Bug 1601849 (CVE-2018-10901)

Summary: CVE-2018-10901 kernel: kvm: vmx: host GDT limit corruption
Product: [Other] Security Response Reporter: Vladis Dronov <vdronov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: airlied, aquini, bhu, blc, bskeggs, dhoward, esammons, ewk, fhrbata, hdegoede, hkrzesin, hwkernel-mgr, iboverma, ichavero, itamar, jarodwilson, jforbes, jglisse, jkacur, john.j5live, jonathan, josef, jross, jwboyer, kernel-maint, kernel-mgr, labbott, lgoncalv, linville, lpardo, lwang, matt, mchehab, mcressma, mguzik, mjg59, mlangsdo, nmurray, plougher, ppandit, rt-maint, rvrbovsk, security-response-team, skozina, steved, vdronov, williams
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: linux-kernel 2.6.36-rc1 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Linux kernel's KVM virtualization subsystem. The VMX code does not restore the GDT.LIMIT to the previous host value, but instead sets it to 64KB. With a corrupted GDT limit a host's userspace code has an ability to place malicious entries in the GDT, particularly to the per-cpu variables. An attacker can use this to escalate their privileges.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2018-08-24 12:14:06 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1601851, 1603328, 1603330, 1603331, 1603332    
Bug Blocks: 1596383    

Description Vladis Dronov 2018-07-17 10:41:22 UTC 
A flaw was found in Linux kernel in the KVM virtualization subsystem. The VMX code does not restore the GDT.LIMIT to the previous host value, but instead sets it to 64KB. With a corrupted GDT limit a host's userspace code has an ability to place malicious entries in the GDT, particularly to the per-cpu variables. This can lead to a privilege escalation.

An upstream patch:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3444d7da1839b851eefedd372978d8a982316c36
Comment 10 Vladis Dronov 2018-07-26 13:02:30 UTC 
Notes:

Only Red Hat Enterprise Linux 6 is vulnerable to a possible privilege escalation due to this flaw. Other Red Hat products are not vulnerable to this flaw.
Comment 11 Prasad Pandit 2018-08-13 12:25:25 UTC 
Acknowledgments:

Name: Vegard Nossum (Oracle Corporation)
Comment 12 errata-xmlrpc 2018-08-14 18:26:35 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2018:2390 https://access.redhat.com/errata/RHSA-2018:2390
Comment 13 errata-xmlrpc 2018-08-14 20:17:28 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.6 Advanced Update Support
  Red Hat Enterprise Linux 6.6 Telco Extended Update Support

Via RHSA-2018:2392 https://access.redhat.com/errata/RHSA-2018:2392
Comment 14 errata-xmlrpc 2018-08-14 20:19:58 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.4 Advanced Update Support

Via RHSA-2018:2394 https://access.redhat.com/errata/RHSA-2018:2394
Comment 15 errata-xmlrpc 2018-08-14 20:20:33 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.5 Advanced Update Support

Via RHSA-2018:2393 https://access.redhat.com/errata/RHSA-2018:2393
Comment 16 errata-xmlrpc 2018-08-14 20:31:22 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.7 Extended Update Support

Via RHSA-2018:2391 https://access.redhat.com/errata/RHSA-2018:2391