Bug 1646781 (CVE-2018-12126)

Summary:	CVE-2018-12126 hardware: Microarchitectural Store Buffer Data Sampling (MSBDS)
Product:	[Other] Security Response	Reporter:	Wade Mealing <wmealing>
Component:	vulnerability	Assignee:	Red Hat Product Security <security-response-team>
Status:	CLOSED ERRATA	QA Contact:
Severity:	medium	Docs Contact:
Priority:	medium
Version:	unspecified	CC:	acaringi, agedosier, ahardin, airlied, amit, areis, berrange, bhu, bleanhar, bmcclain, brdeoliv, bskeggs, ccoleman, cfergeau, clalancette, danken, dbecker, dblechte, dedgar, dfediuck, dhoward, dvlasenk, dwmw2, eblake, eedri, ehabkost, emcnabb, esammons, fhrbata, hdegoede, hkrzesin, iboverma, ichavero, itamar, jarodwilson, jbastian, jcm, jdenemar, jen, jeremy, jferlan, jforbes, jglisse, jgoulding, jjoyce, jkacur, jlelli, jmario, jobaker, john.j5live, jonathan, josef, jpoimboe, jross, jschluet, jstancek, jsuchane, jwboyer, kbasil, kernel-maint, kernel-mgr, knoel, labbott, laine, lgoncalv, lhh, libvirt-maint, lilu, linville, longman, lpeer, lsurette, matt, mburns, mchappel, mchehab, mcressma, mgoldboi, michal.skrivanek, mjenner, mjg59, mkenneth, mrezanin, mst, nmurray, osoukup, pbonzini, pkrempa, plougher, pmatouse, pmyers, rbalakri, ribarry, richard.poettler, rjones, rt-maint, rvrbovsk, sbonazzo, sclewis, security-response-team, sherold, slinaber, srevivo, steved, tburke, tgolembi, veillard, virt-maint, virt-maint, williams, wmealing, wrd, ycui, yjog, ykopkova, yturgema
Target Milestone:	---	Keywords:	Security
Target Release:	---
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:		Doc Type:	If docs needed, set a value
Doc Text:	Modern Intel microprocessors implement hardware-level micro-optimizations to improve the performance of writing data back to CPU caches. The write operation is split into STA (STore Address) and STD (STore Data) sub-operations. These sub-operations allow the processor to hand-off address generation logic into these sub-operations for optimized writes. Both of these sub-operations write to a shared distributed processor structure called the 'processor store buffer'. As a result, an unprivileged attacker could use this flaw to read private data resident within the CPU's processor store buffer.	Story Points:	---
Clone Of:		Environment:
Last Closed:	2019-05-22 15:08:48 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:
Bug Depends On:	1690335, 1690337, 1690338, 1690339, 1690340, 1690341, 1692386, 1692597, 1693216, 1693217, 1693219, 1693220, 1693221, 1693222, 1693243, 1697550, 1697551, 1698769, 1698770, 1698771, 1698772, 1698773, 1698774, 1698775, 1698776, 1698777, 1698778, 1698779, 1698780, 1698781, 1698782, 1698783, 1698784, 1698785, 1698786, 1698787, 1698788, 1698789, 1698790, 1698791, 1698792, 1698793, 1698794, 1698795, 1698796, 1698797, 1698798, 1698799, 1698800, 1698809, 1698810, 1703295, 1703296, 1703297, 1703298, 1703299, 1703300, 1704533, 1704534, 1704535, 1704536, 1704545, 1704546, 1704548, 1704549, 1704550, 1704551, 1704611, 1704612, 1704613, 1704614, 1704615, 1704616, 1704617, 1704985, 1707262, 1709976, 1709977, 1710002, 1710830, 1716254, 1716262
Bug Blocks:	1646797, 1705393, 1705394, 1705395, 1705397, 1705398, 1705399

Description Wade Mealing 2018-11-06 02:09:52 UTC

A flaw was found in many Intel microprocessor designs related to possible information leak of the processor store buffer structure which contains recent stores (writes) to memory..

