[Intel-gfx] Linux kernel: drivers/gpu/drm/i915/i915_gem.c: i915_gem_pread_ioctl similar Double-Fetch bug
sohu0106
sohu0106 at 126.com
Sat Dec 16 14:34:47 UTC 2017
Hi,
I found a similar Double-Fetch bug in drivers/gpu/drm/i915/i915_gem.c when I was examining the source code.
In the function i915_gem_pread_ioctl(), the driver checks the user-space data pointer data_ptr via access_ok() at line 694; after running for a while, in shmem_pread_slow() at line 657 or shmem_pread_fast() at line 639, it finally uses __copy_to_user() without checking the user-space pointer.
If args->data_ptr is modified by a user thread in a race between the check and the __copy_to_user() operation, for example by changing it to a kernel address, this will lead to an arbitrary kernel address write (caused by __copy_to_user()).
I am looking forward to a reply on this, thank you!
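The check-then-use sequence the mail describes, modelled in userland as an added example (this is not i915 driver code and not the poster's code; the struct layout, the toy address-space limits, the model_* helpers, the race hook and the run_scenario() driver are all assumptions). One handler re-reads the pointer field from user memory after checking it (the double fetch); the other copies the argument block into private memory once and checks and uses only that snapshot.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed example: a userland model of the check-then-use sequence
 * (access_ok() on a user pointer, later __copy_to_user()). Nothing here is
 * i915 code; struct layout, limits and names are assumed. */

#define MODEL_EFAULT 14

/* Stand-in for the ioctl argument block that lives in user memory. */
struct pread_args {
    uint64_t data_ptr;   /* user buffer the handler writes into */
    uint64_t size;
};

/* Toy address space: [0, USER_LIMIT) is user memory, above it is "kernel". */
#define USER_LIMIT 0x1000ull
#define KERNEL_SIZE 0x100ull
uint8_t model_user_mem[USER_LIMIT];
uint8_t model_kernel_mem[KERNEL_SIZE];

/* Model of access_ok(): the whole range must lie in user space. */
int model_access_ok(uint64_t ptr, uint64_t len)
{
    return ptr + len >= ptr && ptr + len <= USER_LIMIT;
}

/* Model of __copy_to_user(): performs no range check of its own and writes
 * wherever the address resolves, which is why the caller's check must cover
 * the address that is finally used. Returns 0 or EFAULT. */
int model_raw_copy_to_user(uint64_t dst, const void *src, size_t n)
{
    if (dst + n >= dst && dst + n <= USER_LIMIT) {
        memcpy(model_user_mem + dst, src, n);
        return 0;
    }
    if (dst >= USER_LIMIT && dst - USER_LIMIT + n <= KERNEL_SIZE) {
        memcpy(model_kernel_mem + (dst - USER_LIMIT), src, n); /* kernel write */
        return 0;
    }
    return MODEL_EFAULT;   /* unmapped in the toy address space */
}

/* Hook standing in for a sibling user thread that runs in the window between
 * the check and the use. It receives the user-visible args block. */
typedef void (*race_hook_t)(struct pread_args *user_args);

/* Double-fetch handler: checks the pointer read from user memory, then reads
 * the field from user memory AGAIN when it finally copies. */
int pread_double_fetch(struct pread_args *user_args, const void *payload,
                       race_hook_t between_check_and_use)
{
    if (!model_access_ok(user_args->data_ptr, user_args->size))   /* fetch 1 */
        return -MODEL_EFAULT;
    between_check_and_use(user_args);                             /* the window */
    return -model_raw_copy_to_user(user_args->data_ptr, payload,  /* fetch 2 */
                                   (size_t)user_args->size);
}

/* Single-fetch handler: snapshots the args block into private memory first
 * and checks and uses only that snapshot; later changes to the user copy
 * cannot influence the address that is written. */
int pread_single_fetch(struct pread_args *user_args, const void *payload,
                       race_hook_t between_check_and_use)
{
    struct pread_args args;
    memcpy(&args, user_args, sizeof(args));                       /* the one fetch */
    if (!model_access_ok(args.data_ptr, args.size))
        return -MODEL_EFAULT;
    between_check_and_use(user_args);                             /* same window */
    return -model_raw_copy_to_user(args.data_ptr, payload, (size_t)args.size);
}

/* Attacker-thread model: swap the buffer pointer for a "kernel" address. */
void flip_to_kernel_address(struct pread_args *user_args)
{
    user_args->data_ptr = USER_LIMIT + 0x10;
}

/* Run one scenario with a constructed 4-byte payload at user offset 0x100.
 * Returns the handler's result; the two arrays show where the payload landed. */
int run_scenario(int (*handler)(struct pread_args *, const void *, race_hook_t))
{
    static const uint8_t payload[4] = { 0xde, 0xad, 0xbe, 0xef };
    struct pread_args user_args = { .data_ptr = 0x100, .size = sizeof(payload) };
    memset(model_user_mem, 0, sizeof(model_user_mem));
    memset(model_kernel_mem, 0, sizeof(model_kernel_mem));
    return handler(&user_args, payload, flip_to_kernel_address);
}

int main(void)
{
    int r1 = run_scenario(pread_double_fetch);
    printf("double fetch: rc=%d kernel_mem[0x10]=0x%02x user_mem[0x100]=0x%02x\n",
           r1, model_kernel_mem[0x10], model_user_mem[0x100]);
    int r2 = run_scenario(pread_single_fetch);
    printf("single fetch: rc=%d kernel_mem[0x10]=0x%02x user_mem[0x100]=0x%02x\n",
           r2, model_kernel_mem[0x10], model_user_mem[0x100]);
    return 0;
}
```

Compile with cc and run: the double-fetch handler reports success while the payload lands in the model's kernel region, whereas the single-fetch handler writes to the buffer that was actually checked. The hook makes the window deterministic; in a real race the sibling thread flips the field in a loop and the outcome is probabilistic. The single-fetch shape, copying the argument block into kernel memory once before any check, is the standard way to make such a race irrelevant.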