*** This bug is a security vulnerability ***

Public security bug reported:

[Impact]

Gregory Herrero reported that the proof-of-concept for CVE-2019-14615
indicates that the information leak is not fixed in the Bionic 4.15
kernel as indicated by USN-4255-1:

 https://usn.ubuntu.com/4255-1/

This only affects Ubuntu's 4.15 kernel series. Xenial (4.4), Disco
(5.0), Eoan (5.3), and Focal (5.4) are not affected by this incomplete
fix issue.

I've verified this by testing each Ubuntu release with the
proof-of-concept. I then tested vanilla 4.15 with commit bc8a76a152c5
("drm/i915/gen9: Clear residual context state on context switch")
applied, which is the fix for CVE-2019-14615, and verified that the
proof-of-concept showed that the info leak was still possible. I then
tested vanilla 4.16 with commit bc8a76a152c5 applied to verify that the
proof-of-concept showed that the info leak was fixed.

After bisecting changes to the DRM subsystem as well as the i915 driver,
it looks like commit d2b4b97933f5 ("drm/i915: Record the default hw
state after reset upon load") as well as its prerequisites are necessary
to fully fix CVE-2019-14615 in 4.15-based kernels.

[Test Case]

A proof-of-concept for CVE-2019-14615 became available once the issue
was made public. It can be found here:

 https://github.com/HE-Wenjian/iGPU-Leak

Steps to use the proof-of-concept:

 $ git clone https://github.com/HE-Wenjian/iGPU-Leak.git

 # In one terminal
 $ cd iGPU-Leak/demo/SLM_Leak/
 $ ./run_victim.sh

 # In another terminal
 $ cd iGPU-Leak/demo/SLM_Leak/
 $ ./run_attacker.sh

 # In the terminal running run_attacker.sh, ensure that all data dumped
 # to the terminal is zeros and that there is no non-zero data. You'll
 # have to closely monitor the script for a minute or so to ensure that
 # the information leak is not possible.

[Regression Potential]

TODO
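
An added checker for the [Test Case] step that asks you to watch the run_attacker.sh output for a minute and confirm it is all zeros. This is example code written for this page, not part of the bug report or of the iGPU-Leak project; the whitespace-separated hex row format, the check_dump.py file name and the sample rows are assumptions.

```python
import re
import sys
import time

# Assumed output format (constructed; run_attacker.sh's real format may differ):
# each dumped row is whitespace-separated hex words, with or without "0x".
TOKEN = re.compile(r"^(?:0x)?[0-9a-fA-F]+$")

# Constructed sample rows: a clean run and a run where residual data shows up.
SAMPLE_CLEAN = ["0x00 0x00 0x00 0x00", "00 00 00 00"]
SAMPLE_LEAK = ["0x00 0x00 0x00 0x00", "0x00 0x41 0x00 0x00", "0 0 0 7"]


def nonzero_tokens(lines):
    """Return (line_number, token) for every hex-looking word that is not zero."""
    # Dump rows are assumed to hold only numbers; a prose word spelled with hex
    # letters only ("add", "beef") would be counted too, so strip status text.
    hits = []
    for n, line in enumerate(lines, 1):
        for tok in line.split():
            if TOKEN.match(tok) and int(tok, 16) != 0:
                hits.append((n, tok))
    return hits


def dump_is_clean(lines):
    """True when no non-zero value appears anywhere in the dump."""
    return not nonzero_tokens(lines)


def monitor(stream, seconds=60.0):
    """Scan a line stream until it ends or `seconds` elapse; returns (lines, hits)."""
    deadline = time.monotonic() + seconds
    hits, seen = [], 0
    for line in stream:
        seen += 1
        hits.extend((seen, tok) for _, tok in nonzero_tokens([line]))
        if time.monotonic() >= deadline:
            break
    return seen, hits


if __name__ == "__main__":
    # Usage: timeout 60 ./run_attacker.sh | python3 check_dump.py [seconds]
    budget = float(sys.argv[1]) if len(sys.argv) > 1 else 60.0
    seen, hits = monitor(sys.stdin, budget)
    if hits:
        print(f"LEAK: {len(hits)} non-zero values in {seen} lines, first {hits[:5]}")
        sys.exit(1)
    print(f"clean: {seen} lines scanned, all zeros")
```

Wrapping the attacker script in `timeout` matters: the deadline is only checked after each line, so a pipe that stops producing output would otherwise block the checker.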

** Affects: linux (Ubuntu)
     Importance: High
     Assignee: Tyler Hicks (tyhicks)
         Status: Invalid

** Affects: linux (Ubuntu Bionic)
     Importance: High
     Assignee: Tyler Hicks (tyhicks)
         Status: In Progress

** Also affects: linux (Ubuntu Bionic)
   Importance: Undecided
       Status: New

** Changed in: linux (Ubuntu Bionic)
       Status: New => In Progress

** Changed in: linux (Ubuntu Bionic)
   Importance: Undecided => High

** Changed in: linux (Ubuntu Bionic)
     Assignee: (unassigned) => Tyler Hicks (tyhicks)

** Changed in: linux (Ubuntu)
       Status: In Progress => Invalid


-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1862840

Title:
  [Bionic] i915 incomplete fix for CVE-2019-14615

Status in linux package in Ubuntu:
  Invalid
Status in linux source package in Bionic:
  In Progress
