CLD-178 Details

Other IDs this deficiency may be known by:

CVE ID CVE-2017-1000407 (nvd) (mitre) (debian) (archlinux) (red hat) (suse) (ubuntu)
Other ID(s)

Basic Information:

Affected Package(s) linux
Deficiency Type SECURITY
Date Created 2017-12-14 13:13:56
Date Last Modified 2017-12-14 15:30:12

Version Specific Information:

Cucumber 1.0 i686 fixed in linux-4.9.69-i686-1
Cucumber 1.0 x86_64 fixed in linux-4.9.69-x86_64-1

Cucumber 1.1 i686 fixed in linux-4.9.69-i686-1
Cucumber 1.1 x86_64 fixed in linux-4.9.69-x86_64-1

Details:

=================================== Overview ===================================

From https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000407:

The Linux Kernel 2.6.32 and later are affected by a denial of service, by
flooding the diagnostic port 0x80 an exception can be triggered leading to a
kernel panic.

================================ Initial Report ================================

From Kernel.org (https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.69):

KVM allows guests to directly access I/O port 0x80 on Intel hosts.  If the
guest floods this port with writes it generates exceptions and instability in
the host kernel, leading to a crash.  With this change guest writes to port
0x80 on Intel will behave the same as they currently behave on AMD systems.

Prevent the flooding by removing the code that sets port 0x80 as a passthrough
port.  This is essentially the same as upstream patch
99f85a28a78e96d28907fe036e1671a218fee597, except that patch was for AMD
chipsets and this patch is for Intel.

================================= Our Analysis =================================

----- Affected Products -----
Versions of the 4.9 Linux kernel series prior to 4.9.69 are vulnerable.

----- Scope and Impact of this Vulnerability -----
This vulnerability allows a guest VM to cause a denial of service (kernel
panic) on the host.

----- Fix for this Vulnerability -----
This vulnerability can be fixed by upgrading to Linux 4.9.69 or by applying
commit d59d51f088014f25c2562de59b9abff4f42a7468.
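
A host-side check for the fix level described above, as an added example that is not part of the original entry. The function names and the sysfs-root parameter are assumptions of this example; the 4.9.69 threshold is the one stated on this page.

```shell
#!/bin/sh
# Added example, not part of the CLD-178 entry. The 4.9.69 threshold is the
# one stated on this page; the page gives no fixed version for other series.

# Print vulnerable | fixed | not-covered | unknown for a kernel release string.
cld178_status() {
    rel=${1%%-*}                                  # 4.9.68-x86_64-1 -> 4.9.68
    major=${rel%%.*}
    rest=${rel#*.}
    if [ "$rest" = "$rel" ]; then rest=0; fi      # no minor component
    minor=${rest%%.*}
    patch=${rest#*.}
    if [ "$patch" = "$rest" ]; then patch=0; fi   # e.g. "4.9"
    patch=${patch%%.*}                            # ignore a fourth component
    for n in "$major" "$minor" "$patch"; do
        case "$n" in ''|*[!0-9]*) echo unknown; return 0 ;; esac
    done
    if [ "$major" -ne 4 ] || [ "$minor" -ne 9 ]; then
        echo not-covered
    elif [ "$patch" -lt 69 ]; then
        echo vulnerable
    else
        echo fixed
    fi
}

# True when /sys/module/kvm_intel exists, i.e. the Intel KVM module is loaded.
# The sysfs root is a parameter (assumption of this example) for offline tests.
kvm_intel_present() {
    [ -d "${1:-/sys/module}/kvm_intel" ]
}

# One-line summary: release, status, and whether the Intel KVM module is there.
cld178_report() {
    if kvm_intel_present "$2"; then kvm=loaded; else kvm=absent; fi
    echo "$1: $(cld178_status "$1") (kvm_intel=$kvm)"
}

cld178_report "$(uname -r)"
```

A result of not-covered means only that this page states no fixed version for that kernel series, not that the series is unaffected.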

================================= Our Solution =================================
We have upgraded to Linux 4.9.69.