Industry-wide severity ratings can be found in the National Vulnerability Database
Machine Check Error Avoidance on Page Size Change
List of processors potentially affected by Machine Check Error Avoidance on Page Size Change (2018-2021 tab, Machine Check Error Avoidance column)
Recently, Intel discovered that a previously published erratum on some Intel platforms can be exploited by malicious software to potentially cause a denial of service by triggering a machine check that will crash or hang the system. The error code logged for this machine check is 0150H. Refer to Machine Check Error Avoidance on Page Size Change for additional information.
There are a series of errata that have been filed for the instruction fetch unit in multiple generations of Intel processors. The full list is available in the List of Affected Processors section. An example for 6th generation Intel® Core™ processors is shown below.
|SKL002||Instruction Fetch May Cause Machine Check if Page Size Was Changed Without Invalidation|
|Problem||This erratum may cause a machine-check error
(IA32_MCi_STATUS.MCACOD=0150H) on the fetch of an instruction that crosses a 4 KB address boundary. It applies only if all of the following are true:
|Implication||Due to this erratum an unexpected machine check with error code 0150H may occur, possibly resulting in a shutdown. Intel has not observed this erratum with any commercially available software.|
|Workaround||Software should not write to a paging-structure entry in a way that would change, for any linear address, both the page size and the memory type. It can instead use the following algorithm: first clear the P flag in the relevant paging-structure entry (for example, PDE); then invalidate any translations for the affected linear addresses, and then modify the relevant paging-structure entry to set the P flag and establish the new page size and memory type.|
Software sequences that may lead to machine check error code 0150H can be summarized as follows:
- Code is fetched from a linear address translated using a 4 KB translation cached in the ITLB.
- Software modifies the paging structures so that the same linear address is translated using a large page (2 MB, 4 MB, or 1 GB) with a different physical address or memory type.
- After the paging structure modification, but before software invalidates any ITLB entries for the linear address, code fetch happens again on the same linear address.
- This may cause a machine-check error (IA32_MCi_STATUS.MCACOD=150H), which can result in a system hang or shutdown.
Applications cannot cause an OS to make changes to page tables that would trigger the conditions described in the erratum. Intel has worked with industry partners to ensure that OSes follow the guidelines documented in the Intel® 64 and IA-32 Architectures Software Developer Manuals. There is no known security vulnerability created by this erratum in bare metal OS environments.
Intel has added a new bit in the IA32_ARCH_CAPABILITIES MSR to current and future generation CPUs to help VMMs and hypervisor software determine if the processor is vulnerable to the page size change MCE issue. Your system may need to apply the latest MCUs to correctly detect the vulnerability.
The page size change MCE issue can be mitigated by applying software algorithms to the VMM/hypervisor. Refer to Machine Check Error Avoidance on Page Size Change for additional information and a list of affected processors.
Engineering New Protections Into Hardware
Software Security Guidance Home | Advisory Guidance | Technical Documentation | Best Practices | Resources