Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
First Last Prev Next    This bug is not in your last search results.
Bug 1601849 - (CVE-2018-10901) CVE-2018-10901 kernel: kvm: vmx: host GDT limit corruption
CVE-2018-10901 kernel: kvm: vmx: host GDT limit corruption
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
high Severity high
: ---
: ---
Assigned To: Red Hat Product Security
impact=important,public=20100802,repo...
: Security
Depends On: 1601851 1603328 1603330 1603331 1603332
Blocks: 1596383
  Show dependency treegraph
 
Reported: 2018-07-17 06:41 EDT by Vladis Dronov
Modified: 2018-09-20 03:48 EDT (History)
47 users (show)

See Also:
Fixed In Version: linux-kernel 2.6.36-rc1
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Linux kernel's KVM virtualization subsystem. The VMX code does not restore the GDT.LIMIT to the previous host value, but instead sets it to 64KB. With a corrupted GDT limit a host's userspace code has an ability to place malicious entries in the GDT, particularly to the per-cpu variables. An attacker can use this to escalate their privileges.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-08-24 08:14:06 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:2390 None None None 2018-08-14 14:26 EDT
Red Hat Product Errata RHSA-2018:2391 None None None 2018-08-14 16:31 EDT
Red Hat Product Errata RHSA-2018:2392 None None None 2018-08-14 16:17 EDT
Red Hat Product Errata RHSA-2018:2393 None None None 2018-08-14 16:20 EDT
Red Hat Product Errata RHSA-2018:2394 None None None 2018-08-14 16:20 EDT

  None (edit)
Description Vladis Dronov 2018-07-17 06:41:22 EDT 
A flaw was found in Linux kernel in the KVM virtualization subsystem. The VMX code does not restore the GDT.LIMIT to the previous host value, but instead sets it to 64KB. With a corrupted GDT limit a host's userspace code has an ability to place malicious entries in the GDT, particularly to the per-cpu variables. This can lead to a privilege escalation.

An upstream patch:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3444d7da1839b851eefedd372978d8a982316c36
Comment 10 Vladis Dronov 2018-07-26 09:02:30 EDT 
Notes:

Only Red Hat Enterprise Linux 6 is vulnerable to a possible privilege escalation due to this flaw. Other Red Hat products are not vulnerable to this flaw.
Comment 11 Prasad J Pandit 2018-08-13 08:25:25 EDT 
Acknowledgments:

Name: Vegard Nossum (Oracle Corporation)
Comment 12 errata-xmlrpc 2018-08-14 14:26:35 EDT 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2018:2390 https://access.redhat.com/errata/RHSA-2018:2390
Comment 13 errata-xmlrpc 2018-08-14 16:17:28 EDT 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.6 Advanced Update Support
  Red Hat Enterprise Linux 6.6 Telco Extended Update Support

Via RHSA-2018:2392 https://access.redhat.com/errata/RHSA-2018:2392
Comment 14 errata-xmlrpc 2018-08-14 16:19:58 EDT 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.4 Advanced Update Support

Via RHSA-2018:2394 https://access.redhat.com/errata/RHSA-2018:2394
Comment 15 errata-xmlrpc 2018-08-14 16:20:33 EDT 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.5 Advanced Update Support

Via RHSA-2018:2393 https://access.redhat.com/errata/RHSA-2018:2393
Comment 16 errata-xmlrpc 2018-08-14 16:31:22 EDT 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.7 Extended Update Support

Via RHSA-2018:2391 https://access.redhat.com/errata/RHSA-2018:2391
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.