Bug 1645121 (CVE-2018-18281)

Summary: CVE-2018-18281 kernel: TLB flush happens too late on mremap
Product: [Other] Security Response Reporter: Andrej Nemec <anemec>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: acaringi, airlied, bhu, blc, brdeoliv, bskeggs, dhoward, dodevski, dvlasenk, ewk, fhrbata, hdegoede, hkrzesin, hwkernel-mgr, iboverma, ichavero, itamar, jarodwilson, jforbes, jglisse, jkacur, john.j5live, jonathan, josef, jross, jstancek, jwboyer, kernel-maint, kernel-mgr, labbott, lgoncalv, linville, matt, mchehab, mcressma, mjg59, mlangsdo, mvanderw, nmurray, plougher, rt-maint, rvrbovsk, security-response-team, slawomir, steved, vdronov, williams, yjog, yozone
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Since Linux kernel version 3.2, the mremap() syscall performs TLB flushes after dropping pagetable locks. If a syscall such as ftruncate() removes entries from the pagetables of a task that is in the middle of mremap(), a stale TLB entry can remain for a short time that permits access to a physical page after it has been released back to the page allocator and reused.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-10 10:41:29 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1645122, 1645123, 1648486, 1649634, 1649635, 1649636, 1649637, 1772250, 1772251, 1772252, 1772253, 1788046    
Bug Blocks: 1645124    

Description Andrej Nemec 2018-11-01 12:54:51 UTC 
Since Linux kernel version 3.2, the mremap() syscall performs TLB flushes after dropping pagetable locks. If a syscall such as ftruncate() removes entries from the pagetables of a task that is in the middle of mremap(), a stale TLB entry can remain for a short time that permits access to a physical page after it has been released back to the page allocator and reused. 

References:

https://seclists.org/oss-sec/2018/q4/108

https://bugs.chromium.org/p/project-zero/issues/detail?id=1695

An upstream patch:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=eb66ae030829605d61fbef1909ce310e29f78821
Comment 2 Laura Pardo 2018-11-09 21:15:52 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1648486]
Comment 6 Davor 2019-03-15 18:33:44 UTC 
Is there a plan to fix this on RHEL 7 or a way to mitigate / workaround?

Thanks in advance.
Comment 8 Yogendra Jog 2019-04-04 15:41:05 UTC 
nullIn reply to comment #6:
> Is there a plan to fix this on RHEL 7 or a way to mitigate / workaround?
> 
> Thanks in advance.

Hi,

For RHEL 7 fixes, I will recommend you to open a case with Red Hat support if you have an active subscription.  Regarding the mitigation/workaround one of our security analyst shall update this bug if there is there is any mitigation or workaround.

Regards
YOG.
Comment 9 Vladis Dronov 2019-04-04 19:00:42 UTC 
(In reply to Davor from comment #6)
> Is there a plan to fix this on RHEL 7 or a way to mitigate / workaround?

Hello,
Yes, this flaw is going to be fixed in RHEL7. Unfortunately, there is no mitigation as the flaw is in the kernel's core memory management subsystem code. On the other hand we rate this flaw as Moderate severity, as for the moment of this writing there is no known exploit or reproducer or proof-of-concept for RHEL-7.
Comment 10 errata-xmlrpc 2019-04-23 14:30:32 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:0831 https://access.redhat.com/errata/RHSA-2019:0831
Comment 11 errata-xmlrpc 2019-08-06 12:04:27 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2029 https://access.redhat.com/errata/RHSA-2019:2029
Comment 12 errata-xmlrpc 2019-08-06 12:06:51 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2043 https://access.redhat.com/errata/RHSA-2019:2043
Comment 18 errata-xmlrpc 2020-01-07 12:26:19 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.5 Extended Update Support

Via RHSA-2020:0036 https://access.redhat.com/errata/RHSA-2020:0036
Comment 19 errata-xmlrpc 2020-01-14 08:04:51 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise MRG 2

Via RHSA-2020:0100 https://access.redhat.com/errata/RHSA-2020:0100
Comment 20 errata-xmlrpc 2020-01-14 15:53:11 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Advanced Update Support
  Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.4 Telco Extended Update Support

Via RHSA-2020:0103 https://access.redhat.com/errata/RHSA-2020:0103
Comment 21 errata-xmlrpc 2020-01-21 17:01:56 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2020:0179 https://access.redhat.com/errata/RHSA-2020:0179