oss-sec mailing list archives
Re: Linux Kernel: Missing access_ok() checks in IOCTL function (gpu/drm/i915 Driver)
From: Ben Hutchings <ben.hutchings () codethink co uk>
Date: Thu, 07 Feb 2019 18:13:25 +0000
On Thu, 2019-01-24 at 10:30 +0100, Yves-Alexis Perez wrote:
On Wed, 2019-01-23 at 14:28 -0600, Timothy Michaud wrote:NOTE: I have requested a CVE identifier, and I'm sending this message, to make tracking of the fix easier; however, to avoid missing security fixes without CVE identifiers, you should *NOT* be cherry-picking a specific patch in response to a notification about a kernel security bug. Due to a lack of "access_ok()" checks in i915_gem_execbuffer2_ioctl[1], it is possible to escalate privileges similar to the waitid vulnerability[2]Hi, thanks for the report. The patch doesn't seem CC: stable, could you give us a status on the various stable releases?
Is there even a real security issue here? So far as I can see, i915_gem_execbuffer2_ioctl() writes to a subset of the user memory range that it previously read using copy_from_user(). copy_from_user() does include the range check. Ben. -- Ben Hutchings, Software Developer Codethink Ltd https://www.codethink.co.uk/ Dale House, 35 Dale Street Manchester, M1 2HF, United Kingdom
Current thread:
- Linux Kernel: Missing access_ok() checks in IOCTL function (gpu/drm/i915 Driver) Timothy Michaud (Jan 23)
- Re: Linux Kernel: Missing access_ok() checks in IOCTL function (gpu/drm/i915 Driver) Yves-Alexis Perez (Jan 24)
- <Possible follow-ups>
- Re: Linux Kernel: Missing access_ok() checks in IOCTL function (gpu/drm/i915 Driver) Ben Hutchings (Feb 07)
- Re: Linux Kernel: Missing access_ok() checks in IOCTL function (gpu/drm/i915 Driver) Timothy Michaud (Feb 07)