Submission to the Ubuntu kernel-team list: https://lists.ubuntu.com/archives/kernel-team/2020-February/107444.html
-- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1862840 Title: [Bionic] i915 incomplete fix for CVE-2019-14615 Status in linux package in Ubuntu: Invalid Status in linux source package in Bionic: In Progress Bug description: [Impact] Gregory Herrero reported that the proof-of-concept for CVE-2019-14615 indicates that the information leak is not fixed in the Bionic 4.15 kernel as indicated by USN-4255-1: https://usn.ubuntu.com/4255-1/ This only affects Ubuntu's 4.15 kernel series. Xenial (4.4), Disco (5.0), Eoan (5.3), and Focal (5.4) are not affected by this incomplete fix issue. I've verified this by testing each Ubuntu release with the proof-of- concept. I then tested vanilla 4.15 with commit bc8a76a152c5 ("drm/i915/gen9: Clear residual context state on context switch") applied, which is the fix for CVE-2019-14615, and verified that the proof-of-concept showed that the info leak was still possible. I then tested vanilla 4.16 with commit bc8a76a152c5 applied to verify that the proof-of-concept showed that the info leak was fixed. After bisecting changes to the DRM subsystem as well as the i915 driver, it looks like commit d2b4b97933f5 ("drm/i915: Record the default hw state after reset upon load") as well as its prerequisites are necessary to fully fix CVE-2019-14615 in 4.15 based kernels. [Test Case] A proof-of-concept for CVE-2019-14615 became available once the issue was made public. It can be found here: https://github.com/HE-Wenjian/iGPU-Leak Steps to use the proof-of-concept: $ git clone https://github.com/HE-Wenjian/iGPU-Leak.git # In one terminal $ cd iGPU-Leak/demo/SLM_Leak/ $ ./run_victim.sh # In another terminal $ cd iGPU-Leak/demo/SLM_Leak/ $ ./run_attacker.sh # In the terminal running run_attacker.sh, ensure that all data dumped # to the terminal is zeros and that there is no non-zero data. You'll # have to closely monitor the script for a minute or so to ensure that # the information leak is not possible. [Regression Potential] High as the changes are complex in comparison to the typical SRU. However, the bulk of the change is to the initialization stages of the driver and we're just pulling back changes that landed in 4.16-rc1 to our 4.15 kernel. I don't see any later Fixes tags that reference the needed commits. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1862840/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
