Bug 1589890 (CVE-2018-10853)

Summary: CVE-2018-10853 kernel: kvm: guest userspace to guest kernel write
Product: [Other] Security Response Reporter: Laura Pardo <lpardo>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: acaringi, airlied, aquini, bhu, blc, brdeoliv, bskeggs, dhoward, dvlasenk, ewk, fhrbata, hdegoede, hkrzesin, hwkernel-mgr, iboverma, ichavero, itamar, jarodwilson, jforbes, jglisse, jkacur, john.j5live, jonathan, josef, jross, jstancek, jwboyer, kernel-maint, kernel-mgr, labbott, lgoncalv, linville, lwang, matt, mchehab, mcressma, mjg59, mlangsdo, mvanderw, nmurray, plougher, ppandit, rt-maint, rvrbovsk, skozina, steved, williams
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: kernel 4.18 Doc Type: Bug Fix
Doc Text:
A flaw was found in the way Linux kernel KVM hypervisor emulated instructions such as sgdt/sidt/fxsave/fxrstor. It did not check current privilege(CPL) level while emulating unprivileged instructions. An unprivileged guest user/process could use this flaw to potentially escalate privileges inside guest.
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-08-06 13:18:50 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1589892, 1589893, 1624638, 1657358, 1772227, 1772228, 1772229, 1772230, 1788044    
Bug Blocks: 1589767    

Description Laura Pardo 2018-06-11 15:25:59 UTC
A flaw was found in the way Linux kernel KVM hypervisor emulated instructions such as sgdt/sidt/fxsave/fxrstor. It did not check current privilege(CPL) level while emulating unprivileged instructions.

An unprivileged guest user/process could use this flaw to potentially escalate privileges inside guest.


Upstream patch:
---------------
  -> https://git.kernel.org/linus/3c9fa24ca7c9c47605672916491f79e8ccacb9e6

Issue introduced in: (kernel v4.10+)
--------------------
  -> https://git.kernel.org/linus/129a72a0d3c8e139a04512325384fe5ac119e74

Reference:
----------
  -> http://www.openwall.com/lists/oss-security/2018/09/02/1

Comment 1 Laura Pardo 2018-06-11 15:27:03 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1589892]

Comment 3 Prasad Pandit 2018-06-12 07:01:53 UTC
Acknowledgments:

Name: Andy Lutomirski, Mika Penttilä

Comment 7 errata-xmlrpc 2019-08-06 12:04:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2029 https://access.redhat.com/errata/RHSA-2019:2029

Comment 8 errata-xmlrpc 2019-08-06 12:06:26 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2043 https://access.redhat.com/errata/RHSA-2019:2043

Comment 9 Product Security DevOps Team 2019-08-06 13:18:50 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-10853

Comment 19 errata-xmlrpc 2020-01-07 12:26:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.5 Extended Update Support

Via RHSA-2020:0036 https://access.redhat.com/errata/RHSA-2020:0036

Comment 21 errata-xmlrpc 2020-01-14 15:53:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Advanced Update Support
  Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.4 Telco Extended Update Support

Via RHSA-2020:0103 https://access.redhat.com/errata/RHSA-2020:0103

Comment 22 errata-xmlrpc 2020-01-21 17:01:55 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2020:0179 https://access.redhat.com/errata/RHSA-2020:0179