CVE-2020-8832: Bug #1862840 “[Bionic] i915 incomplete fix for CVE-2019-14615” : Bugs : linux package : Ubuntu
The fix for the Linux kernel in Ubuntu 18.04 LTS for CVE-2019-14615 (“The Linux kernel did not properly clear data structures on context switches for certain Intel graphics processors.”) was discovered to be incomplete, meaning that in versions of the kernel before 4.15.0-91.92, an attacker could use this vulnerability to expose sensitive information.
[Impact]
Gregory Herrero reported that the proof-of-concept for CVE-2019-14615 indicates that the information leak is not fixed in the Bionic 4.15 kernel as indicated by USN-4255-1:
https://usn.ubuntu.com/4255-1/
This only affects Ubuntu’s 4.15 kernel series. Xenial (4.4), Disco (5.0), Eoan (5.3), and Focal (5.4) are not affected by this incomplete fix issue.
I’ve verified this by testing each Ubuntu release with the proof-of-concept. I then tested vanilla 4.15 with commit bc8a76a152c5 (“drm/i915/gen9: Clear residual context state on context switch”) applied, which is the fix for CVE-2019-14615, and verified that the proof-of-concept showed that the info leak was still possible. I then tested vanilla 4.16 with commit bc8a76a152c5 applied to verify that the proof-of-concept showed that the info leak was fixed.
After bisecting changes to the DRM subsystem as well as the i915 driver, it looks like commit d2b4b97933f5 (“drm/i915: Record the default hw state after reset upon load”) as well as its prerequisites are necessary to fully fix CVE-2019-14615 in 4.15 based kernels.
[Test Case]
A proof-of-concept for CVE-2019-14615 became available once the issue was made public. It can be found here:
https://github.com/HE-Wenjian/iGPU-Leak
Steps to use the proof-of-concept:
$ git clone https://github.com/HE-Wenjian/iGPU-Leak.git
In one terminal
$ cd iGPU-Leak/demo/SLM_Leak/
$ ./run_victim.sh
In another terminal
$ cd iGPU-Leak/demo/SLM_Leak/
$ ./run_attacker.sh
In the terminal running run_attacker.sh, ensure that all data dumped to the terminal is zeros and that there is no non-zero data. You’ll have to closely monitor the script for a minute or so to ensure that the information leak is not possible.
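As an added example (not part of the Ubuntu bug report or the iGPU-Leak project), the following POSIX shell script decides from a kernel release string whether a Bionic 4.15 kernel predates the complete fix, so a fleet can be triaged without running the proof-of-concept. It assumes the Ubuntu release format reported by uname -r ("<version>-<abi>-<flavour>") and that ABI 91 corresponds to the fixed package 4.15.0-91.92; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the bug report: classify an Ubuntu kernel release
# string for CVE-2020-8832. The fixed package is 4.15.0-91.92, whose ABI
# number is 91; `uname -r` on Ubuntu reports "<version>-<abi>-<flavour>",
# e.g. "4.15.0-88-generic". Only the 4.15 series is affected.

# Prints "affected", "fixed", "not-4.15" or "unknown" for the given string.
i915_cve_2020_8832_status() {
    rel="$1"
    base="${rel%%-*}"           # "4.15.0"
    rest="${rel#*-}"            # "88-generic"
    abi="${rest%%-*}"           # "88"

    case "$base" in
        4.15.*) ;;                          # the affected series
        *) echo "not-4.15"; return 0 ;;     # Xenial 4.4, Disco 5.0, etc.
    esac

    case "$abi" in
        ''|*[!0-9]*) echo "unknown"; return 0 ;;   # no numeric ABI field
    esac

    if [ "$abi" -lt 91 ]; then
        echo "affected"                     # before 4.15.0-91.92
    else
        echo "fixed"
    fi
}

# Same decision made from the installed package version via dpkg (assumed
# present on Ubuntu); compares against the fixed version 4.15.0-91.92.
i915_cve_2020_8832_pkg_status() {
    rel="$(uname -r)"
    case "$rel" in 4.15.*) ;; *) echo "not-4.15"; return 0 ;; esac
    ver="$(dpkg-query -W -f='${Version}' "linux-image-$rel" 2>/dev/null)" || {
        echo "unknown"; return 0; }
    if dpkg --compare-versions "$ver" lt 4.15.0-91.92; then
        echo "affected"
    else
        echo "fixed"
    fi
}

# Run directly with --self to check the running kernel.
if [ "${1:-}" = "--self" ]; then
    echo "release: $(i915_cve_2020_8832_status "$(uname -r)")"
    echo "package: $(i915_cve_2020_8832_pkg_status)"
fi
```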
[Regression Potential]
High as the changes are complex in comparison to the typical SRU. However, the bulk of the change is to the initialization stages of the driver and we’re just pulling back changes that landed in 4.16-rc1 to our 4.15 kernel. I don’t see any later Fixes tags that reference the needed commits.