[PATCH v4.19.x] make 'user_access_begin()' do 'access_ok()'

Ashwin H ashwinh at vmware.com
Wed May 13 17:08:19 UTC 2020


> Ok, but what does that mean for us?
> 
> You need to say why you are sending a patch, otherwise we will guess wrong.

In drivers/gpu/drm/i915/i915_gem_execbuffer.c, ioctl functions do user_access_begin() without doing access_ok() (which checks if a user space pointer is valid) first.
A local attacker can craft a malicious ioctl function call to overwrite arbitrary kernel memory, resulting in a Denial of Service or privilege escalation (CVE-2018-20669).

This patch makes sure that user_access_begin always does access_ok. 
user_access_begin has been modified to do access_ok internally.

Thanks,
Ashwin
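
An added illustration, not part of the message above or of the patch itself: a user-space C model of why folding the range check into user_access_begin() removes the "caller forgot access_ok()" case. The address limit and every model_* name are assumptions made for this model; the real kernel helpers are architecture-specific.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed for this model: highest address user space may own. */
#define MODEL_USER_LIMIT 0x00007fffffffffffULL

static int model_uaccess_open; /* 1 while the user-access window is open */

/* Range check in the spirit of access_ok(): all of [addr, addr+len) must
 * lie below the limit, written so that addr+len can never wrap around. */
static bool model_access_ok(uint64_t addr, uint64_t len)
{
    if (len > MODEL_USER_LIMIT + 1)
        return false;
    return addr <= MODEL_USER_LIMIT + 1 - len;
}

/* Old shape: begin takes no arguments and checks nothing, so a caller
 * that skips the range check still gets the window opened. */
static int model_write_result_old(uint64_t user_ptr, uint64_t len)
{
    (void)user_ptr; (void)len;
    model_uaccess_open = 1;        /* user_access_begin() */
    /* ... unchecked stores through user_ptr would happen here ... */
    model_uaccess_open = 0;        /* user_access_end() */
    return 0;
}

/* New shape: the check is part of begin and cannot be skipped. */
static bool model_user_access_begin(uint64_t addr, uint64_t len)
{
    if (!model_access_ok(addr, len))
        return false;
    model_uaccess_open = 1;
    return true;
}

/* Caller pattern after the change: fail (EFAULT in the kernel) before
 * any store is attempted. */
static int model_write_result(uint64_t user_ptr, uint64_t len)
{
    if (!model_user_access_begin(user_ptr, len))
        return -1;
    model_uaccess_open = 0;        /* user_access_end() */
    return 0;
}

int main(void)
{
    uint64_t kaddr = 0xffff888000000000ULL; /* constructed kernel-range address */
    return (model_write_result_old(kaddr, 8) == 0 &&
            model_write_result(kaddr, 8) == -1) ? 0 : 1;
}
```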

