use-after-free in i915_ppgtt_close

Bug #1859522 reported by Tyler Hicks on 2020-01-13
256
This bug affects 1 person
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
High
Tyler Hicks
Bionic
High
Tyler Hicks
Disco
High
Tyler Hicks

Bug Description

[Impact]

Quan Luo and ycq from Codesafe Team of Legendsec at Qi'anxin Group reported a use-after-free issue in the i915 driver. This issue has been fixed in the upstream kernel starting in v5.2 with the following commit:

 https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7dc40713618c884bf07c030d1ab1f47a9dc1f310

The flaw was introduced in v4.14 with this change:

 https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=1acfc104cdf8a3408f0e83b4115d4419c6315005

The problem can be fixed by expanding the usage of struct_mutex to include the GEM context lookup. A fix has been submitted to the upstream stable list:

 https://<email address hidden>/T/#u

[Test Case]

Enable KASAN and exercise the affected code path using the PoC provided by Quan Luo.

[Regression Potential]

Low. This approach was suggested by upstream and has been well tested.

CVE References

Tyler Hicks (tyhicks) on 2020-01-13
description: updated
Changed in linux (Ubuntu):
status: In Progress → Fix Released
Changed in linux (Ubuntu Bionic):
status: New → In Progress
Changed in linux (Ubuntu Disco):
status: New → In Progress
Changed in linux (Ubuntu Bionic):
importance: Undecided → High
Changed in linux (Ubuntu Disco):
importance: Undecided → High
Changed in linux (Ubuntu Bionic):
assignee: nobody → Tyler Hicks (tyhicks)
Changed in linux (Ubuntu Disco):
assignee: nobody → Tyler Hicks (tyhicks)
Tyler Hicks (tyhicks) on 2020-01-14
information type: Private Security → Public Security
description: updated
Tyler Hicks (tyhicks) wrote :

This is CVE-2020-7053

Marcelo Cerri (mhcerri) on 2020-01-15
Changed in linux (Ubuntu Bionic):
status: In Progress → Fix Committed
Marcelo Cerri (mhcerri) on 2020-01-15
Changed in linux (Ubuntu Disco):
status: In Progress → Fix Committed

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-bionic' to 'verification-done-bionic'. If the problem still exists, change the tag 'verification-needed-bionic' to 'verification-failed-bionic'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-bionic

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-disco' to 'verification-done-disco'. If the problem still exists, change the tag 'verification-needed-disco' to 'verification-failed-disco'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-disco
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers