File: rule.yml

scap-security-guide 0.1.78-1
documentation_complete: true

title: 'Force kernel panic on uncorrected MCEs'

description: |-
    A Machine Check Exception (MCE) is an error raised by the CPU when it detects
    a fault in itself, in memory or in an I/O device.
    Such errors may be corrected, in which case a log entry is generated; if an
    error cannot be corrected, the kernel may panic or raise SIGBUS.

    To force the kernel to panic on any uncorrected error reported by Machine Check
    set the MCE tolerance to zero by adding <tt>mce=0</tt>
    to the default GRUB 2 command line for the Linux operating system.
    {{{ describe_grub2_argument("mce=0") | indent(4) }}}

rationale: |-
    Allowing uncorrected errors to result in a SIGBUS rather than a kernel panic may
    allow an attacker to keep attempting to exploit a vulnerability such as Rowhammer.

severity: medium

identifiers:
    cce@rhel8: CCE-87098-0
    cce@rhel9: CCE-88098-9
    cce@rhel10: CCE-87067-5

ocil_clause: 'MCE tolerance is not set to zero'

ocil: |-
    {{{ ocil_grub2_argument("mce=0") | indent(4) }}}


template:
    name: grub2_bootloader_argument
    vars:
        arg_name: mce
        arg_value: '0'
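The rule above is evaluated by the project's templated GRUB 2 check; the script below is an added example (not scap-security-guide code) that applies the same criterion to a kernel command line string, so it can be run against constructed samples or the live `/proc/cmdline`. It assumes that when `mce=` appears more than once the last occurrence is the effective one.

```shell
#!/bin/sh
# Added example, not part of the scap-security-guide rule: evaluate a kernel
# command line against this rule (MCE tolerance must be set to zero via mce=0).

# mce_value CMDLINE: print the effective value of the mce= parameter.
# Assumption: when mce= appears more than once the last occurrence is effective.
# Prints nothing and returns 1 if mce= is absent.
mce_value() {
    set -f            # no globbing while the command line is split into words
    set -- $1
    set +f
    value="" found=1
    for arg in "$@"; do
        case "$arg" in
            mce=*) value="${arg#mce=}"; found=0 ;;
        esac
    done
    [ "$found" -eq 0 ] && printf '%s\n' "$value"
    return "$found"
}

# mce_tolerance_is_zero CMDLINE: succeed only if the effective setting is mce=0.
# "mce=off" or a higher tolerance level does not satisfy the rule.
mce_tolerance_is_zero() {
    [ "$(mce_value "$1")" = "0" ]
}

# Constructed sample command lines (not captured from a real host).
SAMPLE_PASS='BOOT_IMAGE=(hd0,gpt2)/vmlinuz root=/dev/mapper/rhel-root ro quiet mce=0'
SAMPLE_FAIL='BOOT_IMAGE=(hd0,gpt2)/vmlinuz root=/dev/mapper/rhel-root ro quiet'
SAMPLE_OVERRIDDEN='BOOT_IMAGE=(hd0,gpt2)/vmlinuz ro mce=0 mce=1'   # later mce=1 wins

# Report on the running kernel; harmless where /proc/cmdline is unavailable.
report_live() {
    [ -r /proc/cmdline ] || { echo "SKIP: /proc/cmdline not readable"; return 0; }
    live=$(cat /proc/cmdline)
    if mce_tolerance_is_zero "$live"; then
        echo "PASS: mce=0 is set on the running kernel"
    else
        echo "FAIL: MCE tolerance is not set to zero (mce=$(mce_value "$live" || echo unset))"
    fi
}

report_live
```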