Message ID | 20200114204751.17496-1-tyhicks@canonical.com |
---|---|
Series | i915 info leak and use-after-free |

On 2020-01-14 20:47:49, Tyler Hicks wrote:
> https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-14615.html
>
> Insufficient control flow in certain data structures for some Intel(R)
> Processors with Intel Processor Graphics may allow an unauthenticated
> user to potentially enable information disclosure via local access
>
> https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-7053.html
>
> A race condition can lead to a use-after-free in the i915 driver while
> destroying GEM contexts. A local attacker could use this flaw to
> perform a denial of service (system crash) or possibly execute code.
>
> Tested on a Gen9 system to ensure that the info leak fix does not
> exhibit unexpected behavior. The use-after-free fix was verified using a
> PoC with a kernel test build with KASAN enabled.
>
> Tyler
>
> Akeem G Abodunrin (1):
>   drm/i915/gen9: Clear residual context state on context switch
>
> Tyler Hicks (1):
>   UBUNTU: SAUCE: drm/i915: Fix use-after-free when destroying GEM
>     context
>
>  drivers/gpu/drm/i915/i915_gem_context.c | 13 +++++++------
>  drivers/gpu/drm/i915/intel_lrc.c        | 19 ++++++++-----------
>  2 files changed, 15 insertions(+), 17 deletions(-)
>

Acked-by: Khalid Elmously <khalid.elmously@canonical.com>

On 1/14/20 12:47 PM, Tyler Hicks wrote:
> https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-14615.html
>
> Insufficient control flow in certain data structures for some Intel(R)
> Processors with Intel Processor Graphics may allow an unauthenticated
> user to potentially enable information disclosure via local access
>
> https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-7053.html
>
> A race condition can lead to a use-after-free in the i915 driver while
> destroying GEM contexts. A local attacker could use this flaw to
> perform a denial of service (system crash) or possibly execute code.
>
> Tested on a Gen9 system to ensure that the info leak fix does not
> exhibit unexpected behavior. The use-after-free fix was verified using a
> PoC with a kernel test build with KASAN enabled.
>
> Tyler
>
> Akeem G Abodunrin (1):
>   drm/i915/gen9: Clear residual context state on context switch
>
> Tyler Hicks (1):
>   UBUNTU: SAUCE: drm/i915: Fix use-after-free when destroying GEM
>     context
>
>  drivers/gpu/drm/i915/i915_gem_context.c | 13 +++++++------
>  drivers/gpu/drm/i915/intel_lrc.c        | 19 ++++++++-----------
>  2 files changed, 15 insertions(+), 17 deletions(-)
>

Acked-by: Connor Kuehl <connor.kuehl@canonical.com>