BSDSec

deadsimple BSD Security Advisories and Announcements

FreeBSD Errata Notice FreeBSD-EN-18:17.vm

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-EN-18:17.vm                                             Errata Notice
                                                          The FreeBSD Project

Topic:          Kernel panic under load on Intel "Skylake" CPUs

Category:       core
Module:         kernel
Announced:      2018-12-19
Credits:        Mark Johnston
Affects:        FreeBSD 11.2
Corrected:      2018-12-02 18:08:27 UTC (stable/11, 11.2-STABLE)
                2018-19-19 18:00:58 UTC (releng/11.2, 11.2-RELEASE-p7)

For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:https://security.FreeBSD.org/>.

I.   Background

The physical page allocator is a component of the kernel responsible for
tracking usage of the system's RAM by the kernel and by userland
applications.  It maintains lists of unused memory pages which may be
returned by the allocator upon demand.  It also maintains an integer
count of the number of pages stored in these lists.

II.  Problem Description

The kernel contains handling for an Intel erratum affecting Skylake-X
CPUs.  The erratum description states that a processor may hang when
performing a certain synchronization operation within a particular 4MB
region of physical memory.  FreeBSD works around the erratum by using
a blacklisting mechanism to ensure that the physical page allocator
never returns pages in that region.  However, this blacklisting
mechanism contained a bug such that the removal of pages in the region
was not reflected in the free page count.

III. Impact

The discrepancy between the free page count and the physical page
allocator's state can trigger a NULL pointer dereference when the
system is under heavy load, resulting in a panic.

IV.  Workaround

Only systems using a Skylake-X or Skylake Server CPU are affected.

Affected systems can work around the problem by setting the
"hw.skz63_enable" to 0 in /boot/loader.conf, causing the handling for
the Intel erratum to be disabled upon a reboot of the system.  However,
this raises the possibility of being affected by the erratum if software
running on the system makes use of Intel TSX.

V.   Solution

Perform one of the following:

1) Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date and reboot the system.

2) To update your system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
Reboot the system

3) To update your system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 11.2]
# fetch https://security.FreeBSD.org/patches/EN-18:17/vm.patch
# fetch https://security.FreeBSD.org/patches/EN-18:17/vm.patch.asc
# gpg --verify vm.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/11/                                                        r341401
releng/11.2/                                                      r342225
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>

VII. References

<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=231296>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-18:17.vm.asc>
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlwannZfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cKsAxAAkr/ufB1aKSSib0n/e6PXE1FOnjUGgpK+LiiSG+QdW/6oMv/yto+4Qbj2
3Ht3TPyuoTqwQmHHiSzpnnnRHGDrdffiRYQsziFR89c8iyw7Qni8BYlK2YLYYw9i
TVyT6sxkorpTPZpGQZNaRBwZoWCLaxBvfKC0wVcli9gByOfb5T5J4puUNT4EXIpb
eaimCWG24vsIkWlHeC/8ulHsjEEDBatyfWWl95i8JVMqBDdHZypryJkO0jBo5Uig
PIighKIqDiEwwvjtHfGh4iAn3mFINDbMDdjXyMWYqDbgvX3J6cCv6qaY7p2eizQN
taN1rbC+7MJIFEkTFASvbJq7KOc/PcXOLU4O3964HZbbowdQNwAxQAuMGN6GNLmJ
ydHE7Atei1Py8q3gg9uMpX0TVikzfOL6iBmdzEkg2mgXIeyISLn5BTuE/k9hkVwi
6Boeec1qshtx04gF0xzsp/KPropad4nV09/E4cuo5jHuaq3WgpnDVzVhGEmFZpY7
Z5B8vHqSc7Ng0xZoQYIcYbGCVBaWNF4WCf/1DZhU44mXkob+CRkv+kROFkfn8lY3
2Jzjp7LWqPv9CFxIJ7q4BnDTyhxkQksm646tII1JNMcjY0hzFjQDUrVmDRb8ak/E
LsJNDKicqGdCdrHeA8jZm7RxwAmdkhyF/uumPYxJg64Y9DU23SM=
=QgI2
-----END PGP SIGNATURE-----
_______________________________________________
freebsd-announce@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-announce
To unsubscribe, send any mail to "freebsd-announce-unsubscribe@freebsd.org"