SUSE Support

Here When You Need Us

Security vulnerability : Machine Check Error Avoidance on Page Size Change denial of service attack / CVE-2018-12207

This document (7023735) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Server 15
SUSE Linux Enterprise Server 12
SUSE Linux Enterprise Server 11

Situation

Intel has identified that under specific conditions, interaction of the Instruction Fetch Unit with memory pagetables changes could lead to a crash of the current CPU core with a "Machine Check Error" exception, which might lead to a crash of the whole machine.

While so far this has only been observed happening unintentionally, local attackers would be able to effect this crash if they are in control of pagetable mappings, e.g. when running malicious kernels in an untrusted VM.

Resolution

A software mitigation has been implemented for existing CPUs, where the hypervisor will observe such page table changes and "shatter" huge pages into smaller pages to avoid this issue.

SUSE will provide Linux kernels updates and hypervisors (XEN) to address this problem.

Cause

Additional Information

The following sysfs entry will show the affectedness:

/sys/devices/system/cpu/vulnerabilities/itlb_multihit

This can contain the following states :

Processor vulnerable
The hardware is affected, no mitigation is implemented.

Not affected
The hardware is not affected.

KVM: Mitigation: split huge pages
The hardware is vulnerable and the splitting of huge pages is enabled.

KVM: Vulnerable
The hardware is vulnerable and the splitting of huge pages is not enabled.

Settings :

On the host, the following kernel command line and sysfs options can be used to adjust the mitigation:

kvm.nx_huge_pages=<option>

This controls the workaround for the bug. Valid options are:
force   : Always deploy workaround.
off       : Never deploy workaround.
auto     : Deploy workaround based on presence of the CPU affectedness flag.
 ("auto" is the SUSE default.)

If the workaround is enabled for the host, guests do not need to enable it for nested guests.

This can also be changed in /sys/module/kvm/parameters/nx_huge_pages during run-time, using the same values.

kvm.nx_huge_pages_recovery_ratio=<value>

Controls how many 4KiB pages are periodically zapped back to huge pages.
A value of 0 disables the recovery, otherwise if the value is N,  KVM will zap 1/Nth of the 4KiB pages every minute.

The SUSE default is 60.
This value can also be changed in /sys/module/kvm/parameters/nx_huge_pages_recovery_ratio during run-time using the same values.


Software:
The following packages will be released as updates to mitigate those problems:

- Linux Kernel 
  This is when the KVM hypervisor from the Linux Kernel is used on the host.
  Guest kernels do not need to updated to apply this mitigation.

- XEN Hypervisor
  The XEN hypervisor will need to be updated if it is used as virtualization host.


For detailed information on the issue, please visit :

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:7023735
  • Creation Date: 21-Feb-2019
  • Modified Date:03-Mar-2020
    • SUSE Linux Enterprise Server

< Back to Support Search

For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com

tick icon

SUSE Support Forums

Get your questions answered by experienced Sys Ops or interact with other SUSE community experts.

tick icon

Support Resources

Learn how to get the most from the technical support you receive with your SUSE Subscription, Premium Support, Academic Program, or Partner Program.

tick icon

Open an Incident

Open an incident with SUSE Technical Support, manage your subscriptions, download patches, or manage user access.