oss-sec mailing list archives
Re: Linux Kernel: Missing access_ok() checks in IOCTL function (gpu/drm/i915 Driver)
From: Timothy Michaud <tmm08a () acu edu>
Date: Thu, 7 Feb 2019 13:17:25 -0600
Hi Ben, I believe you're correct. (grsecurity agrees with you for what it's worth). I've emailed mitre but have not heard back yet. Cheers, Tim M. On Thu, Feb 7, 2019 at 12:13 PM Ben Hutchings <ben.hutchings () codethink co uk> wrote:
On Thu, 2019-01-24 at 10:30 +0100, Yves-Alexis Perez wrote:On Wed, 2019-01-23 at 14:28 -0600, Timothy Michaud wrote:NOTE: I have requested a CVE identifier, and I'm sending this message,tomake tracking of the fix easier; however, to avoid missing securityfixeswithout CVE identifiers, you should *NOT* be cherry-picking a specific patch in response to a notification about a kernel security bug. Due to a lack of "access_ok()" checks ini915_gem_execbuffer2_ioctl[1], itis possible to escalate privileges similar to the waitidvulnerability[2]Hi, thanks for the report. The patch doesn't seem CC: stable, could you give us a status on thevariousstable releases?Is there even a real security issue here? So far as I can see, i915_gem_execbuffer2_ioctl() writes to a subset of the user memory range that it previously read using copy_from_user(). copy_from_user() does include the range check. Ben. -- Ben Hutchings, Software Developer Codethink Ltd https://www.codethink.co.uk/ Dale House, 35 Dale Street Manchester, M1 2HF, United Kingdom
Current thread:
- Linux Kernel: Missing access_ok() checks in IOCTL function (gpu/drm/i915 Driver) Timothy Michaud (Jan 23)
- Re: Linux Kernel: Missing access_ok() checks in IOCTL function (gpu/drm/i915 Driver) Yves-Alexis Perez (Jan 24)
- <Possible follow-ups>
- Re: Linux Kernel: Missing access_ok() checks in IOCTL function (gpu/drm/i915 Driver) Ben Hutchings (Feb 07)
- Re: Linux Kernel: Missing access_ok() checks in IOCTL function (gpu/drm/i915 Driver) Timothy Michaud (Feb 07)