Bug 2147572 (CVE-2022-4139)

Summary: CVE-2022-4139 kernel: i915: Incorrect GPU TLB flush can lead to random memory access
Product: [Other] Security Response
Reporter: Mauro Matteo Cascella <mcascell>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: acaringi, airlied, arachman, bhu, chwhite, crwood, ddepaula, debarbos, dvlasenk, ezulian, hkrzesin, jarod, jburrell, jfaracco, jferlan, jforbes, jlelli, joe.lawrence, jpoimboe, jshortt, jstancek, jwyatt, kcarcia, kernel-mgr, kpatch-maint, lgoncalv, lleshchi, lveyde, lzampier, michal.skrivanek, mperina, nmurray, ptalbert, qzhao, rhandlin, rvrbovsk, sbalasub, sbonazzo, scweaver, security-response-team, tyberry, vkumar, walters, williams, ycote
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: kernel 6.1-rc7
Doc Type: If docs needed, set a value
Doc Text:
An incorrect TLB flush issue was found in the Linux kernel’s GPU i915 kernel driver, potentially leading to random memory corruption or data leaks. This flaw could allow a local user to crash the system or escalate their privileges on the system.
Last Closed: 2023-05-16 21:45:37 UTC
Bug Depends On: 2147583, 2147584, 2147585, 2147586, 2147587, 2147588, 2147589, 2147590, 2147591, 2148140, 2148141, 2148142, 2148143, 2148144, 2148145, 2148146, 2148147, 2148148, 2148149, 2148150, 2148151, 2148152, 2148153, 2148157, 2148158, 2148159, 2148160, 2148161, 2148162, 2148163, 2148164, 2148165, 2148166, 2148920, 2149657    
Bug Blocks: 2147540, 2148387    

Description Mauro Matteo Cascella 2022-11-24 10:26:40 UTC
Incorrect GPU TLB flush code has been discovered in the i915 kernel driver. In some cases (Gen12 hardware with specific types of engine) the engine's TLB is not flushed at all. Depending on whether the GPU is running behind an active IOMMU, there are two possible scenarios which can happen due to stale TLB mappings:

1. Without IOMMU - the GPU can still access physical memory which could already be assigned by the OS to a different process.
2. With IOMMU - the GPU can access any memory, if the malicious process is able to create/reuse the necessary IOMMU mappings.

It is currently not known if specific memory could be targeted, but random memory corruption or data leaks are a known possibility. All Intel Gen12 integrated and discrete GPUs are affected, including Tiger Lake, Rocket Lake, Alder Lake, DG1, Raptor Lake, DG2, Arctic Sound, Meteor Lake.

This vulnerability has a similar impact to CVE-2022-0330: https://access.redhat.com/security/cve/CVE-2022-0330.

Reference:
https://www.openwall.com/lists/oss-security/2022/11/30/1
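
Added triage example (not part of the bug report or of any Red Hat tooling): a shell function that lists every PCI device bound to the i915 driver and reports which of the two scenarios above applies to it, based on whether the device sits in an IOMMU group. It reads standard Linux sysfs paths, does not determine the GPU generation (look up the printed vendor:device ID separately), and the function name and SYSFS_ROOT variable are hypothetical.

```shell
#!/bin/sh
# i915_gpu_scenarios [SYSFS_ROOT]
# Prints one line per PCI device bound to i915:
#   <pci-address> <vendor>:<device> <state>
# state is:
#   no-iommu       no IOMMU group; stale GPU TLB entries resolve straight to
#                  physical memory (scenario 1 in the description)
#   iommu:<type>   device is in an IOMMU group (scenario 2); <type> is the
#                  group's domain type as exposed by the kernel, e.g. DMA,
#                  DMA-FQ or identity. "identity" is a 1:1 passthrough
#                  mapping, so treat it like scenario 1.
#   iommu:unknown  group present, but the kernel does not expose its type
i915_gpu_scenarios() {
    root="${1:-/sys}"
    drv="$root/bus/pci/drivers/i915"
    [ -d "$drv" ] || return 0            # driver not loaded, nothing bound
    for link in "$drv"/*; do
        # Bound devices are symlinks named by PCI address (0000:00:02.0);
        # skip bind/unbind/new_id files and the "module" symlink.
        [ -L "$link" ] || continue
        addr="${link##*/}"
        case "$addr" in
            *:*:*.*) ;;
            *) continue ;;
        esac
        vendor=$(cat "$link/vendor" 2>/dev/null || echo unknown)
        device=$(cat "$link/device" 2>/dev/null || echo unknown)
        if [ ! -e "$link/iommu_group" ]; then
            state="no-iommu"
        elif [ -r "$link/iommu_group/type" ]; then
            state="iommu:$(cat "$link/iommu_group/type")"
        else
            state="iommu:unknown"
        fi
        printf '%s %s:%s %s\n' "$addr" "$vendor" "$device" "$state"
    done
}

# Stand-alone use: inspect the running system (or a copied sysfs tree).
i915_gpu_scenarios "${SYSFS_ROOT:-/sys}"
```

Either state leaves an unpatched Gen12 system exposed; the output only tells you which of the two scenarios to assume while the fixed kernel is being rolled out.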

Comment 10 Mauro Matteo Cascella 2022-11-30 14:16:44 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2149657]

Comment 11 Mauro Matteo Cascella 2022-12-01 13:02:42 UTC
Upstream fix:
https://github.com/torvalds/linux/commit/04aa64375f48a5d430b5550d9271f8428883e550

Comment 12 Dave Airlie 2022-12-02 02:14:02 UTC
For RHEL 7: it doesn't support Gen12 at all, so I'll close all those.

Comment 13 Dave Airlie 2022-12-02 02:29:44 UTC
I've closed all the kernel streams that this doesn't affect. It's RHEL 8.3 and forward, and RHEL 9.0 and forward.

Comment 19 errata-xmlrpc 2023-01-12 09:19:18 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:0101 https://access.redhat.com/errata/RHSA-2023:0101

Comment 20 errata-xmlrpc 2023-01-12 09:22:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:0114 https://access.redhat.com/errata/RHSA-2023:0114

Comment 21 errata-xmlrpc 2023-01-12 09:26:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:0123 https://access.redhat.com/errata/RHSA-2023:0123

Comment 22 errata-xmlrpc 2023-01-23 15:17:06 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:0300 https://access.redhat.com/errata/RHSA-2023:0300

Comment 23 errata-xmlrpc 2023-01-23 15:21:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:0334 https://access.redhat.com/errata/RHSA-2023:0334

Comment 24 errata-xmlrpc 2023-01-23 15:23:17 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:0348 https://access.redhat.com/errata/RHSA-2023:0348

Comment 25 errata-xmlrpc 2023-01-24 14:17:12 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:0441 https://access.redhat.com/errata/RHSA-2023:0441

Comment 26 errata-xmlrpc 2023-01-24 14:40:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:0440 https://access.redhat.com/errata/RHSA-2023:0440

Comment 27 errata-xmlrpc 2023-01-30 14:31:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2023:0499 https://access.redhat.com/errata/RHSA-2023:0499

Comment 28 errata-xmlrpc 2023-01-30 14:37:13 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2023:0496 https://access.redhat.com/errata/RHSA-2023:0496

Comment 29 errata-xmlrpc 2023-01-30 14:41:17 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:0526 https://access.redhat.com/errata/RHSA-2023:0526

Comment 30 errata-xmlrpc 2023-01-30 14:42:47 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:0512 https://access.redhat.com/errata/RHSA-2023:0512

Comment 31 errata-xmlrpc 2023-01-30 15:08:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:0536 https://access.redhat.com/errata/RHSA-2023:0536

Comment 32 errata-xmlrpc 2023-01-30 15:27:54 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2023:0531 https://access.redhat.com/errata/RHSA-2023:0531

Comment 34 errata-xmlrpc 2023-02-21 10:40:29 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 8

Via RHSA-2023:0859 https://access.redhat.com/errata/RHSA-2023:0859

Comment 38 Product Security DevOps Team 2023-05-16 21:45:33 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-4139

Comment 39 Red Hat Bugzilla 2023-09-19 04:30:29 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days