use-after-free in i915_ppgtt_close
Bug #1859522 reported by Tyler Hicks
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
linux (Ubuntu) | Fix Released | High | Tyler Hicks |
Bionic | Fix Released | High | Tyler Hicks |
Disco | Fix Released | High | Tyler Hicks |
Bug Description
[Impact]
Quan Luo and ycq from Codesafe Team of Legendsec at Qi'anxin Group reported a use-after-free issue in the i915 driver. This issue has been fixed in the upstream kernel starting in v5.2 with the following commit:
The flaw was introduced in v4.14 with this change:
The problem can be fixed by expanding the usage of struct_mutex to include the GEM context lookup. A fix has been submitted to the upstream stable list:
https://<email address hidden>/T/#u
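The locking pattern this fix describes, as an added userspace model that is not the i915 code or the upstream patch. All names except `struct_mutex` are hypothetical, and the interleaving shown (two callers resolving the same handle before either takes the lock) is an assumed illustration of why a lookup outside the lock is unsafe; the report itself only states that the lock must cover the lookup.

```c
#include <errno.h>
#include <pthread.h>
#include <stdio.h>

/* Userspace model with hypothetical names; this is not i915 code. */
struct ctx { int id; int closed; };    /* closed=1 stands in for "freed" */

static pthread_mutex_t struct_mutex = PTHREAD_MUTEX_INITIALIZER;
static struct ctx pool[4];
static struct ctx *table[4];           /* handle -> context */
static int stale_uses;                 /* closes that reached a dead object */

static void reset(void) {
    for (int i = 0; i < 4; i++) { pool[i] = (struct ctx){ i, 0 }; table[i] = &pool[i]; }
    stale_uses = 0;
}

static struct ctx *lookup(int id) { return (id >= 0 && id < 4) ? table[id] : NULL; }
static void close_locked(struct ctx *c) {  /* caller holds struct_mutex */
    if (c->closed) stale_uses++;       /* in a kernel: use-after-free */
    c->closed = 1;
    table[c->id] = NULL;
}

/* Before: lookup outside the lock; two callers shown as interleaved steps. */
int racy_double_destroy(int id) {
    struct ctx *a = lookup(id);        /* caller A, unlocked */
    struct ctx *b = lookup(id);        /* caller B gets the same pointer */
    if (!a || !b) return -ENOENT;
    pthread_mutex_lock(&struct_mutex); close_locked(a); pthread_mutex_unlock(&struct_mutex);
    pthread_mutex_lock(&struct_mutex); close_locked(b); pthread_mutex_unlock(&struct_mutex);
    return stale_uses;
}

/* After: one critical section covers both lookup and close. */
int destroy_fixed(int id) {
    pthread_mutex_lock(&struct_mutex);
    struct ctx *c = lookup(id);
    if (c) close_locked(c);
    pthread_mutex_unlock(&struct_mutex);
    return c ? 0 : -ENOENT;
}

int main(void) {
    reset(); int stale = racy_double_destroy(1);
    reset(); int first = destroy_fixed(1), second = destroy_fixed(1);
    printf("racy: %d stale use; fixed: %d then %d\n", stale, first, second);
    return 0;
}
```

In the model the second close on the racy path touches a context that is already closed, which is where KASAN would report in a real kernel; with the lookup inside the critical section the second caller gets `-ENOENT` instead.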
[Test Case]
Enable KASAN and exercise the affected code path using the PoC provided by Quan Luo.
[Regression Potential]
Low. This approach was suggested by upstream and has been well tested.
CVE References
description: updated
Changed in linux (Ubuntu):
status: In Progress → Fix Released
Changed in linux (Ubuntu Bionic):
status: New → In Progress
Changed in linux (Ubuntu Disco):
status: New → In Progress
Changed in linux (Ubuntu Bionic):
importance: Undecided → High
Changed in linux (Ubuntu Disco):
importance: Undecided → High
Changed in linux (Ubuntu Bionic):
assignee: nobody → Tyler Hicks (tyhicks)
Changed in linux (Ubuntu Disco):
assignee: nobody → Tyler Hicks (tyhicks)
information type: Private Security → Public Security
description: updated
Changed in linux (Ubuntu Bionic):
status: In Progress → Fix Committed
Changed in linux (Ubuntu Disco):
status: In Progress → Fix Committed
This is CVE-2020-7053