search menu icon-carat-right cmu-wordmark
Carnegie Mellon University

Software Engineering Institute

CERT Coordination Center

Hardware debug exception documentation may result in unexpected behavior

Vulnerability Note VU#631579

Original Release Date: 2018-05-08 | Last Revised: 2019-07-11

Overview

In some circumstances, some operating systems or hypervisors may not expect or properly handle an Intel architecture hardware debug exception. The error appears to be due to developer interpretation of existing documentation for certain Intel architecture interrupt/exception instructions, namely MOV SS and POP SS.

Description

CWE-703: Improper Check or Handling of Exceptional Conditions - CVE-2018-8897

The MOV SS and POP SS instructions inhibit interrupts (including NMIs), data breakpoints, and single step trap exceptions until the instruction boundary following the next instruction (SDM Vol. 3A; section 6.8.3). (The inhibited data breakpoints are those on memory accessed by the MOV SS or POP SS instruction itself). Note that debug exceptions are not inhibited by the interrupt enable (EFLAGS.IF) system flag (SDM Vol 3A; section 2.3).

If the instruction following the MOV SS or POP SS instruction is an instruction like SYSCALL, SYSENTER, INT 3, etc. that transfers control to the operating system at Current Privilege Level (CPL) < 3, a debug exception is delivered after the transfer to CPL < 3 is complete. Such deferred #DB exceptions by MOV SS and POP SS may result in unexpected behavior.

Therefore, in certain circumstances after the use of certain Intel x86-64 architecture instructions, a debug exception pointing to data in a lower ring (for most operating systems, the kernel Ring 0 level) is made available to operating system components running in Ring 3. This may allow an attacker to utilize operating system APIs to gain access to sensitive memory information or control low-level operating system functions.

Several operating systems appear to incorrectly handle this exception due to interpretation of potentially unclear existing documentation and guidance on the use of these instructions.

More details can be found in the researcher's paper.

Impact

An authenticated attacker may be able to read sensitive data in memory or control low-level operating system functions,

Solution

Apply an update

Check with your operating system or software vendor for updates to address this issue. There is no expected performance impact for applying an update. A list of affected vendors and currently-known updates is provided below.

Vendor Information

631579
 
Expand all

View all 124 vendors View less vendors


CVSS Metrics

Group Score Vector
Base 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P
Temporal 5.3 E:POC/RL:OF/RC:C
Environmental 5.3 CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND

References

Acknowledgements

Microsoft and Intel credit Nick Peterson of Everdox Tech, LLC, for responsibly reporting this vulnerability and working with the group on coordinated disclosure. Andy Lutomirski is also credited for assistance in documenting the vulnerability for Linux.

This document was written by Garret Wassermann.

Other Information

CVE IDs: CVE-2018-8897
Date Public: 2018-05-08
Date First Published: 2018-05-08
Date Last Updated: 2019-07-11 16:31 UTC
Document Revision: 107

Sponsored by CISA.

Download PGP Key

Read CERT/CC Blog

Learn about Vulnerability Analysis