Bug 2147572 (CVE-2022-4139) - CVE-2022-4139 kernel: i915: Incorrect GPU TLB flush can lead to random memory access
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-4139
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2147583 2147584 2147585 2147586 2147587 2147588 2147589 2147590 2147591 2148140 2148141 2148142 2148143 2148144 2148145 2148146 2148147 2148148 2148149 2148150 2148151 2148152 2148153 2148157 2148158 2148159 2148160 2148161 2148162 2148163 2148164 2148165 2148166 2148920 2149657
Blocks: 2147540 2148387
Reported: 2022-11-24 10:26 UTC by Mauro Matteo Cascella
Modified: 2023-09-19 04:30 UTC

Fixed In Version: kernel 6.1-rc7
Doc Type: If docs needed, set a value
Doc Text:
An incorrect TLB flush issue was found in the Linux kernel’s GPU i915 kernel driver, potentially leading to random memory corruption or data leaks. This flaw could allow a local user to crash the system or escalate their privileges on the system.
Clone Of:
Environment:
Last Closed: 2023-05-16 21:45:37 UTC
Embargoed:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHBA-2023:0131 | 0 | None | None | None | 2023-01-12 12:54:58 UTC
Red Hat Product Errata | RHBA-2023:0157 | 0 | None | None | None | 2023-01-12 14:26:15 UTC
Red Hat Product Errata | RHBA-2023:0176 | 0 | None | None | None | 2023-01-16 11:53:39 UTC
Red Hat Product Errata | RHBA-2023:0177 | 0 | None | None | None | 2023-01-16 11:55:56 UTC
Red Hat Product Errata | RHBA-2023:0178 | 0 | None | None | None | 2023-01-16 12:14:11 UTC
Red Hat Product Errata | RHBA-2023:0188 | 0 | None | None | None | 2023-01-17 11:06:46 UTC
Red Hat Product Errata | RHBA-2023:0267 | 0 | None | None | None | 2023-01-19 09:54:02 UTC
Red Hat Product Errata | RHSA-2023:0101 | 0 | None | None | None | 2023-01-12 09:19:22 UTC
Red Hat Product Errata | RHSA-2023:0114 | 0 | None | None | None | 2023-01-12 09:22:56 UTC
Red Hat Product Errata | RHSA-2023:0123 | 0 | None | None | None | 2023-01-12 09:26:13 UTC
Red Hat Product Errata | RHSA-2023:0300 | 0 | None | None | None | 2023-01-23 15:17:11 UTC
Red Hat Product Errata | RHSA-2023:0334 | 0 | None | None | None | 2023-01-23 15:21:42 UTC
Red Hat Product Errata | RHSA-2023:0348 | 0 | None | None | None | 2023-01-23 15:23:21 UTC
Red Hat Product Errata | RHSA-2023:0440 | 0 | None | None | None | 2023-01-24 14:40:41 UTC
Red Hat Product Errata | RHSA-2023:0441 | 0 | None | None | None | 2023-01-24 14:17:16 UTC
Red Hat Product Errata | RHSA-2023:0496 | 0 | None | None | None | 2023-01-30 14:37:16 UTC
Red Hat Product Errata | RHSA-2023:0499 | 0 | None | None | None | 2023-01-30 14:31:43 UTC
Red Hat Product Errata | RHSA-2023:0512 | 0 | None | None | None | 2023-01-30 14:42:50 UTC
Red Hat Product Errata | RHSA-2023:0526 | 0 | None | None | None | 2023-01-30 14:41:20 UTC
Red Hat Product Errata | RHSA-2023:0531 | 0 | None | None | None | 2023-01-30 15:27:57 UTC
Red Hat Product Errata | RHSA-2023:0536 | 0 | None | None | None | 2023-01-30 15:08:28 UTC
Red Hat Product Errata | RHSA-2023:0859 | 0 | None | None | None | 2023-02-21 10:40:33 UTC

Description Mauro Matteo Cascella 2022-11-24 10:26:40 UTC
Incorrect GPU TLB flush code has been discovered in the i915 kernel driver. In some cases (Gen12 hardware with specific types of engine) the engine's TLB is not flushed at all. Depending on whether the GPU is running behind an active IOMMU, there are two possible scenarios which can happen due to a stale TLB mapping:

1. Without IOMMU - the GPU can still access physical memory which could already be assigned by the OS to a different process.
2. With IOMMU - the GPU can access any memory, if the malicious process is able to create/reuse the necessary IOMMU mappings.

It is currently not known if specific memory could be targeted, but random memory corruption or data leaks are a known possibility. All Intel integrated and discrete GPUs Gen12 are affected, including Tiger Lake, Rocket Lake, Alder Lake, DG1, Raptor Lake, DG2, Arctic Sound, Meteor Lake.

This vulnerability has a similar impact to CVE-2022-0330: https://access.redhat.com/security/cve/CVE-2022-0330.

Reference:
https://www.openwall.com/lists/oss-security/2022/11/30/1
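
A host-side triage check for the two scenarios in the description above, as an added example that is not part of the bug report: it lists each PCI device bound to the i915 driver and whether it sits behind an IOMMU group. The function name and output format are assumptions of this example; the page lists no PCI device IDs, so whether a reported device is Gen12 has to be checked separately.

```shell
#!/bin/sh
# Added example (not from the bug report). Reads standard Linux sysfs paths.
#
# i915_iommu_state [SYSFS_ROOT]
#   Prints one line per PCI device bound to i915:
#     <pci-address> <pci-device-id> no-iommu|iommu:<domain-type>
#   SYSFS_ROOT defaults to /sys; it is a parameter so the function can be
#   exercised against a constructed directory tree.
i915_iommu_state() {
    root="${1:-/sys}"
    drv="$root/bus/pci/drivers/i915"
    [ -d "$drv" ] || return 0      # driver not loaded: nothing to report

    for dev in "$drv"/*; do
        addr="${dev##*/}"
        # Bound devices are symlinks named by PCI address (e.g. 0000:00:02.0);
        # skip the driver's control files (bind, unbind, new_id, ...).
        case "$addr" in
            *:*:*.*) ;;
            *) continue ;;
        esac
        [ -e "$dev/device" ] || continue
        id="$(cat "$dev/device")"

        if [ -e "$dev/iommu_group" ]; then
            # Scenario 2 (with IOMMU). The group's "type" attribute tells
            # whether DMA is actually translated: an "identity" domain is a
            # passthrough mapping and does not restrict what the GPU reaches.
            type="$(cat "$dev/iommu_group/type" 2>/dev/null || echo unknown)"
            state="iommu:$type"
        else
            # Scenario 1 (without IOMMU): GPU addresses are physical addresses.
            state="no-iommu"
        fi
        printf '%s %s %s\n' "$addr" "$id" "$state"
    done
}

# Stand-alone use: report on the running host (or on the root given as $1).
i915_iommu_state "$@"
```

No output means no device is bound to i915 on the host. Either reported state still needs the fixed kernel, since the description lists an exposure for both cases.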

Comment 10 Mauro Matteo Cascella 2022-11-30 14:16:44 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2149657]

Comment 11 Mauro Matteo Cascella 2022-12-01 13:02:42 UTC
Upstream fix:
https://github.com/torvalds/linux/commit/04aa64375f48a5d430b5550d9271f8428883e550

Comment 12 Dave Airlie 2022-12-02 02:14:02 UTC
For RHEL 7: it doesn't support Gen12 at all, so I'll close all those.

Comment 13 Dave Airlie 2022-12-02 02:29:44 UTC
I've closed all the kernel streams that this doesn't affect. It's RHEL 8.3 and forward, and RHEL 9.0 and forward.

Comment 19 errata-xmlrpc 2023-01-12 09:19:18 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:0101 https://access.redhat.com/errata/RHSA-2023:0101

Comment 20 errata-xmlrpc 2023-01-12 09:22:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:0114 https://access.redhat.com/errata/RHSA-2023:0114

Comment 21 errata-xmlrpc 2023-01-12 09:26:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:0123 https://access.redhat.com/errata/RHSA-2023:0123

Comment 22 errata-xmlrpc 2023-01-23 15:17:06 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:0300 https://access.redhat.com/errata/RHSA-2023:0300

Comment 23 errata-xmlrpc 2023-01-23 15:21:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:0334 https://access.redhat.com/errata/RHSA-2023:0334

Comment 24 errata-xmlrpc 2023-01-23 15:23:17 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:0348 https://access.redhat.com/errata/RHSA-2023:0348

Comment 25 errata-xmlrpc 2023-01-24 14:17:12 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:0441 https://access.redhat.com/errata/RHSA-2023:0441

Comment 26 errata-xmlrpc 2023-01-24 14:40:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:0440 https://access.redhat.com/errata/RHSA-2023:0440

Comment 27 errata-xmlrpc 2023-01-30 14:31:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2023:0499 https://access.redhat.com/errata/RHSA-2023:0499

Comment 28 errata-xmlrpc 2023-01-30 14:37:13 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2023:0496 https://access.redhat.com/errata/RHSA-2023:0496

Comment 29 errata-xmlrpc 2023-01-30 14:41:17 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:0526 https://access.redhat.com/errata/RHSA-2023:0526

Comment 30 errata-xmlrpc 2023-01-30 14:42:47 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:0512 https://access.redhat.com/errata/RHSA-2023:0512

Comment 31 errata-xmlrpc 2023-01-30 15:08:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:0536 https://access.redhat.com/errata/RHSA-2023:0536

Comment 32 errata-xmlrpc 2023-01-30 15:27:54 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2023:0531 https://access.redhat.com/errata/RHSA-2023:0531

Comment 34 errata-xmlrpc 2023-02-21 10:40:29 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 8

Via RHSA-2023:0859 https://access.redhat.com/errata/RHSA-2023:0859

Comment 38 Product Security DevOps Team 2023-05-16 21:45:33 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-4139

Comment 39 Red Hat Bugzilla 2023-09-19 04:30:29 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days

