Bug 1667782 (CVE-2018-12127)

Summary: CVE-2018-12127 hardware: Micro-architectural Load Port Data Sampling - Information Leak (MLPDS)
Product: [Other] Security Response Reporter: Wade Mealing <wmealing>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: acaringi, agedosier, ahardin, airlied, amit, areis, berrange, bhu, blc, bleanhar, bmcclain, brdeoliv, bskeggs, ccoleman, cfergeau, clalancette, danken, dbecker, dblechte, dedgar, dfediuck, dhoward, dvlasenk, dwmw2, eblake, eedri, ehabkost, esammons, fhrbata, hdegoede, hkrzesin, iboverma, ichavero, itamar, jarodwilson, jcm, jdenemar, jen, jeremy, jferlan, jforbes, jglisse, jgoulding, jjoyce, jkacur, jlelli, jmario, john.j5live, jonathan, josef, jross, jschluet, jstancek, jsuchane, jwboyer, kbasil, kernel-maint, kernel-mgr, knoel, labbott, laine, lgoncalv, lhh, libvirt-maint, linville, lpeer, lsurette, matt, mburns, mchappel, mchehab, mcressma, mgoldboi, michal.skrivanek, mjg59, mkenneth, mlangsdo, mrezanin, mst, nmurray, osoukup, pbonzini, pkrempa, plougher, pmatouse, pmyers, rbalakri, ribarry, rjones, rt-maint, rvrbovsk, sbonazzo, sclewis, security-response-team, sherold, slinaber, srevivo, steved, tburke, tgolembi, veillard, virt-maint, virt-maint, williams, ycui, yjog, ykopkova, yturgema
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Microprocessors use a ‘load port’ subcomponent to perform load operations from memory or IO. During a load operation, the load port receives data from the memory or IO subsystem and then provides the data to the CPU registers and operations in the CPU’s pipelines. Stale load operations results are stored in the 'load port' table until overwritten by newer operations. Certain load-port operations triggered by an attacker can be used to reveal data about previous stale requests leaking data back to the attacker via a timing side-channel.
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-05-22 15:10:30 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1690358, 1690359, 1690360, 1690361, 1690362, 1692388, 1692599, 1693234, 1693235, 1693236, 1693237, 1693238, 1693239, 1693240, 1693241, 1698887, 1698889, 1698890, 1698891, 1698892, 1698894, 1698895, 1698896, 1698897, 1698898, 1698899, 1698900, 1698901, 1698902, 1698903, 1698904, 1698905, 1698906, 1698907, 1698908, 1698909, 1698910, 1698911, 1698912, 1698913, 1698914, 1698915, 1698916, 1698917, 1698925, 1698926, 1703308, 1703309, 1703310, 1703311, 1703312, 1703313, 1704537, 1704538, 1704539, 1704540, 1704552, 1704553, 1704554, 1704555, 1704565, 1704566, 1704618, 1704619, 1704620, 1704621, 1704622, 1704623, 1704624, 1704986, 1705791, 1707267, 1709978, 1709979, 1710004, 1711105, 1716256, 1716261    
Bug Blocks: 1646797, 1705393, 1705394, 1705395, 1705397, 1705398, 1705399    

Description Wade Mealing 2019-01-21 04:29:27 UTC
Microprocessors use ‘load ports’ to perform load operations from memory or IO. During a load operation, the load port receives data from the memory or IO subsystem and then provides the data to the CPU registers and operations in the CPU’s pipelines.

In some implementations, the writeback data bus within each load port can retain data values from older load operations until newer load operations overwrite that data 

MLPDS can reveal stale load port data to malicious actors when:

- A faulting/assisting SSE/AVX/AVX-512 loads that are more than 64 bits in size 
- A faulting/assisting load which spans a 64-byte boundary.

In the above cases, the load operation speculatively provides stale data values from the internal data structures to dependent operations. Speculatively forwarding this data does not end up modifying program execution, but this can be used as a widget to speculatively infer the contents of a victim processes data value through timing access to the load port.



