Bug 1566837 (CVE-2018-1087)

Summary: CVE-2018-1087 Kernel: KVM: error in exception handling leads to wrong debug stack value
Product: [Other] Security Response Reporter: Prasad Pandit <ppandit>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: airlied, aquini, bgoncalv, bhu, blc, bmcclain, bskeggs, cao.xufeng, carnil, cperry, crrobins, dblechte, dfediuck, dhoward, dougsland, dvlasenk, eedri, ehamera, esammons, ewk, fhrbata, hdegoede, hkrzesin, hwkernel-mgr, iboverma, ichavero, itamar, jarodwilson, jbastian, jforbes, jglisse, jkacur, jkastner, john.j5live, jonathan, josef, jross, jstancek, jwboyer, kernel-maint, kernel-mgr, labbott, lgoncalv, linville, lsurette, lwang, matt, mchehab, mcressma, mgoldboi, mguzik, miabbott, michal.skrivanek, mjg59, mlangsdo, mpatalan, nmurray, pbonzini, plougher, pmatouse, pstehlik, rbarry, rcain, rt-maint, rvrbovsk, sbonazzo, security-response-team, sherold, skozina, slawomir, srevivo, steved, williams, ycui, yjog, ykaul, ykopkova, ylavi, yozone
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: kernel 4.16, kernel 4.16-rc7, kernel 4.17-rc1, kernel 4.17-rc2, kernel 4.17-rc3 Doc Type: Bug Fix
Doc Text:
A flaw was found in the way the Linux kernel's KVM hypervisor handled exceptions delivered after a stack switch operation via Mov SS or Pop SS instructions. During the stack switch operation, the processor did not deliver interrupts and exceptions, rather they are delivered once the first instruction after the stack switch is executed. An unprivileged KVM guest user could use this flaw to crash the guest or, potentially, escalate their privileges in the guest.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2018-05-28 13:53:13 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1566842, 1566843, 1566844, 1566845, 1566846, 1566847, 1566848, 1566849, 1566850, 1566851, 1567907, 1576070, 1577045, 1577046, 1577047    
Bug Blocks: 1558424    

Description Prasad Pandit 2018-04-13 05:54:03 UTC 
A flaw was found in the way the Linux kernel's KVM hypervisor handled exceptions delivered after a stack switch operation via Mov SS or Pop SS instructions. During the stack switch operation, processor does not deliver interrupts and exceptions, they are delivered once the first instruction after the stack switch is executed.

An unprivileged KVM guest user could use this flaw to crash the guest and/or potentially escalate their privileges in the guest.

Upstream patch:
---------------
  -> https://git.kernel.org/linus/32d43cd391bacb5f0814c2624399a5dad3501d09

Reference:
----------
  -> http://www.openwall.com/lists/oss-security/2018/05/08/5
Comment 8 Prasad Pandit 2018-05-02 12:10:51 UTC 
Acknowledgments:

Name: Andy Lutomirski
Comment 9 Justin M. Forbes 2018-05-08 17:20:38 UTC 
This issue was fixed for Fedora with the 4.16 rebases.
Comment 11 Eric Christensen 2018-05-08 17:37:42 UTC 
Statement:

This issue does not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 5, 6, and Red Hat Enterprise MRG 2.

This issue affects the version of the kernel package as shipped with Red Hat Enterprise Linux 7. Future kernel updates for Red Hat Enterprise Linux 7 may address this issue.
Comment 12 errata-xmlrpc 2018-05-08 18:25:49 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:1318 https://access.redhat.com/errata/RHSA-2018:1318
Comment 13 Fabio Olive Leite 2018-05-08 19:26:48 UTC 
External References:

https://access.redhat.com/security/vulnerabilities/pop_ss
Comment 14 errata-xmlrpc 2018-05-08 19:48:58 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Extended Update Support

Via RHSA-2018:1345 https://access.redhat.com/errata/RHSA-2018:1345
Comment 15 errata-xmlrpc 2018-05-08 21:37:55 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.2 Advanced Update Support
  Red Hat Enterprise Linux 7.2 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.2 Telco Extended Update Support

Via RHSA-2018:1347 https://access.redhat.com/errata/RHSA-2018:1347
Comment 16 errata-xmlrpc 2018-05-08 21:53:13 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.3 Extended Update Support

Via RHSA-2018:1348 https://access.redhat.com/errata/RHSA-2018:1348
Comment 17 errata-xmlrpc 2018-05-08 22:24:25 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:1355 https://access.redhat.com/errata/RHSA-2018:1355
Comment 19 errata-xmlrpc 2018-05-15 17:39:19 UTC 
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for RHEL-7

Via RHSA-2018:1524 https://access.redhat.com/errata/RHSA-2018:1524