Re: Linux Kernel: Missing access_ok() checks in IOCTL function (gpu/drm/i915 Driver)

[Timothy Michaud <tmm08a () acu edu>]

Hi Ben,

I believe you're correct. (grsecurity agrees with you for what it's worth).
I've emailed mitre but have not heard back yet.

Cheers,

Tim M.

On Thu, Feb 7, 2019 at 12:13 PM Ben Hutchings <ben.hutchings () codethink co uk>
wrote:

> On Thu, 2019-01-24 at 10:30 +0100, Yves-Alexis Perez wrote:
> > On Wed, 2019-01-23 at 14:28 -0600, Timothy Michaud wrote:
> > > NOTE: I have requested a CVE identifier, and I'm sending this message,
> to
> > > make tracking of the fix easier; however, to avoid missing security
> fixes
> > > without CVE identifiers, you should *NOT* be cherry-picking a specific
> > > patch in response to a notification about a kernel security bug.
> > >
> > > Due to a lack of "access_ok()" checks in
> i915_gem_execbuffer2_ioctl[1], it
> > > is possible to escalate privileges similar to the waitid
> vulnerability[2]
> > Hi, thanks for the report.
> >
> > The patch doesn't seem CC: stable, could you give us a status on the
> various
> > stable releases?
>
> Is there even a real security issue here?  So far as I can see,
> i915_gem_execbuffer2_ioctl() writes to a subset of the user memory
> range that it previously read using copy_from_user().  copy_from_user()
> does include the range check.
>
> Ben.
>
> --
> Ben Hutchings, Software Developer                         Codethink Ltd
> https://www.codethink.co.uk/                 Dale House, 35 Dale Street
>                                      Manchester, M1 2HF, United Kingdom