Additional information:
https://access.redhat.com/security/vulnerabilities/mds

Upstream fixes:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=fa4bff165070dc40a3de35b78e4f8da8e8d85ec5


Intel Advisory:
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00233.html

Comment 1 Wade Mealing 2019-01-24 04:31:21 UTC
*** Bug 1646775 has been marked as a duplicate of this bug. ***

Comment 2 Wade Mealing 2019-01-24 04:31:49 UTC
*** Bug 1646778 has been marked as a duplicate of this bug. ***

Comment 20 Wade Mealing 2019-05-14 17:12:41 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1709978]


Created libvirt tracking bugs for this issue:

Affects: fedora-all [bug 1709979]

Comment 22 Petr Matousek 2019-05-14 17:44:46 UTC
Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 1710004]

Comment 23 errata-xmlrpc 2019-05-14 18:13:32 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:1175 https://access.redhat.com/errata/RHSA-2019:1175

Comment 24 errata-xmlrpc 2019-05-14 18:13:56 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:1167 https://access.redhat.com/errata/RHSA-2019:1167

Comment 25 errata-xmlrpc 2019-05-14 18:14:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:1174 https://access.redhat.com/errata/RHSA-2019:1174

Comment 26 errata-xmlrpc 2019-05-14 18:30:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2019:1169 https://access.redhat.com/errata/RHSA-2019:1169

Comment 27 errata-xmlrpc 2019-05-14 18:31:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2019:1180 https://access.redhat.com/errata/RHSA-2019:1180

Comment 28 errata-xmlrpc 2019-05-14 18:31:53 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2019:1181 https://access.redhat.com/errata/RHSA-2019:1181

Comment 29 errata-xmlrpc 2019-05-14 19:07:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:1177 https://access.redhat.com/errata/RHSA-2019:1177

Comment 30 errata-xmlrpc 2019-05-14 19:07:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:1178 https://access.redhat.com/errata/RHSA-2019:1178

Comment 31 errata-xmlrpc 2019-05-14 19:07:38 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7

Via RHSA-2019:1179 https://access.redhat.com/errata/RHSA-2019:1179

Comment 32 errata-xmlrpc 2019-05-14 19:07:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:1168 https://access.redhat.com/errata/RHSA-2019:1168

Comment 33 errata-xmlrpc 2019-05-14 19:08:04 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:1176 https://access.redhat.com/errata/RHSA-2019:1176

Comment 34 errata-xmlrpc 2019-05-14 19:08:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Extended Update Support

Via RHSA-2019:1170 https://access.redhat.com/errata/RHSA-2019:1170

Comment 35 errata-xmlrpc 2019-05-14 19:08:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Extended Update Support

Via RHSA-2019:1184 https://access.redhat.com/errata/RHSA-2019:1184

Comment 36 errata-xmlrpc 2019-05-14 19:09:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Extended Update Support

Via RHSA-2019:1185 https://access.redhat.com/errata/RHSA-2019:1185

Comment 37 errata-xmlrpc 2019-05-14 19:10:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.5 Extended Update Support

Via RHSA-2019:1182 https://access.redhat.com/errata/RHSA-2019:1182

Comment 38 errata-xmlrpc 2019-05-14 19:10:55 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.5 Extended Update Support

Via RHSA-2019:1155 https://access.redhat.com/errata/RHSA-2019:1155

Comment 39 errata-xmlrpc 2019-05-14 19:11:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.5 Extended Update Support

Via RHSA-2019:1183 https://access.redhat.com/errata/RHSA-2019:1183

Comment 40 errata-xmlrpc 2019-05-14 19:52:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.6 Advanced Update Support

Via RHSA-2019:1193 https://access.redhat.com/errata/RHSA-2019:1193

Comment 41 errata-xmlrpc 2019-05-14 19:52:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.5 Advanced Update Support

Via RHSA-2019:1196 https://access.redhat.com/errata/RHSA-2019:1196

Comment 42 errata-xmlrpc 2019-05-14 19:52:56 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.6 Advanced Update Support

Via RHSA-2019:1195 https://access.redhat.com/errata/RHSA-2019:1195

Comment 43 errata-xmlrpc 2019-05-14 19:53:05 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.5 Advanced Update Support

Via RHSA-2019:1198 https://access.redhat.com/errata/RHSA-2019:1198

Comment 44 errata-xmlrpc 2019-05-14 20:18:55 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.2 Advanced Update Support
  Red Hat Enterprise Linux 7.2 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.2 Telco Extended Update Support

Via RHSA-2019:1172 https://access.redhat.com/errata/RHSA-2019:1172

Comment 45 errata-xmlrpc 2019-05-14 20:27:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise MRG 2

Via RHSA-2019:1190 https://access.redhat.com/errata/RHSA-2019:1190

Comment 46 errata-xmlrpc 2019-05-14 20:30:06 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.6 Advanced Update Support

Via RHSA-2019:1194 https://access.redhat.com/errata/RHSA-2019:1194

Comment 47 errata-xmlrpc 2019-05-14 20:44:14 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 9.0 (Mitaka)

Via RHSA-2019:1199 https://access.redhat.com/errata/RHSA-2019:1199

Comment 48 errata-xmlrpc 2019-05-14 20:44:49 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 10.0 (Newton)

