[Bionic] i915 incomplete fix for CVE-2019-14615

Bug #1862840 reported by Tyler Hicks on 2020-02-11
Affects: linux (Ubuntu)
  Status: Invalid
  Importance: High
  Assigned to: Tyler Hicks
Affects: linux (Ubuntu Bionic)
  Status: Fix Released
  Importance: High
  Assigned to: Tyler Hicks

Bug Description

[Impact]

Gregory Herrero reported that the proof-of-concept for CVE-2019-14615 indicates that the information leak is not fixed in the Bionic 4.15 kernel as indicated by USN-4255-1:

 https://usn.ubuntu.com/4255-1/

This only affects Ubuntu's 4.15 kernel series. Xenial (4.4), Disco (5.0), Eoan (5.3), and Focal (5.4) are not affected by this incomplete fix issue.

I've verified this by testing each Ubuntu release with the proof-of-concept. I then tested vanilla 4.15 with commit bc8a76a152c5 ("drm/i915/gen9: Clear residual context state on context switch") applied, which is the fix for CVE-2019-14615, and verified that the proof-of-concept showed that the info leak was still possible. I then tested vanilla 4.16 with commit bc8a76a152c5 applied to verify that the proof-of-concept showed that the info leak was fixed.

After bisecting changes to the DRM subsystem as well as the i915 driver, it looks like commit d2b4b97933f5 ("drm/i915: Record the default hw state after reset upon load") as well as its prerequisites are necessary to fully fix CVE-2019-14615 in 4.15 based kernels.

[Test Case]

A proof-of-concept for CVE-2019-14615 became available once the issue was made public. It can be found here:

 https://github.com/HE-Wenjian/iGPU-Leak

Steps to use the proof-of-concept:

 $ git clone https://github.com/HE-Wenjian/iGPU-Leak.git

 # In one terminal
 $ cd iGPU-Leak/demo/SLM_Leak/
 $ ./run_victim.sh

 # In another terminal
 $ cd iGPU-Leak/demo/SLM_Leak/
 $ ./run_attacker.sh

 # In the terminal running run_attacker.sh, ensure that all data dumped
 # to the terminal is zeros and that there is no non-zero data. You'll
 # have to closely monitor the script for a minute or so to ensure that
 # the information leak is not possible.

[Regression Potential]

High, as the changes are complex in comparison to the typical SRU. However, the bulk of the change is to the initialization stages of the driver and we're just pulling back changes that landed in 4.16-rc1 to our 4.15 kernel. I don't see any later Fixes tags that reference the needed commits.
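The harness below is an added example written for this page; it is not part of the bug report, of the Ubuntu kernel tree or of the iGPU-Leak project. It automates the [Test Case] above: it starts run_victim.sh, runs run_attacker.sh for a fixed period and scans the attacker's output, so the "watch the terminal for a minute or so" step becomes a pass/fail result that can be run against both the unfixed kernel and the -proposed one. Everything about the PoC's output is an assumption, not a fact taken from the project: it assumes run_attacker.sh prints the recovered data as whitespace-separated hexadecimal tokens (00, 0x00, 00000000), optionally preceded by an address label ending in a colon; the POC_DIR default, the DURATION default and the use of coreutils timeout are assumptions as well.

```shell
#!/bin/sh
# Added verification harness for the CVE-2019-14615 / CVE-2020-8832 test case.
# Not part of the bug report or of the iGPU-Leak project.
# Assumptions (not taken from the PoC): run_attacker.sh prints the recovered
# data as whitespace-separated hex tokens ("00", "0x00", "00000000"), possibly
# preceded by an address label ending in ":"; coreutils timeout is installed.
# Adjust scan_dump() if the real output format differs.

POC_DIR="${POC_DIR:-$HOME/iGPU-Leak/demo/SLM_Leak}"   # where the clone lives (assumed)
DURATION="${DURATION:-90}"                            # seconds to watch; the bug says "a minute or so"

# scan_dump: read attacker output on stdin and classify it.
#   returns 0  every hex token was all zeros (no leak observed)
#   returns 1  at least one hex token had a non-zero digit (leak)
#   returns 2  no hex token seen at all (attacker printed nothing usable, not a pass)
# Runs in a subshell so "set -f" (no pathname expansion of tokens) stays local.
scan_dump() (
    set -f
    total=0
    nonzero=0
    while read -r line; do
        for tok in $line; do
            case "$tok" in
                *:) continue ;;                 # "0x1000:" style address label, not data
            esac
            tok="${tok%,}"                      # tolerate "00," list separators
            case "$tok" in
                0x*|0X*) tok="${tok#0?}" ;;     # strip a 0x prefix
            esac
            case "$tok" in
                ""|*[!0-9a-fA-F]*) continue ;;  # not a hex token (status text etc.)
            esac
            total=$((total + 1))
            case "$tok" in
                *[1-9a-fA-F]*) nonzero=$((nonzero + 1)) ;;
            esac
        done
    done
    [ "$total" -gt 0 ] || return 2
    [ "$nonzero" -eq 0 ]
)

# run_leak_check: drive the PoC exactly as the test case describes and feed the
# attacker's output to scan_dump. Exit status is scan_dump's (3 if POC_DIR is missing).
run_leak_check() {
    cd "$POC_DIR" || return 3
    ./run_victim.sh >/dev/null 2>&1 &
    victim=$!
    sleep 2                                     # give the victim time to start submitting work
    timeout "$DURATION" ./run_attacker.sh 2>/dev/null | scan_dump
    rc=$?
    kill "$victim" 2>/dev/null
    wait "$victim" 2>/dev/null
    return "$rc"
}

# Only drive the real PoC when explicitly asked: "sh leak_check.sh run".
if [ "${1:-}" = "run" ]; then
    if run_leak_check; then
        echo "PASS: only zeros observed for ${DURATION}s"
    else
        rc=$?
        case "$rc" in
            1) echo "FAIL: non-zero data observed, information leak still possible" ;;
            2) echo "FAIL: attacker produced no data, check the PoC setup" ;;
            *) echo "ERROR: could not run the PoC from $POC_DIR (rc=$rc)" ;;
        esac
        exit "$rc"
    fi
fi
```

Run it as "sh leak_check.sh run" on the kernel under test, once with the original 4.15 kernel (expect FAIL with non-zero data) and once with the -proposed kernel (expect PASS). An attacker that prints no hex data at all is reported as a failure rather than a pass, because a silent attacker has not demonstrated that the leak is closed; that is also why the scan keys on data tokens and ignores address labels, so a non-zero address is never mistaken for leaked content.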


Tyler Hicks (tyhicks) on 2020-02-11
Changed in linux (Ubuntu Bionic):
status: New → In Progress
importance: Undecided → High
assignee: nobody → Tyler Hicks (tyhicks)
Changed in linux (Ubuntu):
status: In Progress → Invalid
description: updated
Tyler Hicks (tyhicks) on 2020-02-11
description: updated
Seth Arnold (seth-arnold) wrote :

Please use CVE-2020-8832 for this issue. Thanks.

Tyler Hicks (tyhicks) wrote :

I've pushed a set of proposed backports which prevents the information leak when running the proof-of-concept code:

 https://git.launchpad.net/~tyhicks/ubuntu/+source/linux/+git/bionic/log/?h=cves/CVE-2020-8832

Tyler Hicks (tyhicks) on 2020-02-13
description: updated
Tyler Hicks (tyhicks) wrote :
Changed in linux (Ubuntu Bionic):
status: In Progress → Fix Committed

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-bionic' to 'verification-done-bionic'. If the problem still exists, change the tag 'verification-needed-bionic' to 'verification-failed-bionic'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-bionic
Tyler Hicks (tyhicks) wrote :

I've verified that the proof-of-concept does not show an information leak when running 4.15.0-89.89-generic.

tags: added: verification-done-bionic
removed: verification-needed-bionic
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.15.0-91.92

---------------
linux (4.15.0-91.92) bionic; urgency=medium

  * bionic/linux: 4.15.0-91.92 -proposed tracker (LP: #1865109)

  * CVE-2020-2732
    - KVM: x86: emulate RDPID
    - KVM: nVMX: Don't emulate instructions in guest mode
    - KVM: nVMX: Refactor IO bitmap checks into helper function
    - KVM: nVMX: Check IO instruction VM-exit conditions

linux (4.15.0-90.91) bionic; urgency=medium

  * bionic/linux: 4.15.0-90.91 -proposed tracker (LP: #1864753)

  * dkms artifacts may expire from the pool (LP: #1850958)
    - [Packaging] autoreconstruct -- manage executable debian files
    - [packaging] handle downloads from the librarian better

linux (4.15.0-90.90) bionic; urgency=medium

  * bionic/linux: 4.15.0-90.90 -proposed tracker (LP: #1864753)

  * vm-segv from ubuntu_stress_smoke_test failed on B (LP: #1864063)
    - Revert "apparmor: don't try to replace stale label in ptrace access check"

linux (4.15.0-89.89) bionic; urgency=medium

  * bionic/linux: 4.15.0-89.89 -proposed tracker (LP: #1863350)

  * [SRU][B/OEM-B] Fix multitouch support on some devices (LP: #1862567)
    - HID: core: move the dynamic quirks handling in core
    - HID: quirks: move the list of special devices into a quirk
    - HID: core: move the list of ignored devices in hid-quirks.c
    - HID: core: remove the absolute need of hid_have_special_driver[]

  * [linux] Patch to prevent possible data corruption (LP: #1848739)
    - blk-mq: silence false positive warnings in hctx_unlock()

  * Add bpftool to linux-tools-common (LP: #1774815)
    - tools/bpftool: fix bpftool build with bintutils >= 2.9
    - bpftool: make libbfd optional
    - [Debian] Remove binutils-dev build dependency
    - [Debian] package bpftool in linux-tools-common

  * Root can lift kernel lockdown via USB/IP (LP: #1861238)
    - Revert "UBUNTU: SAUCE: (efi-lockdown) Add a SysRq option to lift kernel
      lockdown"

  * [Bionic] i915 incomplete fix for CVE-2019-14615 (LP: #1862840) //
    CVE-2020-8832
    - drm/i915: Use same test for eviction and submitting kernel context
    - drm/i915: Define an engine class enum for the uABI
    - drm/i915: Force the switch to the i915->kernel_context
    - drm/i915: Move GT powersaving init to i915_gem_init()
    - drm/i915: Move intel_init_clock_gating() to i915_gem_init()
    - drm/i915: Inline intel_modeset_gem_init()
    - drm/i915: Mark the context state as dirty/written
    - drm/i915: Record the default hw state after reset upon load

  * Bionic update: upstream stable patchset 2020-02-12 (LP: #1863019)
    - xfs: Sanity check flags of Q_XQUOTARM call
    - mfd: intel-lpss: Add default I2C device properties for Gemini Lake
    - powerpc/archrandom: fix arch_get_random_seed_int()
    - tipc: fix wrong timeout input for tipc_wait_for_cond()
    - mt7601u: fix bbp version check in mt7601u_wait_bbp_ready
    - crypto: sun4i-ss - fix big endian issues
    - drm/sti: do not remove the drm_bridge that was never added
    - drm/virtio: fix bounds check in virtio_gpu_cmd_get_capset()
    - ALSA: hda: fix unused variable warning
    - apparmor: don't try to replace stale label in ptrace access chec...

Changed in linux (Ubuntu Bionic):
status: Fix Committed → Fix Released