Re: Linux kernel: drivers/gpu/drm/i915/i915_gem.c: i915_gem_pread_ioctl similar Double-Fetch bug

Sent from my Huawei phone

I have seen that the user pointer is copied to a kernel temp struct before i915_gem_pread_ioctl is called.
Thanks for your reply.

-------- Original message --------
Subject: Re: Linux kernel: drivers/gpu/drm/i915/i915_gem.c: i915_gem_pread_ioctl similar Double-Fetch bug
From: Jani Nikula
To: sohu0106, joonas.lahtinen@xxxxxxxxxxxxxxx, rodrigo.vivi@xxxxxxxxx
Cc: intel-gfx@xxxxxxxxxxxxxxxxxxxxx


On Sat, 16 Dec 2017, sohu0106 wrote:
> I found a similar Double-Fetch bug in drivers/gpu/drm/i915/i915_gem.c
> when I was examining the source code. 

Similar to what?

> In function i915_gem_pread_ioctl(), the driver check user space data
> by pointer data_ptr via access_ok() in line 694, and after run a
> while, in function shmem_pread_slow in line 657 or shmem_pread_fast in
> line 639, finally it use __copy_to_user with no check user space
> pointer.
>
> If the args->data_ptr is modified by a user thread under race
> condition between the check and __copy_to_user operations, for example
> changing to a kernel address, this will lead to Arbitrary kernel
> address writing(caused by __copy_to_user() ).

See drm_ioctl() for why this is not a possible scenario.

BR,
Jani.

--
Jani Nikula, Intel Open Source Technology Center
_______________________________________________
Intel-gfx mailing list
Intel-gfx@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/intel-gfx
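The point of the exchange above is the difference between a handler that re-reads the ioctl argument struct from user memory (two fetches, so a racing thread can change the pointer between the access_ok() check and the copy) and the drm_ioctl() approach of copying the argument struct into kernel memory once and only ever using that copy. The following is an added user-space simulation written for this page, not code from the i915 driver or the kernel: `struct pread_args`, `sim_access_ok()`, `user_buf`, the handler functions and the `racing_thread` hook are all constructed stand-ins, and "user memory" is just an ordinary struct the test can mutate.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the ioctl argument struct (not the real i915 layout). */
struct pread_args {
    uint64_t data_ptr;   /* user-space destination pointer */
    uint64_t size;
};

/* Constructed stand-in for a user-space buffer; its address range is the only
 * region that sim_access_ok() treats as valid user memory. */
static char user_buf[64];

/* Stand-in for access_ok(): valid only if [ptr, ptr+size) lies inside user_buf. */
static int sim_access_ok(uint64_t ptr, uint64_t size) {
    uint64_t start = (uint64_t)(uintptr_t)user_buf;
    return ptr >= start && size <= sizeof(user_buf) && ptr + size <= start + sizeof(user_buf);
}

/* Hook that plays the role of a second user thread rewriting the argument
 * struct in the window between the check and the use. */
typedef void (*race_hook_fn)(struct pread_args *user_args);

/* Pattern A (double fetch): the handler reads the user-visible struct once for
 * the check and again for the use. Returns -1 if rejected up front, 1 if the
 * pointer finally used still passes the check, 0 if it no longer does. */
static int handler_double_fetch(struct pread_args *user_args, race_hook_fn race) {
    if (!sim_access_ok(user_args->data_ptr, user_args->size))
        return -1;
    if (race)
        race(user_args);                      /* the check-to-use window */
    uint64_t dst = user_args->data_ptr;       /* second fetch from user memory */
    return sim_access_ok(dst, user_args->size) ? 1 : 0;
}

/* Pattern B (single fetch, what drm_ioctl() does for the real driver): the
 * argument struct is copied into kernel memory first and every later read
 * uses the kernel copy, so a racing user thread cannot change the pointer. */
static int handler_single_fetch(struct pread_args *user_args, race_hook_fn race) {
    struct pread_args kargs;
    memcpy(&kargs, user_args, sizeof(kargs)); /* stands in for copy_from_user() */
    if (!sim_access_ok(kargs.data_ptr, kargs.size))
        return -1;
    if (race)
        race(user_args);                      /* user thread edits its own struct... */
    uint64_t dst = kargs.data_ptr;            /* ...but the kernel copy is unchanged */
    return sim_access_ok(dst, kargs.size) ? 1 : 0;
}

/* Constructed race: replace the pointer with a constructed out-of-range value. */
static void racing_thread(struct pread_args *user_args) {
    user_args->data_ptr = 0xffff800000000000ULL; /* placeholder kernel-looking address */
}

/* Run one scenario with a fresh, valid argument struct.
 * single_fetch: 1 selects pattern B, 0 selects pattern A.
 * with_race: 1 lets racing_thread() run inside the window. */
static int run_scenario(int single_fetch, int with_race) {
    struct pread_args args = { (uint64_t)(uintptr_t)user_buf, 16 };
    race_hook_fn hook = with_race ? racing_thread : NULL;
    return single_fetch ? handler_single_fetch(&args, hook)
                        : handler_double_fetch(&args, hook);
}

/* A struct that is already invalid is rejected by both patterns. */
static int run_bad_pointer(int single_fetch) {
    struct pread_args args = { 0xffff800000000000ULL, 16 };
    return single_fetch ? handler_single_fetch(&args, NULL)
                        : handler_double_fetch(&args, NULL);
}

int main(void) {
    printf("double fetch, no race : %d\n", run_scenario(0, 0));
    printf("double fetch, racing  : %d\n", run_scenario(0, 1));
    printf("single fetch, no race : %d\n", run_scenario(1, 0));
    printf("single fetch, racing  : %d\n", run_scenario(1, 1));
    return 0;
}
```

The only difference between the two handlers is where the second read of `data_ptr` comes from: pattern A reads user memory again and the racing hook wins, pattern B reads the kernel-side `kargs` and the hook has no effect. This is the property Jani is pointing at with drm_ioctl(): once the argument block has been copied in, the driver's later reads of `args->data_ptr` are reads of kernel memory.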