Via RHSA-2019:1200 https://access.redhat.com/errata/RHSA-2019:1200

Comment 49 errata-xmlrpc 2019-05-14 20:45:17 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 14.0 (Rocky)

Via RHSA-2019:1202 https://access.redhat.com/errata/RHSA-2019:1202

Comment 50 errata-xmlrpc 2019-05-14 20:45:38 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 13.0 (Queens)

Via RHSA-2019:1201 https://access.redhat.com/errata/RHSA-2019:1201

Comment 51 errata-xmlrpc 2019-05-14 20:45:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.3 Advanced Update Support
  Red Hat Enterprise Linux 7.3 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.3 Telco Extended Update Support

Via RHSA-2019:1171 https://access.redhat.com/errata/RHSA-2019:1171

Comment 52 errata-xmlrpc 2019-05-14 20:46:09 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.5 Advanced Update Support

Via RHSA-2019:1197 https://access.redhat.com/errata/RHSA-2019:1197

Comment 53 errata-xmlrpc 2019-05-14 20:46:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.3 Telco Extended Update Support
  Red Hat Enterprise Linux 7.3 Advanced Update Support
  Red Hat Enterprise Linux 7.3 Update Services for SAP Solutions

Via RHSA-2019:1187 https://access.redhat.com/errata/RHSA-2019:1187

Comment 54 errata-xmlrpc 2019-05-14 20:46:32 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.2 Telco Extended Update Support
  Red Hat Enterprise Linux 7.2 Advanced Update Support
  Red Hat Enterprise Linux 7.2 Update Services for SAP Solutions

Via RHSA-2019:1186 https://access.redhat.com/errata/RHSA-2019:1186

Comment 55 errata-xmlrpc 2019-05-14 20:46:51 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.3 Advanced Update Support
  Red Hat Enterprise Linux 7.3 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.3 Telco Extended Update Support

Via RHSA-2019:1189 https://access.redhat.com/errata/RHSA-2019:1189

Comment 56 errata-xmlrpc 2019-05-14 20:47:05 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.2 Advanced Update Support
  Red Hat Enterprise Linux 7.2 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.2 Telco Extended Update Support

Via RHSA-2019:1188 https://access.redhat.com/errata/RHSA-2019:1188

Comment 57 errata-xmlrpc 2019-05-14 21:09:54 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7

Via RHSA-2019:1203 https://access.redhat.com/errata/RHSA-2019:1203

Comment 58 errata-xmlrpc 2019-05-14 21:10:29 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4.2 for Red Hat Enterprise Linux 7.6 EUS

Via RHSA-2019:1204 https://access.redhat.com/errata/RHSA-2019:1204

Comment 59 errata-xmlrpc 2019-05-14 21:10:42 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization Engine 4.3

Via RHSA-2019:1205 https://access.redhat.com/errata/RHSA-2019:1205

Comment 60 errata-xmlrpc 2019-05-14 21:10:53 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization Engine 4.2

Via RHSA-2019:1206 https://access.redhat.com/errata/RHSA-2019:1206

Comment 61 errata-xmlrpc 2019-05-14 21:11:14 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7

Via RHSA-2019:1207 https://access.redhat.com/errata/RHSA-2019:1207

Comment 62 errata-xmlrpc 2019-05-14 21:11:26 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4.2 for Red Hat Enterprise Linux 7.6 EUS

Via RHSA-2019:1209 https://access.redhat.com/errata/RHSA-2019:1209

Comment 63 errata-xmlrpc 2019-05-14 21:11:36 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7

Via RHSA-2019:1208 https://access.redhat.com/errata/RHSA-2019:1208

Comment 68 errata-xmlrpc 2019-06-11 13:35:46 UTC
This issue has been addressed in the following products:

  Advanced Virtualization for RHEL 8.0.0.Z

Via RHSA-2019:1455 https://access.redhat.com/errata/RHSA-2019:1455

Comment 71 errata-xmlrpc 2019-08-22 09:18:32 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7
  Red Hat Virtualization Engine 4.3

Via RHSA-2019:2553 https://access.redhat.com/errata/RHSA-2019:2553

Comment 72 msiddiqu 2019-10-09 07:42:30 UTC
Statement:

Red Hat Product Security is aware of this issue. Updates will be released as they become available. For additional information, please refer to the 'Vulnerability Response' URL.

Comment 74 Sam Fowler 2020-05-18 06:33:09 UTC
OpenShift Container Platform 4 does not ship its own kernel package, instead using versions shipped in RHEL. Removing from flaw bug affects.

Comment 75 Sam Fowler 2020-05-18 06:35:41 UTC
OpenShift Container Platform 4 does not ship its own kernel package, instead using versions shipped in RHEL. Removing from flaw bug affects.