Bug 1789209 (CVE-2019-14615)

Summary: CVE-2019-14615 kernel: Intel graphics card information leak.
Product: [Other] Security Response Reporter: Wade Mealing <wmealing>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: acaringi, airlied, bhu, blc, brdeoliv, bskeggs, dhoward, dvlasenk, esammons, fhrbata, hdegoede, hkrzesin, iboverma, ichavero, itamar, jarodwilson, jeremy, jforbes, jglisse, jlelli, john.j5live, jonathan, josef, jross, jshortt, jstancek, jwboyer, kernel-maint, kernel-mgr, lgoncalv, linville, masami256, mchehab, mcressma, mjg59, mlangsdo, nmurray, ppandit, qzhao, rt-maint, rvrbovsk, security-response-team, steved, williams
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
An information disclosure flaw was found in the Linux kernel. The i915 graphics driver lacks control of flow for data structures which may allow a local, authenticated user to disclose information when using ioctl commands with an attached i915 device. The highest threat from this vulnerability is to data confidentiality.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-04-22 04:16:22 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1790299, 1790300, 1790301, 1790320, 1791510, 1793118, 1793121, 1952322, 1973748    
Bug Blocks: 1789712, 1790267    

Description Wade Mealing 2020-01-09 03:56:38 UTC 
A flaw was found in the kernels implementation of the i915 graphics driver where lack of control flow for data structures may allow a local authenticated user to disclose information when issuing ioctl commands to an attached i915 devices.


How it works:

1 - Userspace creates a batchbuffer
2 - Batchbuffer sent to kernel via ioctl
3 - ioctl (2) issues it as an "Execution Unit" for the hardware.
4 - The kernel schedules another process to run.
5-  Another process (running as user) can access the previous Execution Unit results by re-using Execution Units results.  

Affected hardware:

This flaw affects Gen7, 7.5 and Gen9 hardware only.  See [1] The Intel graphics developer guides for information on how to identify your hardware to find if it is affected.


Additional information:
[1] https://software.intel.com/en-us/articles/intel-graphics-developers-guides
[2] https://bwidawsk.net/blog/index.php/2013/08/i915-command-submission-via-gem_exec_nop/
Comment 1 Wade Mealing 2020-01-09 05:49:02 UTC 
Mitigation:

Preventing loading of the i915 kernel module will prevent attackers from using this exploit against the system; however, the power management functionality of the card will be disabled and the system may draw additional power. See the kcs “How do I blacklist a kernel module to prevent it from loading automatically?“  (https://access.redhat.com/solutions/41278) for instructions on how to disable a kernel module from autoloading. Graphical displays may also be at low resolution or not work correctly.

This mitigation may not be suitable if the graphical login functionality is required.
Comment 10 msiddiqu 2020-01-16 07:18:18 UTC 
Upstream Patch:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=bc8a76a152c5f9ef3b48104154a65a68a8b76946
https://lists.freedesktop.org/archives/intel-gfx/2020-January/225945.html
Comment 11 Dave Airlie 2020-01-20 02:53:00 UTC 
The upstream patch mentioned only fixes Skylake and above.

The problem is also there on Ivybridge and Haswell, and the proposed upstream solutions are currently killing performance on those devices.
Comment 12 Prasad Pandit 2020-01-20 17:43:55 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1793118]
Comment 15 Eric Christensen 2020-03-30 17:30:01 UTC 
Statement:

This issue affects the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 6, 7, 8 and Red Hat Enterprise MRG 2. Future kernel updates for Red Hat Enterprise Linux 6, 7, and 8 may address this issue.

This has been rated as having Moderate security impact and is not currently planned to be addressed in future updates of Red Hat Enterprise MRG 2.
Comment 17 Dave Airlie 2021-04-22 04:08:54 UTC 
We have fixed this in all the Gen 9 Intel hardware. 

The upstream patches for Gen7 are quite intrusive and have had a number of follow on fixes in progress. I'm not comfortable shipping those in a Z stream update just to fix this for Gen 7 Intel hardware. These fixes will eventually be pulled in via our normal Y stream rebase process. (likely for 8.5).

As such I'm closing this bug as I don't see us proceeding with the gen7 fixes at this stage outside of 8.Y stream.

I've opened another bug for internal tracking of the Y stream backport.
Comment 18 Wade Mealing 2021-04-22 04:16:22 UTC 
Ok, I think we can close this up.