Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 663656 (CVE-2018-3615, CVE-2018-3620, CVE-2018-3646, L1TF) - L1 Terminal Fault (L1TF)
Summary: L1 Terminal Fault (L1TF)
Status: RESOLVED FIXED
Alias: CVE-2018-3615, CVE-2018-3620, CVE-2018-3646, L1TF
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://www.intel.com/content/www/us/...
Whiteboard:
Keywords:
Depends on: 663744
Blocks:
  Show dependency tree
 
Reported: 2018-08-15 02:13 UTC by Kerin Millar
Modified: 2019-08-17 15:46 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
x86-l1tf-fix-build-error-seen-if-config_kvm_intel-is-disabled.patch (x86-l1tf-fix-build-error-seen-if-config_kvm_intel-is-disabled.patch,1.40 KB, patch)
2018-08-15 19:03 UTC, Kerin Millar
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Kerin Millar 2018-08-15 02:13:27 UTC
From Intel's advisory:

CVE-2018-3615 - L1 Terminal Fault: SGX

Systems with microprocessors utilizing speculative execution and Intel® software guard extensions (Intel® SGX) may allow unauthorized disclosure of information residing in the L1 data cache from an enclave to an attacker with local user access via a side-channel analysis.
     
CVE-2018-3620 - L1 Terminal Fault: OS/SMM

Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access via a terminal page fault and a side-channel analysis.

CVE-2018-3646 - L1 Terminal Fault: VMM

Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access with guest OS privilege via a terminal page fault and a side-channel analysis.

The Linux admin-guide has been updated, and now contains a section describing the ensuing mitigations:

https://www.kernel.org/doc/html/latest/admin-guide/l1tf.html

In particular, it states that the default mitigations will be as follows:

  * PTE inversion to protect against malicious user space
  * L1D conditional flushing on VMENTER when EPT is enabled for a guest

The stable patch queues for 4.4, 4.9, 4.14 and 4.17 contain a relevant patch series, indicating the the above-mentioned mitigations will land in 4.4.148, 4.9.120, 4.14.63 and 4.17.15.

I have briefly tested the patch series from the 4.14 queue and confirmed that PTE inversion - at least - is in effect:

# cd /sys/devices/system/cpu/vulnerabilities
# grep . *
l1tf:Mitigation: PTE Inversion
meltdown:Mitigation: PTI
spec_store_bypass:Mitigation: Speculative Store Bypass disabled via prctl and seccomp
spectre_v1:Mitigation: __user pointer sanitization
spectre_v2:Mitigation: Full generic retpoline, IBPB, IBRS_FW
Comment 1 Kerin Millar 2018-08-15 02:24:00 UTC
More information ...

* https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00161.html
* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3615
* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3620
* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3646
* https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=958f338
* http://seclists.org/oss-sec/2018/q3/113 (Xen)
* https://blogs.oracle.com/oraclesecurity/intel-l1tf (Oracle)
* https://blogs.technet.microsoft.com/srd/2018/08/14/analysis-and-mitigation-of-l1-terminal-fault-l1tf/ (Microsoft)
* https://youtu.be/n_pa2AisRUs (Intel)
* https://youtu.be/kqg8_KH2OIQ (Red Hat)

The Oracle article states: "Intel reports that the microcode update it has released for the Spectre 3a (CVE-2018-3640) and Spectre 4 (CVE-2018-3639) vulnerabilities also contains the microcode instructions which can be used to mitigate the L1TF vulnerabilities. Updated microcode by itself is not sufficient to protect against L1TF."
Comment 2 Kerin Millar 2018-08-15 02:51:10 UTC
Re-assigning to security@ because this isn't a kernel vulnerability per se.
Comment 3 Kerin Millar 2018-08-15 19:02:57 UTC
4.4.148, 4.9.120, 4.14.63 and 4.17.15 have been released. It was subsequently discovered that a build error occurs if CONFIG_KVM_INTEL is disabled. Therefore, genpatches would need to include the attached patch, which will land in the next round of stable releases.
Comment 4 Kerin Millar 2018-08-15 19:03:38 UTC
Created attachment 543604 [details, diff]
x86-l1tf-fix-build-error-seen-if-config_kvm_intel-is-disabled.patch
Comment 5 Larry the Git Cow gentoo-dev 2018-08-20 23:40:32 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e74c1453a18c20a8b8018b20a28cb4924440a08c

commit e74c1453a18c20a8b8018b20a28cb4924440a08c
Author:     kuzetsa <kuzetsa@gmail.com>
AuthorDate: 2018-08-16 23:51:13 +0000
Commit:     Göktürk Yüksek <gokturk@gentoo.org>
CommitDate: 2018-08-20 23:37:11 +0000

    sys-kernel/ck-sources: genpatches-4.14-69
    
    Bug: https://bugs.gentoo.org/663656
    Bug: https://bugs.gentoo.org/663744
    Package-Manager: Portage-2.3.40, Repoman-2.3.9

 sys-kernel/ck-sources/Manifest                  |  4 ++
 sys-kernel/ck-sources/ck-sources-4.14.63.ebuild | 64 +++++++++++++++++++++++++
 2 files changed, 68 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0f4ed7e4177dd3833429379205e3ffed37c8d2c6

commit 0f4ed7e4177dd3833429379205e3ffed37c8d2c6
Author:     kuzetsa <kuzetsa@gmail.com>
AuthorDate: 2018-08-16 23:49:00 +0000
Commit:     Göktürk Yüksek <gokturk@gentoo.org>
CommitDate: 2018-08-20 23:37:07 +0000

    sys-kernel/ck-sources: genpatches-4.9-124
    
    Bug: https://bugs.gentoo.org/663656
    Bug: https://bugs.gentoo.org/663744
    Package-Manager: Portage-2.3.40, Repoman-2.3.9

 sys-kernel/ck-sources/Manifest                  |  3 ++
 sys-kernel/ck-sources/ck-sources-4.9.120.ebuild | 59 +++++++++++++++++++++++++
 2 files changed, 62 insertions(+)