Bug 1781514 (CVE-2019-19338)

Summary: CVE-2019-19338 Kernel: KVM: export MSR_IA32_TSX_CTRL to guest - incomplete fix for TAA (CVE-2019-11135)
Product: [Other] Security Response Reporter: Prasad Pandit <ppandit>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: acaringi, airlied, bhu, blc, brdeoliv, bskeggs, dhoward, dvlasenk, esammons, fhrbata, hdegoede, hkrzesin, iboverma, ichavero, itamar, jarodwilson, jeremy, jforbes, jglisse, jlelli, john.j5live, jonathan, josef, jross, jshortt, jstancek, jwboyer, kernel-maint, kernel-mgr, labbott, lgoncalv, linville, masami256, matt, mchehab, mcressma, mjg59, mlangsdo, nmurray, plougher, qzhao, rt-maint, rvrbovsk, steved, williams
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Kernel 5.5 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the fix for CVE-2019-11135, the way Intel CPUs handle speculative execution of instructions when a TSX Asynchronous Abort (TAA) error occurs. When a guest is running on a host CPU affected by the TAA flaw (TAA_NO=0), but is not affected by the MDS issue (MDS_NO=1), the guest was to clear the affected buffers by using a VERW instruction mechanism. But when the MDS_NO=1 bit was exported to the guests, the guests did not use the VERW mechanism to clear the affected buffers. This issue affects guests running on Cascade Lake CPUs and requires that host has 'TSX' enabled. Confidentiality of data is the highest threat associated with this vulnerability.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2020-02-04 14:10:05 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1779553, 1779766, 1779767, 1779768, 1779771, 1781525, 1781526, 1781527, 1781529, 1781651, 1781652, 1781654, 1781655, 1781656, 1781657, 1781658, 1781659, 1781660, 1781661, 1781662    
Bug Blocks: 1752312    

Description Prasad Pandit 2019-12-10 07:54:32 UTC 
Transaction Asynchronous Abort (TAA) h/w issue, which affects Intel CPUs, is mitigated in two ways.
One is by disabling Transactional Synchronisation Extensions (TSX) feature of the CPU. And second is by
clearing the affected Store/Fill/Load port architectural buffers, which may hold sensitive information
bits.

It was found that the current kernel fixes don't completely fix TAA issue for the guest VMs.
When a guest is running on a host CPU affected by TAA flaw (ie. TAA_NO=0) but not affected by MDS issue
(ie MDS_NO=1), to mitigate TAA issue, guest was to clear the affected buffers by using VERW instruction
mechanism. But when MDS_NO=1 bit was exported to the guests, guest did not quite use the VERW mechanism
to clear the affected buffers.

This issue affects guests running on Cascade Lake CPUs, which are affected by the TAA (ie. TAA_NO=0)
issue, but are not affected by the MDS (ie. MDS_NO=1) issue.

It requires that host has 'TSX' enabled.

Upstream patches:
-----------------
  -> https://git.kernel.org/linus/cbbaa2727aa3ae9e0a844803da7cef7fd3b94f2b
  -> https://git.kernel.org/linus/c11f83e0626bdc2b6c550fc8b9b6eeefbd8cefaa
  -> https://git.kernel.org/linus/b07a5c53d42a8c87b208614129e947dd2338ff9c

Reference:
----------
  -> https://www.openwall.com/lists/oss-security/2019/12/10/3
Comment 3 Prasad Pandit 2019-12-10 08:21:12 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1781527]
Comment 9 Prasad Pandit 2019-12-10 11:46:53 UTC 
External References:

https://www.openwall.com/lists/oss-security/2019/12/10/3
https://software.intel.com/security-software-guidance/insights/deep-dive-intel-transactional-synchronization-extensions-intel-tsx-asynchronous-abort
Comment 14 Eric Christensen 2019-12-16 19:04:32 UTC 
Mitigation:

Please refer to the Red Hat Knowledgebase Transactional Synchronization Extensions (TSX) Asynchronous Abort article (https://access.redhat.com/solutions/tsx-asynchronousabort) for mitigation instructions.
Comment 15 Eric Christensen 2020-01-09 01:34:23 UTC 
Statement:

For additional information, please refer to the Red Hat Knowledgebase article: https://access.redhat.com/solutions/tsx-asynchronousabort
Comment 16 errata-xmlrpc 2020-02-04 08:52:30 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:0328 https://access.redhat.com/errata/RHSA-2020:0328
Comment 17 errata-xmlrpc 2020-02-04 13:12:21 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:0339 https://access.redhat.com/errata/RHSA-2020:0339
Comment 18 Product Security DevOps Team 2020-02-04 14:10:05 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-19338
Comment 20 errata-xmlrpc 2020-03-17 16:16:45 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:0834 https://access.redhat.com/errata/RHSA-2020:0834
Comment 21 errata-xmlrpc 2020-03-17 16:17:55 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:0839 https://access.redhat.com/errata/RHSA-2020:0839
Comment 23 errata-xmlrpc 2020-04-14 17:40:23 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2020:1465 https://access.redhat.com/errata/RHSA-2020:1465