Machine Check Error Avoidance on Page Size Change / CVE-2018-12207 / INTEL-SA-00210

ID 775097
Updated 11/12/2019
Version Latest
Public

author-image

By

Disclosure date:
2019-11-12

Published date:
2019-11-12

Severity rating: 
6.5 Medium

Industry-wide severity ratings can be found in the National Vulnerability Database


Related Content

Machine Check Error Avoidance on Page Size Change

INTEL-SA-00210

List of processors potentially affected by Machine Check Error Avoidance on Page Size Change (2018-2021 tab, Machine Check Error Avoidance column)    

Overview

Recently, Intel discovered that a previously published erratum on some Intel platforms can be exploited by malicious software to potentially cause a denial of service by triggering a machine check that will crash or hang the system. The error code logged for this machine check is 0150H. Refer to Machine Check Error Avoidance on Page Size Change for additional information.

There are a series of errata that have been filed for the instruction fetch unit in multiple generations of Intel processors. The full list is available in the List of Affected Processors section. An example for 6th generation Intel® Core™ processors is shown below.

Table 1. SKL002
SKL002 Instruction Fetch May Cause Machine Check if Page Size Was Changed Without Invalidation
Problem This erratum may cause a machine-check error
(IA32_MCi_STATUS.MCACOD=0150H) on the fetch of an instruction that crosses a 4 KB address boundary. It applies only if all of the following are true:
  1. The 4 KB linear region on which the instruction begins is originally translated using a 4 KB page with the WB memory type
  2. The paging structures are later modified so that the linear region is translated using a large page (2 MB, 4 MB or 1 GB) with the UC memory type.
  3. The instruction fetch occurs after the paging structure modification but before software invalidates any TLB entries for the linear region.
Implication Due to this erratum an unexpected machine check with error code 0150H may occur, possibly resulting in a shutdown. Intel has not observed this erratum with any commercially available software.
Workaround Software should not write to a paging-structure entry in a way that would change, for any linear address, both the page size and the memory type. It can instead use the following algorithm: first clear the P flag in the relevant paging-structure entry (for example, PDE); then invalidate any translations for the affected linear addresses, and then modify the relevant paging-structure entry to set the P flag and establish the new page size and memory type.

Software sequences that may lead to machine check error code 0150H can be summarized as follows:

  1. Code is fetched from a linear address translated using a 4 KB translation cached in the ITLB.
  2. Software modifies the paging structures so that the same linear address is translated using a large page (2 MB, 4 MB, or 1 GB) with a different physical address or memory type.
  3. After the paging structure modification, but before software invalidates any ITLB entries for the linear address, code fetch happens again on the same linear address.
  4. This may cause a machine-check error (IA32_MCi_STATUS.MCACOD=150H), which can result in a system hang or shutdown.

Mitigation

OS Developers

Applications cannot cause an OS to make changes to page tables that would trigger the conditions described in the erratum. Intel has worked with industry partners to ensure that OSes follow the guidelines documented in the Intel® 64 and IA-32 Architectures Software Developer Manuals. There is no known security vulnerability created by this erratum in bare metal OS environments.

VMM Developers

Intel has added a new bit in the IA32_ARCH_CAPABILITIES MSR to current and future generation CPUs to help VMMs and hypervisor software determine if the processor is vulnerable to the page size change MCE issue. Your system may need to apply the latest MCUs to correctly detect the vulnerability.

The page size change MCE issue can be mitigated by applying software algorithms to the VMM/hypervisor. Refer to Machine Check Error Avoidance on Page Size Change for additional information and a list of affected processors.

References

Engineering New Protections Into Hardware

 

Software Security Guidance Home | Advisory Guidance | Technical Documentation | Best Practices | Resources