Hi,


I found a similar double-fetch bug in drivers/gpu/drm/i915/i915_gem.c when I
was examining the source code.


In function i915_gem_pread_ioctl(), the driver checks the user-space pointer
data_ptr via access_ok() at line 694, and after running for a while, in function
shmem_pread_slow() at line 657 or shmem_pread_fast() at line 639, it finally
uses __copy_to_user() without checking the user-space pointer.


If args->data_ptr is modified by a user thread in a race between the check and
the __copy_to_user() operation, for example changed to a kernel address, this
will lead to an arbitrary kernel address write (caused by __copy_to_user()).


I am looking forward to a reply on this, thank you!

_______________________________________________
Intel-gfx mailing list
[email protected]
https://lists.freedesktop.org/mailman/listinfo/intel-gfx
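A constructed user-space simulation of the check-then-use pattern the report describes, added here as an editor's example and not code from the report or from the i915 driver. A handler that re-reads a shared argument block after validating it is placed beside one that snapshots the block into a local copy before the check, which is what a single copy_from_user() of an ioctl argument block gives a kernel handler. Every name here (`pread_double_fetch`, `pread_snapshot`, `sim_access_ok`, `sim_copy_to_user`, the address constants and the race hook that stands in for a concurrent user thread) is an assumption of the simulation, not a kernel API.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed user/kernel split: addresses below USER_LIMIT count as "user". */
#define USER_LIMIT  0x100000000ULL
#define KERNEL_ADDR 0xffff888000001000ULL   /* constructed sample kernel address */

/* Stand-in for the ioctl argument block (hypothetical layout). */
struct pread_args {
    uint64_t data_ptr;
    uint64_t size;
};

enum { PREAD_OK = 0, PREAD_EFAULT = -14, PREAD_WROTE_KERNEL = -99 };

/* Simulated access_ok(): range must lie entirely below USER_LIMIT. */
static int sim_access_ok(uint64_t ptr, uint64_t size) {
    return ptr < USER_LIMIT && size <= USER_LIMIT - ptr;
}

/* Simulated __copy_to_user(): performs no check of its own and reports
   whether the destination it was handed is a kernel address. */
static int sim_copy_to_user(uint64_t dst, uint64_t size) {
    (void)size;
    return dst >= USER_LIMIT ? PREAD_WROTE_KERNEL : PREAD_OK;
}

/* Hook invoked between check and use; models a user thread racing the handler. */
typedef void (*race_hook_t)(struct pread_args *shared);

/* Double-fetch handler: the pointer is read once for the check and again for
   the use, so a modification in between is honoured by the second read. */
static int pread_double_fetch(struct pread_args *shared, race_hook_t hook) {
    if (!sim_access_ok(shared->data_ptr, shared->size))        /* fetch 1 */
        return PREAD_EFAULT;
    if (hook)
        hook(shared);
    return sim_copy_to_user(shared->data_ptr, shared->size);   /* fetch 2 */
}

/* Snapshot handler: the argument block is copied once into handler-private
   memory (the copy_from_user() equivalent); check and use see the same value. */
static int pread_snapshot(struct pread_args *shared, race_hook_t hook) {
    struct pread_args args;
    memcpy(&args, shared, sizeof(args));                       /* single fetch */
    if (!sim_access_ok(args.data_ptr, args.size))
        return PREAD_EFAULT;
    if (hook)
        hook(shared);                                          /* original may change */
    return sim_copy_to_user(args.data_ptr, args.size);         /* uses the snapshot */
}

/* Race model used by the demonstration: flips the shared pointer after the check. */
static void flip_to_kernel(struct pread_args *shared) {
    shared->data_ptr = KERNEL_ADDR;
}

int main(void) {
    struct pread_args a = { 0x1000, 64 };
    struct pread_args b = { 0x1000, 64 };
    printf("double fetch under race: %d\n", pread_double_fetch(&a, flip_to_kernel));
    printf("snapshot under race:     %d\n", pread_snapshot(&b, flip_to_kernel));
    return 0;
}
```

The snapshot variant is the defensive shape: validate and consume a private copy of every field that crosses the boundary, and never dereference the shared original again after the check.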
