Intel Linux Kernel Graphics Driver Patched For New Security Sensitive Bug
Intel has disclosed CVE-2022-4139, an incorrect GPU TLB flushing issue in its Linux kernel graphics driver. In some cases the engine's translation lookaside buffer (TLB) is not flushed at all. At a minimum this could lead to random memory corruption or data leaks; whether specific memory can be targeted has not yet been determined. All kernel versions from Linux 5.4 through today's latest releases are believed to be affected when using Intel Gen12 integrated/discrete graphics. This is an issue in Intel's driver rather than in the hardware itself.
The oss-sec list disclosure from Intel notes:
Incorrect GPU TLB flush code has been discovered in the i915 kernel driver.
In some cases (Gen12 hardware with specific types of engine) the engine's TLB is not flushed at all. Depending on whether the GPU is running behind an active IOMMU there are two possible scenarios which can happen, due to stale TLB mapping:
1. Without IOMMU - GPU can still access physical memory which could be already assigned by OS to different process.
2. With IOMMU - GPU can access any memory, if the malicious process is able to create/reuse necessary IOMMU mappings.
It is currently not known if specific memory could be targeted, but random memory corruption or data leaks are a known possibility.
All Intel integrated and discrete Gen12 GPUs are affected, including Tiger Lake, Rocket Lake, Alder Lake, DG1, Raptor Lake, DG2, Arctic Sound, Meteor Lake. A fix has already been developed and consists of fixing the method of writing to specific registers.
Linus Torvalds has just merged this five-line patch, which fixes TLB invalidation on Intel Gen12 graphics for the video and compute engines.
drm/i915: fix TLB invalidation for Gen12 video and compute engines
In case of Gen12 video and compute engines, TLB_INV registers are masked - to modify one bit, the corresponding bit in the upper half of the register must be enabled, otherwise nothing happens.
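To make the commit message concrete, the following C model shows the write semantics of a "masked" register and why a plain write of the request bit silently does nothing. This is an added illustration, not code from the i915 driver or the patch: the register model, the masked_reg_write() function and the TLB_INV_REQUEST bit position are constructed for the demonstration. The helper masked_bit_enable() has the same shape as i915's _MASKED_BIT_ENABLE macro (mask in the upper 16 bits, value in the lower 16 bits), but it is a local reimplementation.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Model of a masked 32-bit MMIO register, as described in the commit message:
 * the lower 16 bits carry the value, the upper 16 bits carry a write mask.
 * On a write, only those lower bits whose mask bit (same position + 16) is
 * set are updated; every other bit keeps its previous value.
 */
struct masked_reg {
    uint32_t value;   /* current 16-bit contents, kept in the low half */
};

/* Hypothetical request bit of a TLB_INV register; the real bit position is
 * not given on the page, so bit 0 is used purely for illustration. */
#define TLB_INV_REQUEST  (1u << 0)

/* Build a write word that sets 'bits': mask in the upper half, value below
 * (same shape as i915's _MASKED_BIT_ENABLE, reimplemented locally). */
static inline uint32_t masked_bit_enable(uint16_t bits)
{
    return ((uint32_t)bits << 16) | bits;
}

/* Build a write word that clears 'bits': mask set, value bits zero. */
static inline uint32_t masked_bit_disable(uint16_t bits)
{
    return (uint32_t)bits << 16;
}

/* Apply the hardware write rule: only masked positions change. */
static void masked_reg_write(struct masked_reg *r, uint32_t word)
{
    uint32_t mask = word >> 16;
    uint32_t val  = word & 0xffffu;

    r->value = (r->value & ~mask) | (val & mask);
}

/* Start from 'initial', perform one write of 'word', return the result. */
uint32_t masked_write_result(uint16_t initial, uint32_t word)
{
    struct masked_reg r = { .value = initial };

    masked_reg_write(&r, word);
    return r.value;
}

/*
 * Does a TLB invalidation request land in the register?
 * use_masked_write == 0 reproduces the pre-fix behaviour (plain write of the
 * bit, mask half empty, so nothing changes); != 0 reproduces the fix.
 */
int tlb_inv_request_takes_effect(int use_masked_write)
{
    uint32_t word = use_masked_write ? masked_bit_enable(TLB_INV_REQUEST)
                                     : TLB_INV_REQUEST;

    return (masked_write_result(0, word) & TLB_INV_REQUEST) != 0;
}

int main(void)
{
    printf("plain write  -> request bit set: %d\n",
           tlb_inv_request_takes_effect(0));   /* 0: the write is ignored */
    printf("masked write -> request bit set: %d\n",
           tlb_inv_request_takes_effect(1));   /* 1: the write lands */
    printf("clear bit 0 of 0xffff via mask -> 0x%04x\n",
           masked_write_result(0xffff, masked_bit_disable(0x1)));
    return 0;
}
```

The pre-fix path is the interesting one for a defender: the driver believed it had requested an invalidation, no error was reported, and the stale TLB entries simply stayed in place. A check that reads the register back after the write (and a test that exercises the write helper against a register model like this one) would have caught the silent no-op.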
This small patch should be back-ported to the Linux stable series in short order.