Bug 1601849 (CVE-2018-10901) - CVE-2018-10901 kernel: kvm: vmx: host GDT limit corruption
Summary: CVE-2018-10901 kernel: kvm: vmx: host GDT limit corruption
Status: CLOSED ERRATA
Alias: CVE-2018-10901
Product: Security Response
Classification: Other
Component: vulnerability   
(Show other bugs)
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=important,public=20100802,repo...
Keywords: Security
Depends On: 1601851 1603328 1603330 1603331 1603332
Blocks: 1596383
TreeView+ depends on / blocked
 
Reported: 2018-07-17 10:41 UTC by Vladis Dronov
Modified: 2018-09-20 07:48 UTC (History)
47 users (show)

Fixed In Version: linux-kernel 2.6.36-rc1
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Linux kernel's KVM virtualization subsystem. The VMX code does not restore the GDT.LIMIT to the previous host value, but instead sets it to 64KB. With a corrupted GDT limit a host's userspace code has an ability to place malicious entries in the GDT, particularly to the per-cpu variables. An attacker can use this to escalate their privileges.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-08-24 12:14:06 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:2390 None None None 2018-08-14 18:26 UTC
Red Hat Product Errata RHSA-2018:2391 None None None 2018-08-14 20:31 UTC
Red Hat Product Errata RHSA-2018:2392 None None None 2018-08-14 20:17 UTC
Red Hat Product Errata RHSA-2018:2393 None None None 2018-08-14 20:20 UTC
Red Hat Product Errata RHSA-2018:2394 None None None 2018-08-14 20:20 UTC

Description Vladis Dronov 2018-07-17 10:41:22 UTC
A flaw was found in Linux kernel in the KVM virtualization subsystem. The VMX code does not restore the GDT.LIMIT to the previous host value, but instead sets it to 64KB. With a corrupted GDT limit a host's userspace code has an ability to place malicious entries in the GDT, particularly to the per-cpu variables. This can lead to a privilege escalation.

An upstream patch:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3444d7da1839b851eefedd372978d8a982316c36

Comment 10 Vladis Dronov 2018-07-26 13:02:30 UTC
Notes:

Only Red Hat Enterprise Linux 6 is vulnerable to a possible privilege escalation due to this flaw. Other Red Hat products are not vulnerable to this flaw.

Comment 11 Prasad J Pandit 2018-08-13 12:25:25 UTC
Acknowledgments:

Name: Vegard Nossum (Oracle Corporation)

Comment 12 errata-xmlrpc 2018-08-14 18:26:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2018:2390 https://access.redhat.com/errata/RHSA-2018:2390

Comment 13 errata-xmlrpc 2018-08-14 20:17:28 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.6 Advanced Update Support
  Red Hat Enterprise Linux 6.6 Telco Extended Update Support

Via RHSA-2018:2392 https://access.redhat.com/errata/RHSA-2018:2392

Comment 14 errata-xmlrpc 2018-08-14 20:19:58 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.4 Advanced Update Support

Via RHSA-2018:2394 https://access.redhat.com/errata/RHSA-2018:2394

Comment 15 errata-xmlrpc 2018-08-14 20:20:33 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.5 Advanced Update Support

Via RHSA-2018:2393 https://access.redhat.com/errata/RHSA-2018:2393

Comment 16 errata-xmlrpc 2018-08-14 20:31:22 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.7 Extended Update Support

Via RHSA-2018:2391 https://access.redhat.com/errata/RHSA-2018:2391


Note You need to log in before you can comment on or make changes to this bug.