On 12.11.19 22:21, Paolo Bonzini wrote:
CVE-2018-12207 is a microarchitectural implementation issue that could allow an unprivileged local attacker to cause system wide denial-of-service condition. Privileged software may change the page size (ex. 4KB, 2MB, 1GB) in the paging structures, without following such paging structure changes with invalidation of the TLB entries corresponding to the changed pages. In this case, the attacker could invoke instruction fetch, which will result in the processor hitting multiple TLB entries, reporting a machine check error exception, and ultimately hanging the system. The attached patches mitigate the vulnerability by making huge pages non-executable. The processor will not be able to execute an instruction residing in a large page (ie. 2MB, 1GB, etc.) without causing a trap into the host kernel/hypervisor; KVM will then break the large page into 4KB pages and gives executable permission to 4KB pages.
When reading MCE, error code 0150h, ie. SRAR, I was wondering if that couldn't simply be handled by the host. But I suppose the symptom of that erratum is not "just" regular recoverable MCE, rather sometimes/always an unrecoverable CPU state, despite the error code, right?
Jan -- Siemens AG, Corporate Technology, CT RDA IOT SES-DE Corporate Competence Center Embedded Linux
