Security vulnerability : Machine Check Error Avoidance on Page Size Change denial of service attack / CVE-2018-12207

This document (7023735) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Server 15
SUSE Linux Enterprise Server 12
SUSE Linux Enterprise Server 11

Situation

Intel has identified that under specific conditions, interaction of the Instruction Fetch Unit with memory pagetables changes could lead to a crash of the current CPU core with a "Machine Check Error" exception, which might lead to a crash of the whole machine.

While so far this has only been observed happening unintentionally, local attackers would be able to effect this crash if they are in control of pagetable mappings, e.g. when running malicious kernels in an untrusted VM.

Resolution

A software mitigation has been implemented for existing CPUs, where the hypervisor will observe such page table changes and "shatter" huge pages into smaller pages to avoid this issue.

SUSE will provide Linux kernels updates and hypervisors (XEN) to address this problem.

Cause

CVE-2018-12207

Additional Information

The following sysfs entry will show the affectedness:

/sys/devices/system/cpu/vulnerabilities/itlb_multihit

This can contain the following states :

Processor vulnerable

The hardware is affected, no mitigation is implemented.

Not affected

The hardware is not affected.

KVM: Mitigation: split huge pages

The hardware is vulnerable and the splitting of huge pages is enabled.

KVM: Vulnerable

The hardware is vulnerable and the splitting of huge pages is not enabled.

Settings :

On the host, the following kernel command line and sysfs options can be used to adjust the mitigation:

kvm.nx_huge_pages=<option>

This controls the workaround for the bug. Valid options are:

force : Always deploy workaround.

off : Never deploy workaround.

auto : Deploy workaround based on presence of the CPU affectedness flag.

("auto" is the SUSE default.)

If the workaround is enabled for the host, guests do not need to enable it for nested guests.

This can also be changed in /sys/module/kvm/parameters/nx_huge_pages during run-time, using the same values.

kvm.nx_huge_pages_recovery_ratio=<value>

Controls how many 4KiB pages are periodically zapped back to huge pages.

A value of 0 disables the recovery, otherwise if the value is N, KVM will zap 1/Nth of the 4KiB pages every minute.

The SUSE default is 60.

This value can also be changed in /sys/module/kvm/parameters/nx_huge_pages_recovery_ratio during run-time using the same values.

Software:

The following packages will be released as updates to mitigate those problems:

- Linux Kernel

This is when the KVM hypervisor from the Linux Kernel is used on the host.

Guest kernels do not need to updated to apply this mitigation.

- XEN Hypervisor

The XEN hypervisor will need to be updated if it is used as virtualization host.

For detailed information on the issue, please visit :

https://software.intel.com/security-software-guidance/insights/deep-dive-machine-check-error-avoidance-page-size-change

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.