Bug 1646781 (CVE-2018-12126) - CVE-2018-12126 hardware: Microarchitectural Store Buffer Data Sampling (MSBDS)
Summary: CVE-2018-12126 hardware: Microarchitectural Store Buffer Data Sampling (MSBDS)
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2018-12126
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20190514:1700,...
Depends On: 1690338 1690339 1690341 1693220 1698770 1698774 1698793 1698797 1703295 1703297 1703298 1704533 1704545 1704546 1710830 1716262 1690335 1690337 1690340 1692386 1692597 1693216 1693217 1693219 1693221 1693222 1693243 1697550 1697551 1698769 1698771 1698772 1698773 1698775 1698776 1698777 1698778 1698779 1698780 1698781 1698782 1698783 1698784 1698785 1698786 1698787 1698788 1698789 1698790 1698791 1698792 1698794 1698795 1698796 1698798 1698799 1698800 1698809 1698810 1703296 1703299 1703300 1704534 1704535 1704536 1704548 1704549 1704550 1704551 1704611 1704612 1704613 1704614 1704615 1704616 1704617 1704985 1707262 1709976 1709977 1710002 1716254
Blocks: 1646797 1705393 1705394 1705395 1705397 1705398 1705399
 
Reported: 2018-11-06 02:09 UTC by Wade Mealing
Modified: 2019-06-20 11:00 UTC

Fixed In Version:
Doc Text:
Modern Intel microprocessors implement hardware-level micro-optimizations to improve the performance of writing data back to CPU caches. The write operation is split into STA (STore Address) and STD (STore Data) sub-operations. These sub-operations allow the processor to hand-off address generation logic into these sub-operations for optimized writes. Both of these sub-operations write to a shared distributed processor structure called the 'processor store buffer'. As a result, an unprivileged attacker could use this flaw to read private data resident within the CPU's processor store buffer.
Clone Of:
Environment:
Last Closed: 2019-05-22 15:08:48 UTC




Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:1241 None None None 2019-05-16 19:29:34 UTC
Red Hat Product Errata RHBA-2019:1242 None None None 2019-05-16 19:28:50 UTC
Red Hat Product Errata RHSA-2019:1155 None None None 2019-05-14 19:10:51 UTC
Red Hat Product Errata RHSA-2019:1167 None None None 2019-05-14 18:13:51 UTC
Red Hat Product Errata RHSA-2019:1168 None None None 2019-05-14 19:07:48 UTC
Red Hat Product Errata RHSA-2019:1169 None None None 2019-05-14 18:30:39 UTC
Red Hat Product Errata RHSA-2019:1170 None None None 2019-05-14 19:08:37 UTC
Red Hat Product Errata RHSA-2019:1171 None None None 2019-05-14 20:45:53 UTC
Red Hat Product Errata RHSA-2019:1172 None None None 2019-05-14 20:18:56 UTC
Red Hat Product Errata RHSA-2019:1174 None None None 2019-05-14 18:14:04 UTC
Red Hat Product Errata RHSA-2019:1175 None None None 2019-05-14 18:13:32 UTC
Red Hat Product Errata RHSA-2019:1176 None None None 2019-05-14 19:08:04 UTC
Red Hat Product Errata RHSA-2019:1177 None None None 2019-05-14 19:07:08 UTC
Red Hat Product Errata RHSA-2019:1178 None None None 2019-05-14 19:07:22 UTC
Red Hat Product Errata RHSA-2019:1179 None None None 2019-05-14 19:07:33 UTC
Red Hat Product Errata RHSA-2019:1180 None None None 2019-05-14 18:31:05 UTC
Red Hat Product Errata RHSA-2019:1181 None None None 2019-05-14 18:31:47 UTC
Red Hat Product Errata RHSA-2019:1182 None None None 2019-05-14 19:10:20 UTC
Red Hat Product Errata RHSA-2019:1183 None None None 2019-05-14 19:11:07 UTC
Red Hat Product Errata RHSA-2019:1184 None None None 2019-05-14 19:08:52 UTC
Red Hat Product Errata RHSA-2019:1185 None None None 2019-05-14 19:09:03 UTC
Red Hat Product Errata RHSA-2019:1186 None None None 2019-05-14 20:46:45 UTC
Red Hat Product Errata RHSA-2019:1187 None None None 2019-05-14 20:46:22 UTC
Red Hat Product Errata RHSA-2019:1188 None None None 2019-05-14 20:47:04 UTC
Red Hat Product Errata RHSA-2019:1189 None None None 2019-05-14 20:47:17 UTC
Red Hat Product Errata RHSA-2019:1190 None None None 2019-05-14 20:27:00 UTC
Red Hat Product Errata RHSA-2019:1193 None None None 2019-05-14 19:52:04 UTC
Red Hat Product Errata RHSA-2019:1194 None None None 2019-05-14 20:30:00 UTC
Red Hat Product Errata RHSA-2019:1195 None None None 2019-05-14 19:52:49 UTC
Red Hat Product Errata RHSA-2019:1196 None None None 2019-05-14 19:52:28 UTC
Red Hat Product Errata RHSA-2019:1197 None None None 2019-05-14 20:46:05 UTC
Red Hat Product Errata RHSA-2019:1198 None None None 2019-05-14 19:53:00 UTC
Red Hat Product Errata RHSA-2019:1199 None None None 2019-05-14 20:44:17 UTC
Red Hat Product Errata RHSA-2019:1200 None None None 2019-05-14 20:44:43 UTC
Red Hat Product Errata RHSA-2019:1201 None None None 2019-05-14 20:45:32 UTC
Red Hat Product Errata RHSA-2019:1202 None None None 2019-05-14 20:45:11 UTC
Red Hat Product Errata RHSA-2019:1203 None None None 2019-05-14 21:10:03 UTC
Red Hat Product Errata RHSA-2019:1204 None None None 2019-05-14 21:10:21 UTC
Red Hat Product Errata RHSA-2019:1205 None None None 2019-05-14 21:10:36 UTC
Red Hat Product Errata RHSA-2019:1206 None None None 2019-05-14 21:10:57 UTC
Red Hat Product Errata RHSA-2019:1207 None None None 2019-05-14 21:11:09 UTC
Red Hat Product Errata RHSA-2019:1208 None None None 2019-05-14 21:11:40 UTC
Red Hat Product Errata RHSA-2019:1209 None None None 2019-05-14 21:11:20 UTC
Red Hat Product Errata RHSA-2019:1455 None None None 2019-06-11 13:35:47 UTC

Description Wade Mealing 2018-11-06 02:09:52 UTC
A flaw was found in many Intel microprocessor designs related to a possible information leak of the processor store buffer structure, which contains recent stores (writes) to memory.

Modern Intel microprocessors implement hardware-level micro-optimizations to improve the performance of writing data back to CPU caches. The write operation is split into STA (STore Address) and STD (STore Data) sub-operations. These sub-operations allow the processor to hand-off address generation logic into these sub-operations for optimized writes. Both of these sub-operations write to a shared distributed processor structure called the 'processor store buffer'.

The processor store buffer is conceptually a table of address, value, and 'is valid' entries. As the sub-operations can execute independently of each other, they can each update the address, and/or value columns of the table independently. This means that at different points in time the address or value may be invalid. 


The processor may speculatively forward entries from the store buffer. The split design used allows for such forwarding to speculatively use stale values, such as the wrong address, returning data from a previous unrelated store. Since this only occurs for loads that will be reissued following the fault/assist resolution, the program is not architecturally impacted, but store buffer state can be leaked to malicious code carefully crafted to retrieve this data via side-channel analysis.

The processor store buffer entries are equally divided between the number of active Hyper-Threads. Conditions such as power-state change can reallocate the processor store buffer entries in a half-updated state to another thread without ensuring that the entries have been cleared.



Additional information:
https://access.redhat.com/security/vulnerabilities/mds

Upstream fixes:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=fa4bff165070dc40a3de35b78e4f8da8e8d85ec5


Intel Advisory:
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00233.html
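
A defender-side check for the state the fixes leave a host in, as an added example (not part of the original bug report or of Red Hat's tooling): it classifies the status string that kernels carrying the upstream MDS fixes expose in /sys/devices/system/cpu/vulnerabilities/mds, including the SMT suffix, which matters here because store buffer entries are divided between Hyper-Threads. The verdict names, the `host|status` inventory format and the sample hosts are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the kernel's MDS mitigation status.
# Status strings follow the upstream kernel documentation
# (Documentation/admin-guide/hw-vuln/mds.rst); verdict names are assumptions.

MDS_SYSFS=/sys/devices/system/cpu/vulnerabilities/mds

# mds_classify "<status line>" prints one verdict:
#   not-affected | mitigated | mitigated-smt-exposed |
#   needs-microcode | vulnerable | unknown
mds_classify() {
    st=$1
    case $st in
        "Not affected"*)
            echo not-affected ;;
        "Mitigation: Clear CPU buffers"*)
            # Buffer clearing is active, but a sibling Hyper-Thread can
            # still be exposed unless SMT is disabled or reported mitigated.
            case $st in
                *"SMT vulnerable"*|*"SMT Host state unknown"*)
                    echo mitigated-smt-exposed ;;
                *)
                    echo mitigated ;;
            esac ;;
        "Vulnerable: Clear CPU buffers attempted, no microcode"*)
            # Kernel is patched, CPU microcode update is still missing.
            echo needs-microcode ;;
        "Vulnerable"*)
            echo vulnerable ;;
        *)
            echo unknown ;;
    esac
}

# mds_audit reads "host|status" lines on stdin (hypothetical inventory
# format) and prints "host verdict" for every host that needs action.
mds_audit() {
    while IFS='|' read -r host st; do
        [ -n "$host" ] || continue
        verdict=$(mds_classify "$st")
        case $verdict in
            not-affected|mitigated) ;;
            *) printf '%s %s\n' "$host" "$verdict" ;;
        esac
    done
}

# Constructed sample inventory, not data from the bug report.
sample_inventory() {
cat <<'EOF'
web01|Mitigation: Clear CPU buffers; SMT disabled
web02|Mitigation: Clear CPU buffers; SMT vulnerable
db01|Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable
vm07|Mitigation: Clear CPU buffers; SMT Host state unknown
arm01|Not affected
EOF
}

# Local host: the file is absent on kernels without the MDS fixes.
if [ -r "$MDS_SYSFS" ]; then
    line=$(cat "$MDS_SYSFS")
    printf 'local: %s -> %s\n' "$line" "$(mds_classify "$line")"
else
    echo "local: $MDS_SYSFS not present (kernel predates MDS reporting)"
fi
sample_inventory | mds_audit
```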

Comment 18 Wade Mealing 2019-05-02 00:25:52 UTC
Acknowledgements:

Red Hat thanks Intel and industry partners for reporting this issue and collaborating on the mitigations for the same.  

This vulnerability was found internally by Intel employees. Intel would like to thank Ke Sun, Henrique Kawakami, Kekai Hu and Rodrigo Branco. It was independently reported by Lei Shi - Qihoo - 360 CERT and by Marina Minkin (1), Daniel Moghimi (2), Moritz Lipp (3), Michael Schwarz (3), Jo Van Bulck (4), Daniel Genkin (1), Daniel Gruss (3), Berk Sunar (2), Frank Piessens (4), Yuval Yarom (5). Affiliations: (1) University of Michigan, (2) Worcester Polytechnic Institute, (3) Graz University of Technology, (4) imec-DistriNet, KU Leuven, (5) University of Adelaide.

Comment 19 Wade Mealing 2019-05-06 10:37:38 UTC
Statement:

Red Hat Product Security is aware of this issue. Updates will be released as they become available. For additional information, please refer to the Red Hat Knowledgebase article:  https://access.redhat.com/security/vulnerabilities/mds

Comment 23 Wade Mealing 2019-05-14 17:11:56 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1709976]


Created libvirt tracking bugs for this issue:

Affects: fedora-all [bug 1709977]

Comment 25 errata-xmlrpc 2019-05-14 18:13:28 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:1175 https://access.redhat.com/errata/RHSA-2019:1175

Comment 26 errata-xmlrpc 2019-05-14 18:13:47 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:1167 https://access.redhat.com/errata/RHSA-2019:1167

Comment 27 errata-xmlrpc 2019-05-14 18:14:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:1174 https://access.redhat.com/errata/RHSA-2019:1174

Comment 28 errata-xmlrpc 2019-05-14 18:30:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2019:1169 https://access.redhat.com/errata/RHSA-2019:1169

Comment 29 errata-xmlrpc 2019-05-14 18:31:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2019:1180 https://access.redhat.com/errata/RHSA-2019:1180

Comment 30 errata-xmlrpc 2019-05-14 18:31:43 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2019:1181 https://access.redhat.com/errata/RHSA-2019:1181

Comment 31 errata-xmlrpc 2019-05-14 19:07:04 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:1177 https://access.redhat.com/errata/RHSA-2019:1177

Comment 32 errata-xmlrpc 2019-05-14 19:07:18 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:1178 https://access.redhat.com/errata/RHSA-2019:1178

Comment 33 errata-xmlrpc 2019-05-14 19:07:29 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7

Via RHSA-2019:1179 https://access.redhat.com/errata/RHSA-2019:1179

Comment 34 errata-xmlrpc 2019-05-14 19:07:43 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:1168 https://access.redhat.com/errata/RHSA-2019:1168

Comment 35 errata-xmlrpc 2019-05-14 19:07:59 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:1176 https://access.redhat.com/errata/RHSA-2019:1176

Comment 36 errata-xmlrpc 2019-05-14 19:08:32 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Extended Update Support

Via RHSA-2019:1170 https://access.redhat.com/errata/RHSA-2019:1170

Comment 37 errata-xmlrpc 2019-05-14 19:08:48 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Extended Update Support

Via RHSA-2019:1184 https://access.redhat.com/errata/RHSA-2019:1184

Comment 38 errata-xmlrpc 2019-05-14 19:08:59 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Extended Update Support

Via RHSA-2019:1185 https://access.redhat.com/errata/RHSA-2019:1185

Comment 39 errata-xmlrpc 2019-05-14 19:10:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.5 Extended Update Support

Via RHSA-2019:1182 https://access.redhat.com/errata/RHSA-2019:1182

Comment 40 errata-xmlrpc 2019-05-14 19:10:47 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.5 Extended Update Support

Via RHSA-2019:1155 https://access.redhat.com/errata/RHSA-2019:1155

Comment 41 errata-xmlrpc 2019-05-14 19:11:02 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.5 Extended Update Support

Via RHSA-2019:1183 https://access.redhat.com/errata/RHSA-2019:1183

Comment 42 errata-xmlrpc 2019-05-14 19:52:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.6 Advanced Update Support

Via RHSA-2019:1193 https://access.redhat.com/errata/RHSA-2019:1193

Comment 43 errata-xmlrpc 2019-05-14 19:52:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.5 Advanced Update Support

Via RHSA-2019:1196 https://access.redhat.com/errata/RHSA-2019:1196

Comment 44 errata-xmlrpc 2019-05-14 19:52:45 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.6 Advanced Update Support

Via RHSA-2019:1195 https://access.redhat.com/errata/RHSA-2019:1195

Comment 45 errata-xmlrpc 2019-05-14 19:52:56 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.5 Advanced Update Support

Via RHSA-2019:1198 https://access.redhat.com/errata/RHSA-2019:1198

Comment 46 errata-xmlrpc 2019-05-14 20:18:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.2 Advanced Update Support
  Red Hat Enterprise Linux 7.2 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.2 Telco Extended Update Support

Via RHSA-2019:1172 https://access.redhat.com/errata/RHSA-2019:1172

Comment 47 errata-xmlrpc 2019-05-14 20:26:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise MRG 2

Via RHSA-2019:1190 https://access.redhat.com/errata/RHSA-2019:1190

Comment 48 errata-xmlrpc 2019-05-14 20:29:56 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.6 Advanced Update Support

Via RHSA-2019:1194 https://access.redhat.com/errata/RHSA-2019:1194

Comment 49 errata-xmlrpc 2019-05-14 20:44:13 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 9.0 (Mitaka)

Via RHSA-2019:1199 https://access.redhat.com/errata/RHSA-2019:1199

Comment 50 errata-xmlrpc 2019-05-14 20:44:38 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 10.0 (Newton)

Via RHSA-2019:1200 https://access.redhat.com/errata/RHSA-2019:1200

Comment 51 errata-xmlrpc 2019-05-14 20:45:06 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 14.0 (Rocky)

Via RHSA-2019:1202 https://access.redhat.com/errata/RHSA-2019:1202

Comment 52 errata-xmlrpc 2019-05-14 20:45:28 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 13.0 (Queens)

Via RHSA-2019:1201 https://access.redhat.com/errata/RHSA-2019:1201

Comment 53 errata-xmlrpc 2019-05-14 20:45:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.3 Advanced Update Support
  Red Hat Enterprise Linux 7.3 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.3 Telco Extended Update Support

Via RHSA-2019:1171 https://access.redhat.com/errata/RHSA-2019:1171

Comment 54 errata-xmlrpc 2019-05-14 20:46:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.5 Advanced Update Support

Via RHSA-2019:1197 https://access.redhat.com/errata/RHSA-2019:1197

Comment 55 errata-xmlrpc 2019-05-14 20:46:18 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.3 Telco Extended Update Support
  Red Hat Enterprise Linux 7.3 Advanced Update Support
  Red Hat Enterprise Linux 7.3 Update Services for SAP Solutions

Via RHSA-2019:1187 https://access.redhat.com/errata/RHSA-2019:1187

Comment 56 errata-xmlrpc 2019-05-14 20:46:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.2 Telco Extended Update Support
  Red Hat Enterprise Linux 7.2 Advanced Update Support
  Red Hat Enterprise Linux 7.2 Update Services for SAP Solutions

Via RHSA-2019:1186 https://access.redhat.com/errata/RHSA-2019:1186

Comment 57 errata-xmlrpc 2019-05-14 20:46:42 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.3 Advanced Update Support
  Red Hat Enterprise Linux 7.3 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.3 Telco Extended Update Support

Via RHSA-2019:1189 https://access.redhat.com/errata/RHSA-2019:1189

Comment 58 errata-xmlrpc 2019-05-14 20:46:59 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.2 Advanced Update Support
  Red Hat Enterprise Linux 7.2 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.2 Telco Extended Update Support

Via RHSA-2019:1188 https://access.redhat.com/errata/RHSA-2019:1188

Comment 59 errata-xmlrpc 2019-05-14 20:47:12 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.3 Advanced Update Support
  Red Hat Enterprise Linux 7.3 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.3 Telco Extended Update Support

Via RHSA-2019:1189 https://access.redhat.com/errata/RHSA-2019:1189

Comment 60 errata-xmlrpc 2019-05-14 21:09:54 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7

Via RHSA-2019:1203 https://access.redhat.com/errata/RHSA-2019:1203

Comment 61 errata-xmlrpc 2019-05-14 21:10:13 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4.2 for Red Hat Enterprise Linux 7.6 EUS

Via RHSA-2019:1204 https://access.redhat.com/errata/RHSA-2019:1204

Comment 62 errata-xmlrpc 2019-05-14 21:10:31 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization Engine 4.3

Via RHSA-2019:1205 https://access.redhat.com/errata/RHSA-2019:1205

Comment 63 errata-xmlrpc 2019-05-14 21:10:53 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization Engine 4.2

Via RHSA-2019:1206 https://access.redhat.com/errata/RHSA-2019:1206

Comment 64 errata-xmlrpc 2019-05-14 21:11:04 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7

Via RHSA-2019:1207 https://access.redhat.com/errata/RHSA-2019:1207

Comment 65 errata-xmlrpc 2019-05-14 21:11:15 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4.2 for Red Hat Enterprise Linux 7.6 EUS

Via RHSA-2019:1209 https://access.redhat.com/errata/RHSA-2019:1209

Comment 66 errata-xmlrpc 2019-05-14 21:11:36 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7

Via RHSA-2019:1208 https://access.redhat.com/errata/RHSA-2019:1208

Comment 71 errata-xmlrpc 2019-06-11 13:35:42 UTC
This issue has been addressed in the following products:

  Advanced Virtualization for RHEL 8.0.0.Z

Via RHSA-2019:1455 https://access.redhat.com/errata/RHSA-2019:1455

