial of service.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2019-06-10 10:18:03 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1544676, 1563773 | ||
Bug Blocks: | 1558158 |
Description
Adam Mariš
2018-03-19 17:44:47 UTC
*** Bug 1558150 has been marked as a duplicate of this bug. ***

*** Bug 1558152 has been marked as a duplicate of this bug. ***

Notes:

A certain configuration of POWER system needed to hit the flaw can be:

- The case that the kernel was compiled with CONFIG_PPC_TRANSACTIONAL_MEM enabled and ran on a CPU without the transactional memory (TM) feature available, so that TM instructions are treated by the CPU as illegal instructions. (see this quote in the upstream commit)

- In the case of a POWER host and KVM guest, the core dump code unconditionally tries to use transactional memory (TM) instructions to flush TM state back to the thread structure. As qemu currently disables TM by default in guests, this causes an illegal instruction in the guest kernel and hence the crash.

This issue has been addressed in the following products:

Red Hat Enterprise Linux 7

Via RHSA-2018:1318 https://access.redhat.com/errata/RHSA-2018:1318
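A triage helper for the build-side conditions this bug lists, added here as an example (not Red Hat's or the kernel project's code): given `uname -r` output and the kernel config text, it reports whether a RHEL 7 POWER kernel with TM support built in is at or past the Fixed In Version. The function names, result strings, simplified RPM release comparison and sample inputs are assumptions made for this example, and it does not check whether TM is actually available to the CPU or guest.

```python
import re

FIXED_EL7 = "3.10.0-862.1.1.el7"            # "Fixed In Version" on this page
TM_OPTION = "CONFIG_PPC_TRANSACTIONAL_MEM"  # option named in the notes
POWER_ARCHES = ("ppc64", "ppc64le")


def rpm_cmp(a, b):
    """Simplified rpm-style comparison of two strings; returns -1, 0 or 1."""
    sa = re.findall(r"\d+|[A-Za-z]+", a)
    sb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment sorts after letters
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def triage(uname_r, config_text):
    """Classify one host from `uname -r` output and its kernel config text."""
    release, _, arch = uname_r.rpartition(".")
    if arch not in POWER_ARCHES:
        return "not-power"
    if not re.search(rf"^{TM_OPTION}=y$", config_text, re.M):
        return "tm-not-built"
    version, _, rel = release.partition("-")
    fixed_version, _, fixed_rel = FIXED_EL7.partition("-")
    if version != fixed_version or not rel.endswith(".el7"):
        return "unknown-stream"  # the page gives a fixed version for el7 only
    return "fixed" if rpm_cmp(rel, fixed_rel) >= 0 else "needs-update"


# Constructed sample inputs (not taken from real hosts).
TM_ON = "CONFIG_PPC64=y\nCONFIG_PPC_TRANSACTIONAL_MEM=y\n"
TM_OFF = "CONFIG_PPC64=y\n# CONFIG_PPC_TRANSACTIONAL_MEM is not set\n"
SAMPLES = [
    ("3.10.0-693.21.1.el7.ppc64le", TM_ON),
    ("3.10.0-862.el7.ppc64le", TM_ON),
    ("3.10.0-862.1.1.el7.ppc64le", TM_ON),
    ("3.10.0-862.el7.ppc64le", TM_OFF),
    ("3.10.0-862.el7.x86_64", TM_ON),
]

if __name__ == "__main__":
    for uname_r, cfg in SAMPLES:
        print(f"{uname_r:32} {triage(uname_r, cfg)}")
```

On a live host the two inputs would normally come from `uname -r` and `/boot/config-$(uname -r)`.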