Bug 1645121 (CVE-2018-18281) - CVE-2018-18281 kernel: TLB flush happens too late on mremap
Summary: CVE-2018-18281 kernel: TLB flush happens too late on mremap
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2018-18281
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20181018,repor...
Depends On: 1649636 1645122 1645123 1648486 1649634 1649635 1649637
Blocks: 1645124
TreeView+ depends on / blocked
 
Reported: 2018-11-01 12:54 UTC by Andrej Nemec
Modified: 2019-08-16 02:20 UTC (History)
49 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Since Linux kernel version 3.2, the mremap() syscall performs TLB flushes after dropping pagetable locks. If a syscall such as ftruncate() removes entries from the pagetables of a task that is in the middle of mremap(), a stale TLB entry can remain for a short time that permits access to a physical page after it has been released back to the page allocator and reused.
Clone Of:
Environment:
Last Closed: 2019-06-10 10:41:29 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:0831 None None None 2019-04-23 14:30:34 UTC
Red Hat Product Errata RHSA-2019:2029 None None None 2019-08-06 12:04:30 UTC
Red Hat Product Errata RHSA-2019:2043 None None None 2019-08-06 12:06:53 UTC

Description Andrej Nemec 2018-11-01 12:54:51 UTC
Since Linux kernel version 3.2, the mremap() syscall performs TLB flushes after dropping pagetable locks. If a syscall such as ftruncate() removes entries from the pagetables of a task that is in the middle of mremap(), a stale TLB entry can remain for a short time that permits access to a physical page after it has been released back to the page allocator and reused. 

References:

https://seclists.org/oss-sec/2018/q4/108

https://bugs.chromium.org/p/project-zero/issues/detail?id=1695

An upstream patch:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=eb66ae030829605d61fbef1909ce310e29f78821

Comment 2 Laura Pardo 2018-11-09 21:15:52 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1648486]

Comment 6 Davor 2019-03-15 18:33:44 UTC
Is there a plan to fix this on RHEL 7 or a way to mitigate / workaround?

Thanks in advance.

Comment 8 Yogendra Jog 2019-04-04 15:41:05 UTC
nullIn reply to comment #6:
> Is there a plan to fix this on RHEL 7 or a way to mitigate / workaround?
> 
> Thanks in advance.

Hi,

For RHEL 7 fixes, I will recommend you to open a case with Red Hat support if you have an active subscription.  Regarding the mitigation/workaround one of our security analyst shall update this bug if there is there is any mitigation or workaround.

Regards
YOG.

Comment 9 Vladis Dronov 2019-04-04 19:00:42 UTC
(In reply to Davor from comment #6)
> Is there a plan to fix this on RHEL 7 or a way to mitigate / workaround?

Hello,
Yes, this flaw is going to be fixed in RHEL7. Unfortunately, there is no mitigation as the flaw is in the kernel's core memory management subsystem code. On the other hand we rate this flaw as Moderate severity, as for the moment of this writing there is no known exploit or reproducer or proof-of-concept for RHEL-7.

Comment 10 errata-xmlrpc 2019-04-23 14:30:32 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:0831 https://access.redhat.com/errata/RHSA-2019:0831

Comment 11 errata-xmlrpc 2019-08-06 12:04:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2029 https://access.redhat.com/errata/RHSA-2019:2029

Comment 12 errata-xmlrpc 2019-08-06 12:06:51 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2043 https://access.redhat.com/errata/RHSA-2019:2043


Note You need to log in before you can comment on or make changes to this bug.