CWE-703: Improper Check or Handling of Exceptional Conditions - CVE-2018-8897

The MOV SS and POP SS instructions inhibit interrupts (including NMIs), data breakpoints, and single step trap exceptions until the instruction boundary following the next instruction (SDM Vol. 3A; section 6.8.3). (The inhibited data breakpoints are those on memory accessed by the MOV SS or POP SS instruction itself). Note that debug exceptions are not inhibited by the interrupt enable (EFLAGS.IF) system flag (SDM Vol 3A; section 2.3).

If the instruction following the MOV SS or POP SS instruction is an instruction like SYSCALL, SYSENTER, INT 3, etc. that transfers control to the operating system at Current Privilege Level (CPL) < 3, a debug exception is delivered after the transfer to CPL < 3 is complete. Such deferred #DB exceptions by MOV SS and POP SS may result in unexpected behavior.

Therefore, in certain circumstances after the use of certain Intel x86-64 architecture instructions, a debug exception pointing to data in a lower ring (for most operating systems, the kernel Ring 0 level) is made available to operating system components running in Ring 3. This may allow an attacker to utilize operating system APIs to gain access to sensitive memory information or control low-level operating system functions.

Several operating systems appear to incorrectly handle this exception due to interpretation of potentially unclear existing documentation and guidance on the use of these instructions.

More details can be found in the researcher's paper.

An authenticated attacker may be able to read sensitive data in memory or control low-level operating system functions,

Apply an update

Check with your operating system or software vendor for updates to address this issue. There is no expected performance impact for applying an update. A list of affected vendors and currently-known updates is provided below.