Modern Intel microprocessors implement hardware-level micro-optimizations to improve the performance of writing data back to CPU caches. The write operation is split into STA (STore Address) and STD (STore Data) sub-operations. These sub-operations allow the processor to hand-off address generation logic into these sub-operations for optimized writes. Both of these sub-operations write to a shared distributed processor structure called the 'processor store buffer'.

The processor store buffer is conceptually a table of address, value, and 'is valid' entries. As the sub-operations can execute independently of each other, they can each update the address, and/or value columns of the table independently. This means that at different points in time the address or value may be invalid.

The processor may speculatively forward entries from the store buffer. The split design used allows for such forwarding to speculatively use stale values, such as the wrong address, returning data from a previous unrelated store. Since this only occurs for loads that will be reissued following the fault/assist resolution, the program is not architecturally impacted, but store buffer state can be leaked to malicious code carefully crafted to retrieve this data via side-channel analysis.

The processor store buffer entries are equally divided between the number of active Hyper-Threads. Conditions such as power-state change can reallocate the processor store buffer entries in a half-updated state to another thread without ensuring that the entries have been cleared.

Additional information:
https://access.redhat.com/security/vulnerabilities/mds

Upstream fixes:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=fa4bff165070dc40a3de35b78e4f8da8e8d85ec5

Intel Advisory:
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00233.html

Comment 23 Wade Mealing 2019-05-14 17:11:56 UTC

Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1709976]


Created libvirt tracking bugs for this issue:

Affects: fedora-all [bug 1709977]

Comment 24 Wade Mealing 2019-05-14 17:36:06 UTC

External References:

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00233.html
https://access.redhat.com/security/vulnerabilities/mds

Comment 25 errata-xmlrpc 2019-05-14 18:13:28 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:1175 https://access.redhat.com/errata/RHSA-2019:1175

Comment 26 errata-xmlrpc 2019-05-14 18:13:47 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:1167 https://access.redhat.com/errata/RHSA-2019:1167

Comment 27 errata-xmlrpc 2019-05-14 18:14:00 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:1174 https://access.redhat.com/errata/RHSA-2019:1174

Comment 28 errata-xmlrpc 2019-05-14 18:30:34 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2019:1169 https://access.redhat.com/errata/RHSA-2019:1169

Comment 29 errata-xmlrpc 2019-05-14 18:31:01 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2019:1180 https://access.redhat.com/errata/RHSA-2019:1180

Comment 30 errata-xmlrpc 2019-05-14 18:31:43 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2019:1181 https://access.redhat.com/errata/RHSA-2019:1181

Comment 31 errata-xmlrpc 2019-05-14 19:07:04 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:1177 https://access.redhat.com/errata/RHSA-2019:1177

Comment 32 errata-xmlrpc 2019-05-14 19:07:18 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:1178 https://access.redhat.com/errata/RHSA-2019:1178

Comment 33 errata-xmlrpc 2019-05-14 19:07:29 UTC

This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7

Via RHSA-2019:1179 https://access.redhat.com/errata/RHSA-2019:1179

Comment 34 errata-xmlrpc 2019-05-14 19:07:43 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:1168 https://access.redhat.com/errata/RHSA-2019:1168

Comment 35 errata-xmlrpc 2019-05-14 19:07:59 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:1176 https://access.redhat.com/errata/RHSA-2019:1176

Comment 36 errata-xmlrpc 2019-05-14 19:08:32 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Extended Update Support

Via RHSA-2019:1170 https://access.redhat.com/errata/RHSA-2019:1170

Comment 37 errata-xmlrpc 2019-05-14 19:08:48 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Extended Update Support

Via RHSA-2019:1184 https://access.redhat.com/errata/RHSA-2019:1184

Comment 38 errata-xmlrpc 2019-05-14 19:08:59 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Extended Update Support

