Bug 1645121 (CVE-2018-18281) - CVE-2018-18281 kernel: TLB flush happens too late on mremap
Summary: CVE-2018-18281 kernel: TLB flush happens too late on mremap
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2018-18281
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1645122 1645123 1648486 1649634 1649635 1649636 1649637 1772250 1772251 1772252 1772253 1788046
Blocks: 1645124
TreeView+ depends on / blocked
 
Reported: 2018-11-01 12:54 UTC by Andrej Nemec
Modified: 2021-02-16 22:50 UTC (History)
49 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Since Linux kernel version 3.2, the mremap() syscall performs TLB flushes after dropping pagetable locks. If a syscall such as ftruncate() removes entries from the pagetables of a task that is in the middle of mremap(), a stale TLB entry can remain for a short time that permits access to a physical page after it has been released back to the page allocator and reused.
Clone Of:
Environment:
Last Closed: 2019-06-10 10:41:29 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:0831 0 None None None 2019-04-23 14:30:34 UTC
Red Hat Product Errata RHSA-2019:2029 0 None None None 2019-08-06 12:04:30 UTC
Red Hat Product Errata RHSA-2019:2043 0 None None None 2019-08-06 12:06:53 UTC
Red Hat Product Errata RHSA-2020:0036 0 None None None 2020-01-07 12:26:26 UTC
Red Hat Product Errata RHSA-2020:0100 0 None None None 2020-01-14 08:04:53 UTC
Red Hat Product Errata RHSA-2020:0103 0 None None None 2020-01-14 15:53:16 UTC
Red Hat Product Errata RHSA-2020:0179 0 None None None 2020-01-21 17:01:58 UTC

Description Andrej Nemec 2018-11-01 12:54:51 UTC 
Since Linux kernel version 3.2, the mremap() syscall performs TLB flushes after dropping pagetable locks. If a syscall such as ftruncate() removes entries from the pagetables of a task that is in the middle of mremap(), a stale TLB entry can remain for a short time that permits access to a physical page after it has been released back to the page allocator and reused. 

References:

https://seclists.org/oss-sec/2018/q4/108

https://bugs.chromium.org/p/project-zero/issues/detail?id=1695

An upstream patch:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=eb66ae030829605d61fbef1909ce310e29f78821
Comment 2 Laura Pardo 2018-11-09 21:15:52 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1648486]
Comment 6 Davor 2019-03-15 18:33:44 UTC 
Is there a plan to fix this on RHEL 7 or a way to mitigate / workaround?

Thanks in advance.
Comment 8 Yogendra Jog 2019-04-04 15:41:05 UTC 
nullIn reply to comment #6:
> Is there a plan to fix this on RHEL 7 or a way to mitigate / workaround?
> 
> Thanks in advance.

Hi,

For RHEL 7 fixes, I will recommend you to open a case with Red Hat support if you have an active subscription.  Regarding the mitigation/workaround one of our security analyst shall update this bug if there is there is any mitigation or workaround.

Regards
YOG.
Comment 9 Vladis Dronov 2019-04-04 19:00:42 UTC 
(In reply to Davor from comment #6)
> Is there a plan to fix this on RHEL 7 or a way to mitigate / workaround?

Hello,
Yes, this flaw is going to be fixed in RHEL7. Unfortunately, there is no mitigation as the flaw is in the kernel's core memory management subsystem code. On the other hand we rate this flaw as Moderate severity, as for the moment of this writing there is no known exploit or reproducer or proof-of-concept for RHEL-7.
Comment 10 errata-xmlrpc 2019-04-23 14:30:32 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:0831 https://access.redhat.com/errata/RHSA-2019:0831
Comment 11 errata-xmlrpc 2019-08-06 12:04:27 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2029 https://access.redhat.com/errata/RHSA-2019:2029
Comment 12 errata-xmlrpc 2019-08-06 12:06:51 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2043 https://access.redhat.com/errata/RHSA-2019:2043
Comment 18 errata-xmlrpc 2020-01-07 12:26:19 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.5 Extended Update Support

Via RHSA-2020:0036 https://access.redhat.com/errata/RHSA-2020:0036
Comment 19 errata-xmlrpc 2020-01-14 08:04:51 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise MRG 2

Via RHSA-2020:0100 https://access.redhat.com/errata/RHSA-2020:0100
Comment 20 errata-xmlrpc 2020-01-14 15:53:11 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Advanced Update Support
  Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.4 Telco Extended Update Support

Via RHSA-2020:0103 https://access.redhat.com/errata/RHSA-2020:0103
Comment 21 errata-xmlrpc 2020-01-21 17:01:56 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2020:0179 https://access.redhat.com/errata/RHSA-2020:0179
Note You need to log in before you can comment on or make changes to this bug.