Description Eugene Teo (Security Response)
2010-09-27 06:24:50 UTC
Description of problem:
Kees found a flaw in the i915 GEM ioctl interface that does not check destination addresses during memory copies, allowing arbitrary memory writes into the kernel. The flaws are in drivers/gpu/drm/i915/i915_gem.c in i915_gem_pread_ioctl() and i915_gem_pwrite_ioctl(), which do no access_ok() checks on args->data_ptr. (Actually, there is one check path: i915_gem_gtt_pwrite_fast() does the check, but none of the other helpers do.)
Acknowledgements:
Red Hat would like to thank Kees Cook for reporting this issue.
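The range check the description says is missing, as a user-space C model added here for illustration; it is not code from the kernel or from this report. USER_LIMIT, the size field, and every function name are assumptions; only data_ptr comes from the report. It validates the user range once at the ioctl entry point, before any copy helper runs, and shows why the comparison must be overflow-safe.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model value: user space is [0, USER_LIMIT). */
#define USER_LIMIT   0x0000800000000000ULL
#define EFAULT_MODEL 14

/* Model of the ioctl argument; only data_ptr is named in the report. */
struct pread_args_model {
    uint64_t data_ptr;   /* user-supplied destination address */
    uint64_t size;       /* user-supplied length (assumed field) */
};

/* Naive check: addr + size can wrap past 2^64 and look small. */
static bool user_range_ok_naive(uint64_t addr, uint64_t size)
{
    return addr + size <= USER_LIMIT;
}

/* Overflow-safe check: never adds two user-controlled values. */
static bool user_range_ok(uint64_t addr, uint64_t size)
{
    if (size > USER_LIMIT)
        return false;
    return addr <= USER_LIMIT - size;
}

/* Entry-point validation: reject the request before dispatching to any
 * copy helper, so no helper path is left unchecked. */
static int pread_ioctl_checked(const struct pread_args_model *args)
{
    if (args->size == 0)
        return 0;
    if (!user_range_ok(args->data_ptr, args->size))
        return -EFAULT_MODEL;
    return 0;            /* copy helpers would run here */
}

int main(void)
{
    /* Constructed inputs: a user buffer and a kernel-half address. */
    struct pread_args_model good = { 0x00007f0000001000ULL, 4096 };
    struct pread_args_model bad  = { 0xffff880000000000ULL, 4096 };
    printf("user buffer: %d, kernel address: %d\n",
           pread_ioctl_checked(&good), pread_ioctl_checked(&bad));
    return 0;
}
```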
Comment 3 Eugene Teo (Security Response)
2010-09-27 07:01:09 UTC
Statement:
The Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, 5, and Red Hat Enterprise MRG did not include support for Graphics Execution Manager (GEM) in the i915 driver, and therefore are not affected by this issue.
Comment 4 Eugene Teo (Security Response)
2010-10-12 06:54:03 UTC