Via RHSA-2019:1185 https://access.redhat.com/errata/RHSA-2019:1185

Comment 39 errata-xmlrpc 2019-05-14 19:10:16 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.5 Extended Update Support

Via RHSA-2019:1182 https://access.redhat.com/errata/RHSA-2019:1182

Comment 40 errata-xmlrpc 2019-05-14 19:10:47 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.5 Extended Update Support

Via RHSA-2019:1155 https://access.redhat.com/errata/RHSA-2019:1155

Comment 41 errata-xmlrpc 2019-05-14 19:11:02 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.5 Extended Update Support

Via RHSA-2019:1183 https://access.redhat.com/errata/RHSA-2019:1183

Comment 42 errata-xmlrpc 2019-05-14 19:52:00 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.6 Advanced Update Support

Via RHSA-2019:1193 https://access.redhat.com/errata/RHSA-2019:1193

Comment 43 errata-xmlrpc 2019-05-14 19:52:23 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.5 Advanced Update Support

Via RHSA-2019:1196 https://access.redhat.com/errata/RHSA-2019:1196

Comment 44 errata-xmlrpc 2019-05-14 19:52:45 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.6 Advanced Update Support

Via RHSA-2019:1195 https://access.redhat.com/errata/RHSA-2019:1195

Comment 45 errata-xmlrpc 2019-05-14 19:52:56 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.5 Advanced Update Support

Via RHSA-2019:1198 https://access.redhat.com/errata/RHSA-2019:1198

Comment 46 errata-xmlrpc 2019-05-14 20:18:52 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.2 Advanced Update Support
  Red Hat Enterprise Linux 7.2 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.2 Telco Extended Update Support

Via RHSA-2019:1172 https://access.redhat.com/errata/RHSA-2019:1172

Comment 47 errata-xmlrpc 2019-05-14 20:26:57 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise MRG 2

Via RHSA-2019:1190 https://access.redhat.com/errata/RHSA-2019:1190

Comment 48 errata-xmlrpc 2019-05-14 20:29:56 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.6 Advanced Update Support

Via RHSA-2019:1194 https://access.redhat.com/errata/RHSA-2019:1194

Comment 49 errata-xmlrpc 2019-05-14 20:44:13 UTC

This issue has been addressed in the following products:

  Red Hat OpenStack Platform 9.0 (Mitaka)

Via RHSA-2019:1199 https://access.redhat.com/errata/RHSA-2019:1199

Comment 50 errata-xmlrpc 2019-05-14 20:44:38 UTC

This issue has been addressed in the following products:

  Red Hat OpenStack Platform 10.0 (Newton)

Via RHSA-2019:1200 https://access.redhat.com/errata/RHSA-2019:1200

Comment 51 errata-xmlrpc 2019-05-14 20:45:06 UTC

This issue has been addressed in the following products:

  Red Hat OpenStack Platform 14.0 (Rocky)

Via RHSA-2019:1202 https://access.redhat.com/errata/RHSA-2019:1202

Comment 52 errata-xmlrpc 2019-05-14 20:45:28 UTC

This issue has been addressed in the following products:

  Red Hat OpenStack Platform 13.0 (Queens)

Via RHSA-2019:1201 https://access.redhat.com/errata/RHSA-2019:1201

Comment 53 errata-xmlrpc 2019-05-14 20:45:49 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.3 Advanced Update Support
  Red Hat Enterprise Linux 7.3 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.3 Telco Extended Update Support

Via RHSA-2019:1171 https://access.redhat.com/errata/RHSA-2019:1171

Comment 54 errata-xmlrpc 2019-05-14 20:46:01 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.5 Advanced Update Support

Via RHSA-2019:1197 https://access.redhat.com/errata/RHSA-2019:1197

Comment 55 errata-xmlrpc 2019-05-14 20:46:18 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.3 Telco Extended Update Support
  Red Hat Enterprise Linux 7.3 Advanced Update Support
  Red Hat Enterprise Linux 7.3 Update Services for SAP Solutions

Via RHSA-2019:1187 https://access.redhat.com/errata/RHSA-2019:1187

Comment 56 errata-xmlrpc 2019-05-14 20:46:41 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.2 Telco Extended Update Support
  Red Hat Enterprise Linux 7.2 Advanced Update Support
  Red Hat Enterprise Linux 7.2 Update Services for SAP Solutions

Via RHSA-2019:1186 https://access.redhat.com/errata/RHSA-2019:1186

Comment 57 errata-xmlrpc 2019-05-14 20:46:42 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.3 Advanced Update Support
  Red Hat Enterprise Linux 7.3 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.3 Telco Extended Update Support

Via RHSA-2019:1189 https://access.redhat.com/errata/RHSA-2019:1189

Comment 58 errata-xmlrpc 2019-05-14 20:46:59 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.2 Advanced Update Support
  Red Hat Enterprise Linux 7.2 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.2 Telco Extended Update Support

Via RHSA-2019:1188 https://access.redhat.com/errata/RHSA-2019:1188

Comment 59 errata-xmlrpc 2019-05-14 20:47:12 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.3 Advanced Update Support
  Red Hat Enterprise Linux 7.3 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.3 Telco Extended Update Support

Via RHSA-2019:1189 https://access.redhat.com/errata/RHSA-2019:1189

Comment 60 errata-xmlrpc 2019-05-14 21:09:54 UTC

This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7

Via RHSA-2019:1203 https://access.redhat.com/errata/RHSA-2019:1203

Comment 61 errata-xmlrpc 2019-05-14 21:10:13 UTC

This issue has been addressed in the following products:

  Red Hat Virtualization 4.2 for Red Hat Enterprise Linux 7.6 EUS

Via RHSA-2019:1204 https://access.redhat.com/errata/RHSA-2019:1204

Comment 62 errata-xmlrpc 2019-05-14 21:10:31 UTC

This issue has been addressed in the following products:

  Red Hat Virtualization Engine 4.3

Via RHSA-2019:1205 https://access.redhat.com/errata/RHSA-2019:1205

Comment 63 errata-xmlrpc 2019-05-14 21:10:53 UTC

This issue has been addressed in the following products:

  Red Hat Virtualization Engine 4.2

Via RHSA-2019:1206 https://access.redhat.com/errata/RHSA-2019:1206

Comment 64 errata-xmlrpc 2019-05-14 21:11:04 UTC

This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7

Via RHSA-2019:1207 https://access.redhat.com/errata/RHSA-2019:1207

Comment 65 errata-xmlrpc 2019-05-14 21:11:15 UTC

This issue has been addressed in the following products:

  Red Hat Virtualization 4.2 for Red Hat Enterprise Linux 7.6 EUS

Via RHSA-2019:1209 https://access.redhat.com/errata/RHSA-2019:1209

Comment 66 errata-xmlrpc 2019-05-14 21:11:36 UTC

This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7

Via RHSA-2019:1208 https://access.redhat.com/errata/RHSA-2019:1208

Comment 71 errata-xmlrpc 2019-06-11 13:35:42 UTC

This issue has been addressed in the following products:

  Advanced Virtualization for RHEL 8.0.0.Z

Via RHSA-2019:1455 https://access.redhat.com/errata/RHSA-2019:1455

Comment 74 errata-xmlrpc 2019-08-22 09:18:27 UTC

This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7
  Red Hat Virtualization Engine 4.3

Via RHSA-2019:2553 https://access.redhat.com/errata/RHSA-2019:2553

Comment 75 msiddiqu 2019-10-09 07:42:37 UTC

Statement:

Red Hat Product Security is aware of this issue. Updates will be released as they become available. For additional information, please refer to the 'Vulnerability Response' URL.

Comment 77 Sam Fowler 2020-05-18 06:32:38 UTC

OpenShift Container Platform 4 does not ship its own kernel package, instead using versions shipped in RHEL. Removing from flaw bug affects.