Security Software

Machine Check Error Avoidance on Page Size Change / CVE-2018-12207 / INTEL-SA-00210

2019-11-12
2019-11-12
6.5

Medium

Industry-wide severity ratings can be found in the National Vulnerability Database

Critical
Medium
High
Low

Overview

Recently, Intel discovered that a previously published erratum on some Intel platforms can be exploited by malicious software to potentially cause a denial of service by triggering a machine check that will crash or hang the system. The error code logged for this machine check is 0150H. Refer to the Deep Dive: Machine Check Error Avoidance on Page Size Change for additional information.

There are a series of errata that have been filed for the instruction fetch unit in multiple generations of Intel processors. The full list is available in the List of Affected Processors section. An example for 6th generation Intel® Core™ processors is shown below.

Table 1: SKL002
SKL002 Instruction Fetch May Cause Machine Check if Page Size Was Changed Without Invalidation
Problem This erratum may cause a machine-check error
(IA32_MCi_STATUS.MCACOD=0150H) on the fetch of an instruction that crosses a 4 KB address boundary. It applies only if all of the following are true:
  1. The 4 KB linear region on which the instruction begins is originally translated using a 4 KB page with the WB memory type
  2. The paging structures are later modified so that the linear region is translated using a large page (2 MB, 4 MB or 1 GB) with the UC memory type.
  3. The instruction fetch occurs after the paging structure modification but before software invalidates any TLB entries for the linear region.
Implication Due to this erratum an unexpected machine check with error code 0150H may occur, possibly resulting in a shutdown. Intel has not observed this erratum with any commercially available software.
Workaround Software should not write to a paging-structure entry in a way that would change, for any linear address, both the page size and the memory type. It can instead use the following algorithm: first clear the P flag in the relevant paging-structure entry (for example, PDE); then invalidate any translations for the affected linear addresses, and then modify the relevant paging-structure entry to set the P flag and establish the new page size and memory type.

Software sequences that may lead to machine check error code 0150H can be summarized as follows:

  1. Code is fetched from a linear address translated using a 4 KB translation cached in the ITLB.
  2. Software modifies the paging structures so that the same linear address is translated using a large page (2 MB, 4 MB, or 1 GB) with a different physical address or memory type.
  3. After the paging structure modification, but before software invalidates any ITLB entries for the linear address, code fetch happens again on the same linear address.
  4. This may cause a machine-check error (IA32_MCi_STATUS.MCACOD=150H), which can result in a system hang or shutdown.

Mitigation

OS Developers

Applications cannot cause an OS to make changes to page tables that would trigger the conditions described in the erratum. Intel has worked with industry partners to ensure that OSes follow the guidelines documented in the Intel Software Developer manual. There is no known security vulnerability created by this erratum in bare metal OS environments.

VMM Developers

Intel has added a new bit in the IA32_ARCH_CAPABILITIES MSR to current and future generation CPUs to help VMMs and hypervisor software determine if the processor is vulnerable to the page size change MCE issue. Your system may need to apply the latest MCUs to correctly detect the vulnerability.

The page size change MCE issue can be mitigated by applying software algorithms to the VMM/hypervisor. Refer to Deep Dive: Machine Check Error Avoidance on Page Size Change for additional information and a list of affected processors.

References



Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software, or service activation. Performance varies depending on system configuration. Check with your system manufacturer or retailer or learn more at www.intel.com.

All information provided here is subject to change without notice. Contact your Intel representative to obtain the latest Intel product specifications and roadmaps.

Software and workloads used in performance tests may have been optimized for performance only on Intel microprocessors.

Performance tests, such as SYSmark and MobileMark, are measured using specific computer systems, components, software, operations and functions. Any change to any of those factors may cause the results to vary. You should consult other information and performance tests to assist you in fully evaluating your contemplated purchases, including the performance of that product when combined with other products. For more complete information visit www.intel.com/benchmarks.

Performance results are based on testing as of dates shown in configurations and may not reflect all publicly available​ updates.

The products and services described may contain defects or errors known as errata which may cause deviations from published specifications. Current characterized errata are available on request.

Intel provides these materials as-is, with no express or implied warranties.

No product or component can be absolutely secure.

Intel and the Intel logo are trademarks of Intel Corporation in the U.S. and/or other countries.

*Other names and brands may be claimed as the property of others.

Copyright Intel Corporation 2020.