Bug 1782199 (CVE-2019-19339) - CVE-2019-19339 kpatch: hw: incomplete fix for CVE-2018-12207
Summary: CVE-2019-19339 kpatch: hw: incomplete fix for CVE-2018-12207
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-19339
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1779250
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-12-11 12:12 UTC by Petr Matousek
Modified: 2019-12-17 08:09 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
It was found that the Red Hat Enterprise Linux 8 kpatch update did not include the complete fix for CVE-2018-12207. A flaw was found in the way Intel CPUs handle inconsistency between, virtual to physical memory address translations in CPU's local cache and system software's Paging structure entries. A privileged guest user may use this flaw to induce a hardware Machine Check Error on the host processor, resulting in a severe DoS scenario by halting the processor. System software like OS OR Virtual Machine Monitor (VMM) use virtual memory system for storing program instructions and data in memory. Virtual Memory system uses Paging structures like Page Tables and Page Directories to manage system memory. The processor's Memory Management Unit (MMU) uses Paging structure entries to translate program's virtual memory addresses to physical memory addresses. The processor stores these address translations into its local cache buffer called - Translation Lookaside Buffer (TLB). TLB has two parts, one for instructions and other for data addresses. System software can modify its Paging structure entries to change address mappings OR certain attributes like page size etc. Upon such Paging structure alterations in memory, system software must invalidate the corresponding address translations in the processor's TLB cache. But before this TLB invalidation takes place, a privileged guest user may trigger an instruction fetch operation, which could use an already cached, but now invalid, virtual to physical address translation from Instruction TLB (ITLB). Thus accessing an invalid physical memory address and resulting in halting the processor due to the Machine Check Error (MCE) on Page Size Change.
Clone Of:
Environment:
Last Closed: 2019-12-17 08:09:26 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:4245 None None None 2019-12-17 07:27:38 UTC

Description Petr Matousek 2019-12-11 12:12:22 UTC
It was found that the Red Hat Enterprise Linux 8 kpatch update did not include the complete fix for CVE-2018-12207, namely did not include commits:]

    [kvm] kvm: mmu: Do not release the page inside mmu_set_spte()
    [kvm] KVM: x86: remove now unneeded hugepage gfn adjustment

from the original IFU patchset.

Comment 1 Petr Matousek 2019-12-11 12:12:26 UTC
Statement:

Red Hat Product Security is aware of this issue. Updates will be released as they become available. For additional information, please refer to the Red Hat Knowledgebase article: https://access.redhat.com/security/vulnerabilities/ifu-page-mce

Comment 2 Petr Matousek 2019-12-11 12:12:29 UTC
Mitigation:

For mitigation related information, please refer to the Red Hat vulnerability article: https://access.redhat.com/security/vulnerabilities/ifu-page-mce .

Comment 4 errata-xmlrpc 2019-12-17 07:27:36 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:4245 https://access.redhat.com/errata/RHSA-2019:4245

Comment 5 Product Security DevOps Team 2019-12-17 08:09:26 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-19339


Note You need to log in before you can comment on or make changes to this bug.