oss-sec mailing list archives

Re: Linux Kernel: Missing access_ok() checks in IOCTL function (gpu/drm/i915 Driver)

From: Ben Hutchings <ben.hutchings () codethink co uk>
Date: Thu, 07 Feb 2019 18:13:25 +0000

On Thu, 2019-01-24 at 10:30 +0100, Yves-Alexis Perez wrote:

On Wed, 2019-01-23 at 14:28 -0600, Timothy Michaud wrote:

NOTE: I have requested a CVE identifier, and I'm sending this message, to
make tracking of the fix easier; however, to avoid missing security fixes
without CVE identifiers, you should *NOT* be cherry-picking a specific
patch in response to a notification about a kernel security bug.

Due to a lack of "access_ok()" checks in i915_gem_execbuffer2_ioctl[1], it
is possible to escalate privileges similar to the waitid vulnerability[2]


Hi, thanks for the report.

The patch doesn't seem CC: stable, could you give us a status on the various
stable releases?


Is there even a real security issue here?  So far as I can see,
i915_gem_execbuffer2_ioctl() writes to a subset of the user memory
range that it previously read using copy_from_user().  copy_from_user()
does include the range check.

Ben.

-- 
Ben Hutchings, Software Developer                         Codethink Ltd
https://www.codethink.co.uk/                 Dale House, 35 Dale Street
                                     Manchester, M1 2HF, United Kingdom

Current thread:

Linux Kernel: Missing access_ok() checks in IOCTL function (gpu/drm/i915 Driver) Timothy Michaud (Jan 23)
- Re: Linux Kernel: Missing access_ok() checks in IOCTL function (gpu/drm/i915 Driver) Yves-Alexis Perez (Jan 24)
- <Possible follow-ups>
- Re: Linux Kernel: Missing access_ok() checks in IOCTL function (gpu/drm/i915 Driver) Ben Hutchings (Feb 07)
  - Re: Linux Kernel: Missing access_ok() checks in IOCTL function (gpu/drm/i915 Driver) Timothy Michaud (Feb 07)