Bug 1930246 (CVE-2020-12362)

Summary: CVE-2020-12362 kernel: Integer overflow in Intel(R) Graphics Drivers
Product: [Other] Security Response
Reporter: Pedro Sampaio <psampaio>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: acaringi, adscvr, airlied, alciregi, bhu, blc, bmasney, brdeoliv, bskeggs, chwhite, dhoward, dvlasenk, dwmw2, fhrbata, hdegoede, hkrzesin, jarodwilson, jeremy, jforbes, jglisse, jlelli, jonathan, josef, jshortt, jstancek, jwboyer, kcarcia, kernel-maint, kernel-mgr, laura, lgoncalv, linville, masami256, mchehab, mlangsdo, nmurray, pbrobinson, pmatouse, ptalbert, qzhao, rvrbovsk, security-response-team, steved, walters, williams, yozone
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Linux kernel. An integer overflow in the firmware for some Intel(R) Graphics Drivers may allow a privileged user to potentially enable an escalation of privilege via local access. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Last Closed: 2021-05-18 20:38:32 UTC
Bug Depends On: 1930247, 1934410, 1934417, 1934418, 1935271, 1935272, 1935273, 1935274, 1935275, 1935276, 1935277, 1935278, 1935279, 1935280, 1935281, 1935282, 1935283, 1935284, 1935285, 1935286, 1935287, 1935288, 1935289, 1935290, 1935291, 1935292, 1935293, 1935294, 1935295, 1935296, 1935298    
Bug Blocks: 1930256    
Attachments:
  disable the fw loading on i915 option. (flags: none)
  alternate patch to just print a dmesg warning if enable_guc is used on older kernels. (flags: none)

Description Pedro Sampaio 2021-02-18 15:05:19 UTC
Integer overflow in the firmware for some Intel(R) Graphics Drivers for Windows * before version 26.20.100.7212 and before Linux kernel version 5.5 may allow a privileged user to potentially enable an escalation of privilege via local access.

References:

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00438.html

Comment 1 Pedro Sampaio 2021-02-18 15:06:31 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1930247]

Comment 3 Justin M. Forbes 2021-02-18 22:55:21 UTC
This was fixed for Fedora with the 5.5 stable kernel updates.

Comment 6 Petr Matousek 2021-03-03 08:28:23 UTC
Created linux-firmware tracking bugs for this issue:

Affects: fedora-all [bug 1934418]

Comment 9 Petr Matousek 2021-03-04 14:57:28 UTC
Mitigation:

Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Comment 12 Dave Airlie 2021-04-19 04:06:39 UTC
Created attachment 1773173 [details]
disable the fw loading on i915 option.

Comment 13 Dave Airlie 2021-04-19 04:23:06 UTC
By default out of the box we are not affected by this bug. We don't enable GUC fw loading/submission on any platforms by default yet AFAICS.

The only way to enable GuC fw loading is to pass i915.enable_guc on the command line. So by default there is no need to mitigate this. Only users that specify i915.enable_guc=-1 or i915.enable_guc=1 or 2 are open to be exploited by this.

I think we can fix this for the newer kernels fine, but I'm not sure it's worth fixing it for too many of the older ones. The patch I've attached just completely blocks passing the enable_guc command line parameter and prints a warning if it is.

Comment 16 Petr Matousek 2021-04-20 09:30:04 UTC
Statement:

Only users that specify i915.enable_guc=-1 or i915.enable_guc=1 or 2 are open to be exploited by this issue.

To fix this issue a combination of linux-firmware and kernel update is required to be installed on the system.
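
A host audit for the condition in the Statement above, as an added example that is not part of this bug report or any Red Hat tooling. The function names are hypothetical; checking modprobe.d `options` lines goes beyond the kernel command line mentioned in the comments, and the script assumes that a repeated parameter takes its last value.

```shell
#!/bin/sh
# Added example: flag i915.enable_guc values that the Statement lists as exposed.

# Print the i915.enable_guc value from a kernel command line string ($1),
# or nothing if absent. Assumption: a repeated parameter takes its last value.
guc_from_cmdline() (
    set -f                      # no glob expansion while splitting tokens
    val=""
    for tok in $1; do
        case "$tok" in i915.enable_guc=*) val="${tok#i915.enable_guc=}" ;; esac
    done
    printf '%s' "$val"
)

# Same, for modprobe.d text on stdin ("options i915 enable_guc=N ...").
guc_from_modprobe() (
    set -f
    val=""
    while read -r kw mod rest || [ -n "$kw" ]; do
        if [ "$kw" = "options" ] && [ "$mod" = "i915" ]; then
            for tok in $rest; do
                case "$tok" in enable_guc=*) val="${tok#enable_guc=}" ;; esac
            done
        fi
    done
    printf '%s' "$val"
)

classify_guc() {
    case "$1" in
        "")     echo "default" ;;    # parameter not passed
        0)      echo "disabled" ;;
        -1|1|2) echo "exposed" ;;    # values named in the Statement
        *)      echo "review" ;;     # value the Statement does not cover
    esac
}

check_cmdline() { classify_guc "$(guc_from_cmdline "$1")"; }

# Live check on the running host.
if [ -r /proc/cmdline ]; then
    echo "kernel cmdline: $(check_cmdline "$(cat /proc/cmdline)")"
fi
for f in /etc/modprobe.d/*.conf; do
    if [ -r "$f" ]; then
        echo "$f: $(classify_guc "$(guc_from_modprobe < "$f")")"
    fi
done
```

A result of "exposed" means the host needs the combined linux-firmware and kernel update described in the Statement, or the parameter removed.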

Comment 18 Dave Airlie 2021-04-22 01:09:06 UTC
Created attachment 1774212 [details]
alternate patch to just print a dmesg warning if enable_guc is used on older kernels.

Comment 20 errata-xmlrpc 2021-05-18 13:21:12 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:1578 https://access.redhat.com/errata/RHSA-2021:1578

Comment 21 errata-xmlrpc 2021-05-18 13:45:50 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:1620 https://access.redhat.com/errata/RHSA-2021:1620

Comment 22 errata-xmlrpc 2021-05-18 14:41:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:1739 https://access.redhat.com/errata/RHSA-2021:1739

Comment 23 Product Security DevOps Team 2021-05-18 20:38:32 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-12362

Comment 24 errata-xmlrpc 2021-05-25 15:54:06 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2021:2106 https://access.redhat.com/errata/RHSA-2021:2106

Comment 25 errata-xmlrpc 2021-06-01 08:45:12 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Advanced Update Support
  Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.4 Telco Extended Update Support

Via RHSA-2021:2164 https://access.redhat.com/errata/RHSA-2021:2164

Comment 26 errata-xmlrpc 2021-06-01 16:04:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:2190 https://access.redhat.com/errata/RHSA-2021:2190

Comment 27 errata-xmlrpc 2021-06-02 00:46:45 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:2185 https://access.redhat.com/errata/RHSA-2021:2185

Comment 28 errata-xmlrpc 2021-06-08 14:43:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.3 Advanced Update Support

Via RHSA-2021:2293 https://access.redhat.com/errata/RHSA-2021:2293

Comment 29 errata-xmlrpc 2021-06-08 22:31:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:2314 https://access.redhat.com/errata/RHSA-2021:2314

Comment 30 errata-xmlrpc 2021-06-08 22:32:54 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:2316 https://access.redhat.com/errata/RHSA-2021:2316

Comment 31 errata-xmlrpc 2021-06-09 09:27:29 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Advanced Update Support
  Red Hat Enterprise Linux 7.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.6 Telco Extended Update Support

Via RHSA-2021:2355 https://access.redhat.com/errata/RHSA-2021:2355

Comment 33 errata-xmlrpc 2021-06-22 17:36:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Extended Update Support

Via RHSA-2021:2523 https://access.redhat.com/errata/RHSA-2021:2523

Comment 39 errata-xmlrpc 2021-07-20 20:54:22 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6 Extended Lifecycle Support

Via RHSA-2021:2735 https://access.redhat.com/errata/RHSA-2021:2735