Bug 1781514 (CVE-2019-19338) - CVE-2019-19338 Kernel: KVM: export MSR_IA32_TSX_CTRL to guest - incomplete fix for TAA (CVE-2019-11135)
Summary: CVE-2019-19338 Kernel: KVM: export MSR_IA32_TSX_CTRL to guest - incomplete fi...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-19338
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1779553 1779766 1779767 1779768 1779771 1781525 1781526 1781527 1781529 1781651 1781652 1781654 1781655 1781656 1781657 1781658 1781659 1781660 1781661 1781662
Blocks: 1752312
TreeView+ depends on / blocked
 
Reported: 2019-12-10 07:54 UTC by Prasad J Pandit
Modified: 2020-08-13 13:55 UTC (History)
45 users (show)

Fixed In Version: Kernel 5.5
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the fix for CVE-2019-11135, the way Intel CPUs handle speculative execution of instructions when a TSX Asynchronous Abort (TAA) error occurs. When a guest is running on a host CPU affected by the TAA flaw (TAA_NO=0), but is not affected by the MDS issue (MDS_NO=1), the guest was to clear the affected buffers by using a VERW instruction mechanism. But when the MDS_NO=1 bit was exported to the guests, the guests did not use the VERW mechanism to clear the affected buffers. This issue affects guests running on Cascade Lake CPUs and requires that host has 'TSX' enabled. Confidentiality of data is the highest threat associated with this vulnerability.
Clone Of:
Environment:
Last Closed: 2020-02-04 14:10:05 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2020:0455 None None None 2020-02-10 01:49:07 UTC
Red Hat Product Errata RHBA-2020:0554 None None None 2020-02-19 21:45:13 UTC
Red Hat Product Errata RHBA-2020:0890 None None None 2020-03-18 07:42:23 UTC
Red Hat Product Errata RHBA-2020:0894 None None None 2020-03-18 15:16:53 UTC
Red Hat Product Errata RHBA-2020:0900 None None None 2020-03-19 09:34:29 UTC
Red Hat Product Errata RHBA-2020:1430 None None None 2020-04-14 08:23:38 UTC
Red Hat Product Errata RHBA-2020:1431 None None None 2020-04-14 08:15:26 UTC
Red Hat Product Errata RHBA-2020:1432 None None None 2020-04-14 08:15:37 UTC
Red Hat Product Errata RHSA-2020:0328 None None None 2020-02-04 08:52:36 UTC
Red Hat Product Errata RHSA-2020:0339 None None None 2020-02-04 13:12:24 UTC
Red Hat Product Errata RHSA-2020:0834 None None None 2020-03-17 16:16:47 UTC
Red Hat Product Errata RHSA-2020:0839 None None None 2020-03-17 16:18:00 UTC
Red Hat Product Errata RHSA-2020:1465 None None None 2020-04-14 17:40:26 UTC

Description Prasad J Pandit 2019-12-10 07:54:32 UTC
Transaction Asynchronous Abort (TAA) h/w issue, which affects Intel CPUs, is mitigated in two ways.
One is by disabling Transactional Synchronisation Extensions (TSX) feature of the CPU. And second is by
clearing the affected Store/Fill/Load port architectural buffers, which may hold sensitive information
bits.

It was found that the current kernel fixes don't completely fix TAA issue for the guest VMs.
When a guest is running on a host CPU affected by TAA flaw (ie. TAA_NO=0) but not affected by MDS issue
(ie MDS_NO=1), to mitigate TAA issue, guest was to clear the affected buffers by using VERW instruction
mechanism. But when MDS_NO=1 bit was exported to the guests, guest did not quite use the VERW mechanism
to clear the affected buffers.

This issue affects guests running on Cascade Lake CPUs, which are affected by the TAA (ie. TAA_NO=0)
issue, but are not affected by the MDS (ie. MDS_NO=1) issue.

It requires that host has 'TSX' enabled.

Upstream patches:
-----------------
  -> https://git.kernel.org/linus/cbbaa2727aa3ae9e0a844803da7cef7fd3b94f2b
  -> https://git.kernel.org/linus/c11f83e0626bdc2b6c550fc8b9b6eeefbd8cefaa
  -> https://git.kernel.org/linus/b07a5c53d42a8c87b208614129e947dd2338ff9c

Reference:
----------
  -> https://www.openwall.com/lists/oss-security/2019/12/10/3

Comment 3 Prasad J Pandit 2019-12-10 08:21:12 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1781527]

Comment 14 Eric Christensen 2019-12-16 19:04:32 UTC
Mitigation:

Please refer to the Red Hat Knowledgebase Transactional Synchronization Extensions (TSX) Asynchronous Abort article (https://access.redhat.com/solutions/tsx-asynchronousabort) for mitigation instructions.

Comment 15 Eric Christensen 2020-01-09 01:34:23 UTC
Statement:

For additional information, please refer to the Red Hat Knowledgebase article: https://access.redhat.com/solutions/tsx-asynchronousabort

Comment 16 errata-xmlrpc 2020-02-04 08:52:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:0328 https://access.redhat.com/errata/RHSA-2020:0328

Comment 17 errata-xmlrpc 2020-02-04 13:12:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:0339 https://access.redhat.com/errata/RHSA-2020:0339

Comment 18 Product Security DevOps Team 2020-02-04 14:10:05 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-19338

Comment 20 errata-xmlrpc 2020-03-17 16:16:45 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:0834 https://access.redhat.com/errata/RHSA-2020:0834

Comment 21 errata-xmlrpc 2020-03-17 16:17:55 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:0839 https://access.redhat.com/errata/RHSA-2020:0839

Comment 23 errata-xmlrpc 2020-04-14 17:40:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2020:1465 https://access.redhat.com/errata/RHSA-2020:1465


Note You need to log in before you can comment on or make changes to this bug.