* Linux kernel: drivers/gpu/drm/i915/i915_gem.c: i915_gem_pread_ioctl similar Double-Fetch bug
@ 2017-12-16 14:34 sohu0106
  2017-12-18  8:04 ` Jani Nikula
  0 siblings, 1 reply; 3+ messages in thread
From: sohu0106 @ 2017-12-16 14:34 UTC (permalink / raw)
  To: jani.nikula, joonas.lahtinen, rodrigo.vivi; +Cc: intel-gfx

Hi,


I found a similar Double-Fetch bug in drivers/gpu/drm/i915/i915_gem.c when I was examining the source code.

In function i915_gem_pread_ioctl(), the driver checks the user space data pointer data_ptr via access_ok() at line 694, and after running for a while, in function shmem_pread_slow at line 657 or shmem_pread_fast at line 639, it finally uses __copy_to_user without checking the user space pointer.

If args->data_ptr is modified by a user thread in a race between the check and the __copy_to_user operations, for example by changing it to a kernel address, this will lead to arbitrary kernel address writing (caused by __copy_to_user()).

I am looking forward to a reply on this, thank you!

_______________________________________________
Intel-gfx mailing list
Intel-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/intel-gfx


* Re: Linux kernel: drivers/gpu/drm/i915/i915_gem.c: i915_gem_pread_ioctl similar Double-Fetch bug
  2017-12-16 14:34 Linux kernel: drivers/gpu/drm/i915/i915_gem.c: i915_gem_pread_ioctl similar Double-Fetch bug sohu0106
@ 2017-12-18  8:04 ` Jani Nikula
  2017-12-18 11:48   ` Re: " sohu0106
  0 siblings, 1 reply; 3+ messages in thread
From: Jani Nikula @ 2017-12-18  8:04 UTC (permalink / raw)
  To: sohu0106, joonas.lahtinen, rodrigo.vivi; +Cc: intel-gfx

On Sat, 16 Dec 2017, sohu0106 <sohu0106@126.com> wrote:
> I found a similar Double-Fetch bug in drivers/gpu/drm/i915/i915_gem.c
> when I was examining the source code.

Similar to what?

> In function i915_gem_pread_ioctl(), the driver checks the user space
> data pointer data_ptr via access_ok() at line 694, and after running
> for a while, in function shmem_pread_slow at line 657 or
> shmem_pread_fast at line 639, it finally uses __copy_to_user without
> checking the user space pointer.
>
> If args->data_ptr is modified by a user thread in a race between the
> check and the __copy_to_user operations, for example by changing it to
> a kernel address, this will lead to arbitrary kernel address writing
> (caused by __copy_to_user()).

See drm_ioctl() for why this is not a possible scenario.

BR,
Jani.

-- 
Jani Nikula, Intel Open Source Technology Center

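The distinction Jani points to, as an added example that is not part of this thread or of the i915 code: a constructed C model with a handler that validates the argument block through the user pointer and then re-reads it (the double-fetch shape) beside a drm_ioctl()-style handler that copies the block into kernel memory once before any check or use. The struct, the address ranges and the racing callback are invented stand-ins.

```c
#include <stdint.h>
#include <string.h>
/* Constructed model, not i915 code: the argument block of a pread-style
 * ioctl, an invented user/kernel address split, and two handler shapes. */
struct pread_args {
    uint64_t data_ptr;   /* user buffer the driver will copy into */
    uint64_t size;
};

#define USER_MIN     0x0000000000010000ULL
#define USER_MAX     0x00007fffffffffffULL
#define KERNEL_ADDR  0xffff888000001000ULL  /* stands in for any kernel address */
/* Simulates another user thread running inside the check-to-use window. */
typedef void (*race_fn)(struct pread_args *user_args);
/* Stand-in for access_ok(): is [ptr, ptr + size) entirely user memory? */
static int range_ok(uint64_t ptr, uint64_t size)
{ return ptr >= USER_MIN && ptr <= USER_MAX && size <= USER_MAX - ptr + 1; }

/* Double-fetch shape: validate through the user pointer, then re-read it.
 * Returns the address the copy would target, or 0 if the request is rejected. */
uint64_t pread_double_fetch(struct pread_args *user_args, race_fn race)
{
    if (!range_ok(user_args->data_ptr, user_args->size))  /* fetch #1 */
        return 0;
    if (race) race(user_args);                            /* the window */
    return user_args->data_ptr;                           /* fetch #2 */
}

/* drm_ioctl() shape: copy the block into kernel memory once (copy_from_user
 * in the real kernel); every later check and use reads the private copy. */
uint64_t pread_copy_once(struct pread_args *user_args, race_fn race)
{
    struct pread_args kargs;
    memcpy(&kargs, user_args, sizeof(kargs));
    if (!range_ok(kargs.data_ptr, kargs.size))
        return 0;
    if (race) race(user_args);          /* user copy changes; kargs does not */
    return kargs.data_ptr;
}

/* The racing thread from the report: swap the validated pointer for a kernel one. */
void swap_to_kernel(struct pread_args *user_args) { user_args->data_ptr = KERNEL_ADDR; }
/* One scenario: a valid request is submitted, then the race fires. */
uint64_t target_after_race(int copy_once)
{
    struct pread_args user_args = { .data_ptr = USER_MIN, .size = 4096 };
    return copy_once ? pread_copy_once(&user_args, swap_to_kernel)
                     : pread_double_fetch(&user_args, swap_to_kernel);
}
```

With the copy-once shape the racing thread only rewrites its own copy of the struct, so the target the kernel acts on stays the one that passed the check.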

* Re: Linux kernel: drivers/gpu/drm/i915/i915_gem.c: i915_gem_pread_ioctl similar Double-Fetch bug
  2017-12-18  8:04 ` Jani Nikula
@ 2017-12-18 11:48   ` sohu0106
  0 siblings, 0 replies; 3+ messages in thread
From: sohu0106 @ 2017-12-18 11:48 UTC (permalink / raw)
  To: Jani Nikula, joonas.lahtinen, rodrigo.vivi; +Cc: intel-gfx

[-- Attachment #1: Type: text/html, Size: 1973 bytes --]

[-- Attachment #2: Type: text/plain, Size: 160 bytes --]


