oss-sec mailing list archives

Linux Kernel: Missing access_ok() checks in IOCTL function (gpu/drm/i915 Driver)

From: Timothy Michaud <tmm08a () acu edu>
Date: Wed, 23 Jan 2019 14:28:51 -0600

NOTE: I have requested a CVE identifier, and I'm sending this message, to
make tracking of the fix easier; however, to avoid missing security fixes
without CVE identifiers, you should *NOT* be cherry-picking a specific
patch in response to a notification about a kernel security bug.

Due to a lack of "access_ok()" checks in i915_gem_execbuffer2_ioctl[1], it
is possible to escalate privileges similar to the waitid vulnerability[2]

This is CVE-2018-20669

[1] -
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=594cc251fdd0d231d342d88b2fdff4bc42fb0690
[2] - https://salls.github.io/Linux-Kernel-CVE-2017-5123/

Current thread:

Linux Kernel: Missing access_ok() checks in IOCTL function (gpu/drm/i915 Driver) Timothy Michaud (Jan 23)
- Re: Linux Kernel: Missing access_ok() checks in IOCTL function (gpu/drm/i915 Driver) Yves-Alexis Perez (Jan 24)
- <Possible follow-ups>
- Re: Linux Kernel: Missing access_ok() checks in IOCTL function (gpu/drm/i915 Driver) Ben Hutchings (Feb 07)
  - Re: Linux Kernel: Missing access_ok() checks in IOCTL function (gpu/drm/i915 Driver) Timothy Michaud (Feb 07)