CVE-2019-0155 and CVE-2019-0154 - i915 Graphic Driver flaws

Updated -

Overview

Red Hat is aware of two flaws in the i915 graphics hardware requiring updates to the Linux kernel. These vulnerabilities only apply to a subset of x86-64 systems using Intel processors with embedded i915 based GPU’s.

The first issue, assigned CVE-2019-0155 and is rated Important, allows a local attacker to bypass conventional memory security restrictions. This allows write access to privileged memory that would otherwise be inaccessible.

The second issue, assigned CVE-2019-0154 and is rated Moderate, allows an unprivileged, local attacker to create an invalid state while the GPU is in low-power mode. This allows the system to become inaccessible and requires a system restart to resume normal operations.

Background

The i915 kernel code covers a diverse range of chips for the on-die CPU/GPU combination shipped by Intel in many products. This driver is widely used since the Pentium 4 processor and has had various levels of improvements throughout the life of the product.

The affected GPUs are not an external PCI-E card, but is instead an on-die CPU component. This graphics card requires motherboard support which provides the physical connection mechanism to the output device.

These flaws do not affect all i915-based hardware. Consult the Determine Vulnerability section below to determine if your system is affected.

Determine Vulnerability

  • The specific hardware is only available on the i915 kernel module. Other graphics cards are not affected. The lsmod command will show if the i915 kernel module is in use.
$ lsmod | grep ^i915
i915                2248704  10

If the lsmod command returns a line starting with i915 then continue, otherwise you are not affected.

  • Find the CPU model provided by your system. The example below is an “Intel Core i7-7600U”.
$ cat /proc/cpuinfo |grep "model name" |head -n 1
model name    : Intel(R) Core(TM) i7-7600U CPU @ 2.80GHz
  • Determine the hardware generation with instructions from Intel’s instructions ( See Intel’s Processor number identification guide)

  • Compare the processor “Brand” and “Generation identifier” to the list of affected configurations below.

Affected Configurations

The systems affected by CVE-2019-0154 are:

  • Red Hat Enterprise Linux 6 ( kernel-2.6.32-612.el6 and later)
  • Red Hat Enterprise Linux 7 ( kernel-3.10.0-422.el7 and later)
  • Red Hat Enterprise Linux 8

Red Hat Enterprise Linux 7.2 (and z streams) and earlier are not affected by default and is only affected if the system is booted with the kernel parameter i915.preliminary_hw_support=1. This parameter is not enabled by default.

Running on hardware:

  • Ivy Bridge (Intel Core Generation 7 CPUs and later
  • Cherry Trail (Intel Core Generation 8 CPUs) and later
  • Intel XEON E3-1200 and later product families

The systems affected by CVE-2019-0155 are:

  • Red Hat Enterprise Linux 7 ( kernel-3.10.0-422.el7 and later)
  • Red Hat Enterprise Linux 8

Running on hardware:

  • Sky Lake and Apollo Lake (Intel Core Generation 9 CPUS) and later
  • Intel Xeon Processor (E3-1500 v5) family

Systems containing chipsets earlier than the above listed in the same family are not affected. Other graphics card vendors are not affected by this flaw.

Resolution

A kernel update that will solve the issue will be released for all Red Hat Enterprise Linux releases that qualify for an update.

Acknowledgements

Red Hat thanks Intel and their industry partner for reporting this issue.

Frequently Asked Questions

Q: Will blacklisting the kernel module provide mitigation ?

A: Preventing loading of the i915 kernel module will prevent attackers from using this exploit against the system; however, the power management functionality of the card will be disabled and the system may draw additional power. See “How do I blacklist a kernel module to prevent it from loading automatically?“ for instructions on how to disable a kernel module from autoloading. Graphical displays may also be at low resolution or not work correctly. This mitigation may not be suitable if running graphical tools locally is required.

Additional Information

List of Intel graphics processing units
About Intel Processor Numbers
Intel-SA-00242 for CVE-2019-0155
Intel-SA-00260 for CVE-2019-0154