speed47 / spectre-meltdown-checker

Reptar, Downfall, Zenbleed, ZombieLoad, RIDL, Fallout, Foreshadow, Spectre, Meltdown vulnerability/mitigation checker for Linux & BSD

New vulnerability: CVE-2019-14615 / INTEL-SA-00314 #340

Open johnnyapol opened 4 years ago

johnnyapol commented 4 years ago

"Insufficient control flow in certain data structures for some Intel(R) Processors with Intel(R) Processor Graphics may allow an unauthenticated user to potentially enable information disclosure via local access."

Intel Security Advisory: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00314.html

https://cve.mitre.org/cgi-bin/cvename.cgi?name=%20CVE-2019-14615

speed47 commented 4 years ago

Thanks for the notice. This CVE is part of the now-monthly batch of Intel CVEs, and this one is about the GPU part of the Intel CPU. As the fix is simply to update the driver, I won't implement it in spectre-meltdown-checker. Leaving this open and tagged as "information". For reference, the below commit is the fix.


commit 53b9bd37af59d1def99b20707536105857eb9bd0
Author: Akeem G Abodunrin <akeem.g.abodunrin@intel.com>
Date:   Wed Jan 8 09:34:16 2020 -0800

    drm/i915/gen9: Clear residual context state on context switch

    commit bc8a76a152c5f9ef3b48104154a65a68a8b76946 upstream.

    Intel ID: PSIRT-TA-201910-001
    CVEID: CVE-2019-14615

    Intel GPU Hardware prior to Gen11 does not clear EU state
    during a context switch. This can result in information
    leakage between contexts.

    For Gen8 and Gen9, hardware provides a mechanism for
    fast cleardown of the EU state, by issuing a PIPE_CONTROL
    with bit 27 set. We can use this in a context batch buffer
    to explicitly cleardown the state on every context switch.

    As this workaround is already in place for gen8, we can borrow
    the code verbatim for Gen9.

    Signed-off-by: Mika Kuoppala <mika.kuoppala@linux.intel.com>
    Signed-off-by: Akeem G Abodunrin <akeem.g.abodunrin@intel.com>
    Cc: Kumar Valsan Prathap <prathap.kumar.valsan@intel.com>
    Cc: Chris Wilson <chris.p.wilson@intel.com>
    Cc: Balestrieri Francesco <francesco.balestrieri@intel.com>
    Cc: Bloomfield Jon <jon.bloomfield@intel.com>
    Cc: Dutt Sudeep <sudeep.dutt@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/gpu/drm/i915/gt/intel_lrc.c b/drivers/gpu/drm/i915/gt/intel_lrc.c
index 1ba31969c7d2..4949b5ad860f 100644
--- a/drivers/gpu/drm/i915/gt/intel_lrc.c
+++ b/drivers/gpu/drm/i915/gt/intel_lrc.c
@@ -2132,6 +2132,14 @@ static u32 *gen9_init_indirectctx_bb(struct intel_engine_cs *engine, u32 *batch)
        /* WaFlushCoherentL3CacheLinesAtContextSwitch:skl,bxt,glk */
        batch = gen8_emit_flush_coherentl3_wa(engine, batch);

+       /* WaClearSlmSpaceAtContextSwitch:skl,bxt,kbl,glk,cfl */
+       batch = gen8_emit_pipe_control(batch,
+                                      PIPE_CONTROL_FLUSH_L3 |
+                                      PIPE_CONTROL_GLOBAL_GTT_IVB |
+                                      PIPE_CONTROL_CS_STALL |
+                                      PIPE_CONTROL_QW_WRITE,
+                                      slm_offset(engine));
+
        batch = emit_lri(batch, lri, ARRAY_SIZE(lri));

        /* WaMediaPoolStateCmdInWABB:bxt,glk */
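Review bot: the added block in gen9_init_indirectctx_bb is labelled only with the workaround name `WaClearSlmSpaceAtContextSwitch:skl,bxt,kbl,glk,cfl`, while the commit message describes it as the CVE-2019-14615 / PSIRT-TA-201910-001 fix for residual EU state leaking between contexts; a comment on the hunk referencing that (and naming which of `PIPE_CONTROL_FLUSH_L3`, `PIPE_CONTROL_GLOBAL_GTT_IVB`, `PIPE_CONTROL_CS_STALL` or `PIPE_CONTROL_QW_WRITE` is the "bit 27" cleardown the message relies on) would stop a later cleanup from treating it as an optional performance workaround. The commit message also says the code is borrowed verbatim from the gen8 path; since this is now a security mitigation maintained in two places, consider factoring the `gen8_emit_pipe_control(..., slm_offset(engine))` call into a shared helper used by both the gen8 and gen9 indirect-context batch builders so a future change to the flags or the `slm_offset` target cannot drift between them.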