On Sat, 16 Dec 2017, sohu0106 <sohu0106@xxxxxxx> wrote:
> I found a similar Double-Fetch bug in drivers/gpu/drm/i915/i915_gem.c
> when I was examining the source code.

Similar to what?

> In function i915_gem_pread_ioctl(), the driver checks user space data
> by pointer data_ptr via access_ok() in line 694, and after running for a
> while, in function shmem_pread_slow in line 657 or shmem_pread_fast in
> line 639, it finally uses __copy_to_user without checking the user space
> pointer.
>
> If the args->data_ptr is modified by a user thread under a race
> condition between the check and the __copy_to_user operations, for example
> changing it to a kernel address, this will lead to arbitrary kernel
> address writing (caused by __copy_to_user()).

See drm_ioctl() for why this is not a possible scenario.

BR,
Jani.

--
Jani Nikula, Intel Open Source Technology Center
_______________________________________________
Intel-gfx mailing list
Intel-gfx@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/intel-gfx
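The point of the reply is that drm_ioctl() copies the ioctl argument block into kernel memory once before the handler runs, so the handler's check and its later use of data_ptr read the same kernel-side copy rather than user memory twice. The following added example (not code from i915, drm_ioctl() or this thread) models that in plain user space: a double-fetch-shaped handler beside a snapshot-first handler, with a hook standing in for a racing thread scheduled between check and use. The struct, the address boundary and all function names are hypothetical stand-ins.

```c
/* Added example, not code from i915 or from the thread above.  It models the
 * double-fetch question in user space: a handler checks a pointer field of the
 * argument block, then uses it.  The hook stands in for a racing thread that
 * runs between check and use.  A drm_ioctl()-style dispatcher copies the block
 * once before the handler runs, so the rewrite never reaches it.
 * Names, struct layout and the address boundary are hypothetical stand-ins. */
#include <stddef.h>
#include <stdint.h>

struct pread_args { uintptr_t data_ptr; size_t size; };
typedef void (*window_hook)(struct pread_args *);

#define KERNEL_BASE 0xffff800000000000ULL  /* constructed user/kernel split */
#define USER_BUF    0x1000ULL              /* constructed benign user address */

/* Stand-in for access_ok(): accept only pointers below the kernel boundary. */
static int ptr_is_user(uintptr_t p) { return p < KERNEL_BASE; }

/* Models the racing user thread: rewrites data_ptr to a kernel address. */
static void racer_rewrites_ptr(struct pread_args *shared)
{
    shared->data_ptr = KERNEL_BASE + 0x1000;
}

/* Double-fetch shape: the check and the use each read the shared block.
 * Returns the pointer the copy routine would receive, or 0 if rejected. */
static uintptr_t handler_double_fetch(struct pread_args *shared, window_hook in_window)
{
    if (!ptr_is_user(shared->data_ptr))  /* first fetch: the check */
        return 0;
    in_window(shared);                   /* racer runs inside the window */
    return shared->data_ptr;             /* second fetch: the use */
}

/* drm_ioctl() style: snapshot the block once; the handler only sees the copy. */
static uintptr_t handler_snapshot(struct pread_args *shared, window_hook in_window)
{
    struct pread_args kdata = *shared;   /* stands in for copy_from_user() */
    if (!ptr_is_user(kdata.data_ptr))
        return 0;
    in_window(shared);                   /* racer still runs, but on the user copy */
    return kdata.data_ptr;               /* the value that passed the check */
}

/* 1 if the handler ends up using a kernel-range pointer, else 0. */
static int ends_in_kernel(uintptr_t (*h)(struct pread_args *, window_hook))
{
    struct pread_args shared = { USER_BUF, 16 };
    uintptr_t used = h(&shared, racer_rewrites_ptr);
    return used != 0 && !ptr_is_user(used);
}
```

ends_in_kernel(handler_double_fetch) returns 1 and ends_in_kernel(handler_snapshot) returns 0: with the argument block copied first, whatever the racing thread writes to user memory after the copy cannot change the value the handler checked.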