Bug 1789209 (CVE-2019-14615) - CVE-2019-14615 kernel: Intel graphics card information leak.
Summary: CVE-2019-14615 kernel: Intel graphics card information leak.
Alias: CVE-2019-14615
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: Engineering1790299 Engineering1790300 Engineering1790301 Engineering1790320 Engineering1791510 1793118 Engineering1793121 Engineering1952322 Engineering1973748
Blocks: Embargoed1789712 Embargoed1790267
TreeView+ depends on / blocked
Reported: 2020-01-09 03:56 UTC by Wade Mealing
Modified: 2021-06-18 15:44 UTC (History)
44 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
An information disclosure flaw was found in the Linux kernel. The i915 graphics driver lacks control of flow for data structures which may allow a local, authenticated user to disclose information when using ioctl commands with an attached i915 device. The highest threat from this vulnerability is to data confidentiality.
Clone Of:
Last Closed: 2021-04-22 04:16:22 UTC

Attachments (Terms of Use)

Description Wade Mealing 2020-01-09 03:56:38 UTC
A flaw was found in the kernels implementation of the i915 graphics driver where lack of control flow for data structures may allow a local authenticated user to disclose information when issuing ioctl commands to an attached i915 devices.

How it works:

1 - Userspace creates a batchbuffer
2 - Batchbuffer sent to kernel via ioctl
3 - ioctl (2) issues it as an "Execution Unit" for the hardware.
4 - The kernel schedules another process to run.
5-  Another process (running as user) can access the previous Execution Unit results by re-using Execution Units results.  

Affected hardware:

This flaw affects Gen7, 7.5 and Gen9 hardware only.  See [1] The Intel graphics developer guides for information on how to identify your hardware to find if it is affected.

Additional information:
[1] https://software.intel.com/en-us/articles/intel-graphics-developers-guides
[2] https://bwidawsk.net/blog/index.php/2013/08/i915-command-submission-via-gem_exec_nop/

Comment 1 Wade Mealing 2020-01-09 05:49:02 UTC

Preventing loading of the i915 kernel module will prevent attackers from using this exploit against the system; however, the power management functionality of the card will be disabled and the system may draw additional power. See the kcs “How do I blacklist a kernel module to prevent it from loading automatically?“  (https://access.redhat.com/solutions/41278) for instructions on how to disable a kernel module from autoloading. Graphical displays may also be at low resolution or not work correctly.

This mitigation may not be suitable if the graphical login functionality is required.

Comment 11 Dave Airlie 2020-01-20 02:53:00 UTC
The upstream patch mentioned only fixes Skylake and above.

The problem is also there on Ivybridge and Haswell, and the proposed upstream solutions are currently killing performance on those devices.

Comment 12 Prasad Pandit 2020-01-20 17:43:55 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1793118]

Comment 15 Eric Christensen 2020-03-30 17:30:01 UTC

This issue affects the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 6, 7, 8 and Red Hat Enterprise MRG 2. Future kernel updates for Red Hat Enterprise Linux 6, 7, and 8 may address this issue.

This has been rated as having Moderate security impact and is not currently planned to be addressed in future updates of Red Hat Enterprise MRG 2.

Comment 17 Dave Airlie 2021-04-22 04:08:54 UTC
We have fixed this in all the Gen 9 Intel hardware. 

The upstream patches for Gen7 are quite intrusive and have had a number of follow on fixes in progress. I'm not comfortable shipping those in a Z stream update just to fix this for Gen 7 Intel hardware. These fixes will eventually be pulled in via our normal Y stream rebase process. (likely for 8.5).

As such I'm closing this bug as I don't see us proceeding with the gen7 fixes at this stage outside of 8.Y stream.

I've opened another bug for internal tracking of the Y stream backport.

Comment 18 Wade Mealing 2021-04-22 04:16:22 UTC
Ok, I think we can close this up.

Note You need to log in before you can comment on or make changes to this bug.