Bug 1601849 (CVE-2018-10901) - CVE-2018-10901 kernel: kvm: vmx: host GDT limit corruption
Summary: CVE-2018-10901 kernel: kvm: vmx: host GDT limit corruption
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2018-10901
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1601851 1603328 1603330 1603331 1603332
Blocks: 1596383
TreeView+ depends on / blocked
 
Reported: 2018-07-17 10:41 UTC by Vladis Dronov
Modified: 2021-02-16 23:58 UTC (History)
47 users (show)

Fixed In Version: linux-kernel 2.6.36-rc1
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Linux kernel's KVM virtualization subsystem. The VMX code does not restore the GDT.LIMIT to the previous host value, but instead sets it to 64KB. With a corrupted GDT limit a host's userspace code has an ability to place malicious entries in the GDT, particularly to the per-cpu variables. An attacker can use this to escalate their privileges.
Clone Of:
Environment:
Last Closed: 2018-08-24 12:14:06 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:2390 0 None None None 2018-08-14 18:26:54 UTC
Red Hat Product Errata RHSA-2018:2391 0 None None None 2018-08-14 20:31:39 UTC
Red Hat Product Errata RHSA-2018:2392 0 None None None 2018-08-14 20:17:43 UTC
Red Hat Product Errata RHSA-2018:2393 0 None None None 2018-08-14 20:20:50 UTC
Red Hat Product Errata RHSA-2018:2394 0 None None None 2018-08-14 20:20:17 UTC

Description Vladis Dronov 2018-07-17 10:41:22 UTC 
A flaw was found in Linux kernel in the KVM virtualization subsystem. The VMX code does not restore the GDT.LIMIT to the previous host value, but instead sets it to 64KB. With a corrupted GDT limit a host's userspace code has an ability to place malicious entries in the GDT, particularly to the per-cpu variables. This can lead to a privilege escalation.

An upstream patch:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3444d7da1839b851eefedd372978d8a982316c36
Comment 10 Vladis Dronov 2018-07-26 13:02:30 UTC 
Notes:

Only Red Hat Enterprise Linux 6 is vulnerable to a possible privilege escalation due to this flaw. Other Red Hat products are not vulnerable to this flaw.
Comment 11 Prasad Pandit 2018-08-13 12:25:25 UTC 
Acknowledgments:

Name: Vegard Nossum (Oracle Corporation)
Comment 12 errata-xmlrpc 2018-08-14 18:26:35 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2018:2390 https://access.redhat.com/errata/RHSA-2018:2390
Comment 13 errata-xmlrpc 2018-08-14 20:17:28 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.6 Advanced Update Support
  Red Hat Enterprise Linux 6.6 Telco Extended Update Support

Via RHSA-2018:2392 https://access.redhat.com/errata/RHSA-2018:2392
Comment 14 errata-xmlrpc 2018-08-14 20:19:58 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.4 Advanced Update Support

Via RHSA-2018:2394 https://access.redhat.com/errata/RHSA-2018:2394
Comment 15 errata-xmlrpc 2018-08-14 20:20:33 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.5 Advanced Update Support

Via RHSA-2018:2393 https://access.redhat.com/errata/RHSA-2018:2393
Comment 16 errata-xmlrpc 2018-08-14 20:31:22 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.7 Extended Update Support

Via RHSA-2018:2391 https://access.redhat.com/errata/RHSA-2018:2391
Note You need to log in before you can comment on or make changes to this bug.