CVE-2018-1087

Published: 08 May 2018

KVM in the Linux kernel before versions 4.16, 4.16-rc7, 4.17-rc1, 4.17-rc2 and 4.17-rc3 is vulnerable to a flaw in the way the KVM hypervisor handled exceptions delivered after a stack switch operation via MOV SS or POP SS instructions. During the stack switch operation, the processor does not deliver interrupts and exceptions; they are delivered once the first instruction after the stack switch has executed. An unprivileged KVM guest user could use this flaw to crash the guest or, potentially, escalate their privileges in the guest.

From the Ubuntu security team

Andy Lutomirski discovered that the KVM subsystem of the Linux kernel did not properly emulate the ICEBP instruction following a MOV/POP to SS instruction. A local attacker in a KVM virtual machine could use this to cause a denial of service (guest VM crash) or possibly escalate privileges inside of the virtual machine. This issue only affected the i386 and amd64 architectures.

Priority

High

CVSS 3 base score: 7.8

Status

| Package | Upstream | Ubuntu 18.04 LTS (Bionic Beaver) |
|---|---|---|
| linux | Released (4.16~rc7) | Not vulnerable (landed pre-release in 4.15.0-15.16) |
| linux-aws | Released (4.16~rc7) | Not vulnerable (4.15.0-1003.3) |
| linux-azure | Released (4.16~rc7) | Not vulnerable (4.15.0-1004.4) |
| linux-euclid | Released (4.16~rc7) | Does not exist |
| linux-flo | Released (4.16~rc7) | Does not exist |
| linux-gcp | Released (4.16~rc7) | Not vulnerable (4.15.0-1003.3) |
| linux-gke | Released (4.16~rc7) | Does not exist |
| linux-goldfish | Released (4.16~rc7) | Does not exist |
| linux-grouper | Released (4.16~rc7) | Does not exist |
| linux-hwe | Released (4.16~rc7) | Not vulnerable |
| linux-hwe-edge | Released (4.16~rc7) | Released (4.18.0-8.9~18.04.1) |
| linux-kvm | Released (4.16~rc7) | Not vulnerable (4.15.0-1004.4) |
| linux-lts-trusty | Released (4.16~rc7) | Does not exist |
| linux-lts-utopic | Released (4.16~rc7) | Does not exist |
| linux-lts-vivid | Released (4.16~rc7) | Does not exist |
| linux-lts-wily | Released (4.16~rc7) | Does not exist |
| linux-lts-xenial | Released (4.16~rc7) | Does not exist |
| linux-maguro | Released (4.16~rc7) | Does not exist |
| linux-mako | Released (4.16~rc7) | Does not exist |
| linux-manta | Released (4.16~rc7) | Does not exist |
| linux-oem | Released (4.16~rc7) | Not vulnerable (4.15.0-1002.3) |
| linux-raspi2 | Released (4.16~rc7) | Not vulnerable (x86 only) |
| linux-snapdragon | Released (4.16~rc7) | Not vulnerable |

Patches (linux):
Introduced by 42dbaa5a057736bf8b5c22aa42dbe975bf1080e5
Fixed by 32d43cd391bacb5f0814c2624399a5dad3501d09