[0/2,SRU,B] i915 info leak and use-after-free

Message ID 20200114204751.17496-1-tyhicks@canonical.com

Message

Tyler Hicks Jan. 14, 2020, 8:47 p.m. UTC
https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-14615.html

 Insufficient control flow in certain data structures for some Intel(R)
 Processors with Intel Processor Graphics may allow an unauthenticated
 user to potentially enable information disclosure via local access

https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-7053.html

 A race condition can lead to a use-after-free in the i915 driver while
 destroying GEM contexts. A local attacker could use this flaw to
 perform a denial of service (system crash) or possibly execute code.

Tested on a Gen9 system to ensure that the info leak fix does not
exhibit unexpected behavior. The use-after-free fix was verified using a
PoC with a kernel test build with KASAN enabled.

Tyler

Akeem G Abodunrin (1):
  drm/i915/gen9: Clear residual context state on context switch

Tyler Hicks (1):
  UBUNTU: SAUCE: drm/i915: Fix use-after-free when destroying GEM
    context

 drivers/gpu/drm/i915/i915_gem_context.c | 13 +++++++------
 drivers/gpu/drm/i915/intel_lrc.c        | 19 ++++++++-----------
 2 files changed, 15 insertions(+), 17 deletions(-)

Comments

Khalid Elmously Jan. 14, 2020, 12:37 p.m. UTC | #1
On 2020-01-14 20:47:49 , Tyler Hicks wrote:
> https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-14615.html
> 
>  Insufficient control flow in certain data structures for some Intel(R)
>  Processors with Intel Processor Graphics may allow an unauthenticated
>  user to potentially enable information disclosure via local access
> 
> https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-7053.html
> 
>  A race condition can lead to a use-after-free in the i915 driver while
>  destroying GEM contexts. A local attacker could use this flaw to
>  perform a denial of service (system crash) or possibly execute code.
> 
> Tested on a Gen9 system to ensure that the info leak fix does not
> exhibit unexpected behavior. The use-after-free fix was verified using a
> PoC with a kernel test build with KASAN enabled.
> 
> Tyler
> 
> Akeem G Abodunrin (1):
>   drm/i915/gen9: Clear residual context state on context switch
> 
> Tyler Hicks (1):
>   UBUNTU: SAUCE: drm/i915: Fix use-after-free when destroying GEM
>     context
> 
>  drivers/gpu/drm/i915/i915_gem_context.c | 13 +++++++------
>  drivers/gpu/drm/i915/intel_lrc.c        | 19 ++++++++-----------
>  2 files changed, 15 insertions(+), 17 deletions(-)
> 
Acked-by: Khalid Elmously <khalid.elmously@canonical.com>

Connor Kuehl Jan. 14, 2020, 9 p.m. UTC | #2
On 1/14/20 12:47 PM, Tyler Hicks wrote:
> https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-14615.html
> 
>   Insufficient control flow in certain data structures for some Intel(R)
>   Processors with Intel Processor Graphics may allow an unauthenticated
>   user to potentially enable information disclosure via local access
> 
> https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-7053.html
> 
>   A race condition can lead to a use-after-free in the i915 driver while
>   destroying GEM contexts. A local attacker could use this flaw to
>   perform a denial of service (system crash) or possibly execute code.
> 
> Tested on a Gen9 system to ensure that the info leak fix does not
> exhibit unexpected behavior. The use-after-free fix was verified using a
> PoC with a kernel test build with KASAN enabled.
> 
> Tyler
> 
> Akeem G Abodunrin (1):
>    drm/i915/gen9: Clear residual context state on context switch
> 
> Tyler Hicks (1):
>    UBUNTU: SAUCE: drm/i915: Fix use-after-free when destroying GEM
>      context
> 
>   drivers/gpu/drm/i915/i915_gem_context.c | 13 +++++++------
>   drivers/gpu/drm/i915/intel_lrc.c        | 19 ++++++++-----------
>   2 files changed, 15 insertions(+), 17 deletions(-)
> 

Acked-by: Connor Kuehl <connor.kuehl@canonical.com>