Bug 1789209 (CVE-2019-14615) - CVE-2019-14615 kernel: Intel graphics card information leak.
Summary: CVE-2019-14615 kernel: Intel graphics card information leak.
Keywords:
Status: NEW
Alias: CVE-2019-14615
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1790299 1790300 1790301 1790320 1791510 1793118 1793121
Blocks: 1789712 1790267
Reported: 2020-01-09 03:56 UTC by Wade Mealing
Modified: 2020-03-30 17:30 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
An information disclosure flaw was found in the Linux kernel. The i915 graphics driver lacks control of flow for data structures which may allow a local, authenticated user to disclose information when using ioctl commands with an attached i915 device. The highest threat from this vulnerability is to data confidentiality.
Clone Of:
Environment:
Last Closed:



Description Wade Mealing 2020-01-09 03:56:38 UTC
A flaw was found in the kernel's implementation of the i915 graphics driver where lack of control flow for data structures may allow a local authenticated user to disclose information when issuing ioctl commands to an attached i915 device.


How it works:

1 - Userspace creates a batchbuffer
2 - Batchbuffer sent to kernel via ioctl
3 - ioctl (2) issues it as an "Execution Unit" for the hardware.
4 - The kernel schedules another process to run.
5 - Another process (running as user) can access the previous Execution Unit results by re-using Execution Unit results.

Affected hardware:

This flaw affects Gen7, 7.5 and Gen9 hardware only. See [1], the Intel graphics developer guides, for information on how to identify your hardware to find if it is affected.


Additional information:
[1] https://software.intel.com/en-us/articles/intel-graphics-developers-guides
[2] https://bwidawsk.net/blog/index.php/2013/08/i915-command-submission-via-gem_exec_nop/

Comment 1 Wade Mealing 2020-01-09 05:49:02 UTC
Mitigation:

Preventing loading of the i915 kernel module will prevent attackers from using this exploit against the system; however, the power management functionality of the card will be disabled and the system may draw additional power. See the KCS article "How do I blacklist a kernel module to prevent it from loading automatically?" (https://access.redhat.com/solutions/41278) for instructions on how to disable a kernel module from autoloading. Graphical displays may also be at low resolution or not work correctly.

This mitigation may not be suitable if the graphical login functionality is required.
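
An added example (not part of the bug report or of Red Hat's instructions) for auditing the mitigation in comment 1: it reports whether i915 is currently loaded and whether a modprobe.d directory carries `blacklist` and `install ... /bin/false` lines for it. The function names, status strings and default paths are assumptions of this sketch, and only one configuration directory is checked per call.

```shell
#!/bin/sh
# Added example: audit the "do not load i915" mitigation on a host.
# All names below are hypothetical helpers; paths are parameters so the
# check can also be run against constructed files.

# module_loaded MODULE [PROC_MODULES]: succeeds if MODULE is loaded now.
module_loaded() {
    [ -r "${2:-/proc/modules}" ] || return 1
    awk -v m="$1" '$1 == m { found = 1 } END { exit !found }' \
        "${2:-/proc/modules}"
}

# directive_present KEYWORD MODULE DIR: succeeds if an uncommented
# "KEYWORD MODULE" line exists in a *.conf file under DIR. An "install"
# line only counts when its command is /bin/false or /bin/true, because
# any other command may still load the module.
directive_present() {
    for f in "$3"/*.conf; do
        [ -f "$f" ] || continue
        if awk -v k="$1" -v m="$2" '
            { sub(/#.*/, "") }          # drop comments, re-split fields
            $1 == k && $2 == m &&
              (k != "install" || $3 ~ /^(\/usr)?\/bin\/(false|true)$/) {
                found = 1
            }
            END { exit !found }' "$f"
        then
            return 0
        fi
    done
    return 1
}

# mitigation_status MODULE [CONF_DIR] [PROC_MODULES]
# Prints "loaded" (a blacklist only affects future load attempts), or
# which of the two directives were found.
mitigation_status() {
    mod=$1; dir=${2:-/etc/modprobe.d}; proc=${3:-/proc/modules}
    if module_loaded "$mod" "$proc"; then
        echo loaded
        return 0
    fi
    b=no; i=no
    if directive_present blacklist "$mod" "$dir"; then b=yes; fi
    if directive_present install "$mod" "$dir"; then i=yes; fi
    echo "blacklist=$b install=$i"
}

# Usage on a live system:  mitigation_status i915
```

A result of `loaded` means the driver is still reachable through its ioctl interface regardless of what the configuration files say.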

Comment 11 Dave Airlie 2020-01-20 02:53:00 UTC
The upstream patch mentioned only fixes Skylake and above.

The problem is also there on Ivybridge and Haswell, and the proposed upstream solutions are currently killing performance on those devices.

Comment 12 Prasad J Pandit 2020-01-20 17:43:55 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1793118]

Comment 15 Eric Christensen 2020-03-30 17:30:01 UTC
Statement:

This issue affects the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 6, 7, 8 and Red Hat Enterprise MRG 2. Future kernel updates for Red Hat Enterprise Linux 6, 7, and 8 may address this issue.

This has been rated as having Moderate security impact and is not currently planned to be addressed in future updates of Red Hat Enterprise MRG 2.

