This bug was fixed in the package linux - 4.15.0-76.86

---------------
linux (4.15.0-76.86) bionic; urgency=medium

  * bionic/linux: 4.15.0-76.86 -proposed tracker (LP: #1860123)

  *  Integrate Intel SGX driver into linux-azure (LP: #1844245)
    - [Packaging] Add systemd service to load intel_sgx

  * [Regression] Bionic kernel 4.15.0-71.80 can not boot on ThunderX
    (LP: #1853326) // Bionic kernel panic on Cavium ThunderX CN88XX
    (LP: #1853485) // Cavium ThunderX CN88XX crashes on boot (LP: #1857074)
    - arm64: Check for errata before evaluating cpu features
    - arm64: add sentinel to kpti_safe_list

linux (4.15.0-75.85) bionic; urgency=medium

  * bionic/linux: 4.15.0-75.85 -proposed tracker (LP: #1859705)

  * use-after-free in i915_ppgtt_close (LP: #1859522) // CVE-2020-7053
    - SAUCE: drm/i915: Fix use-after-free when destroying GEM context

  * CVE-2019-14615
    - drm/i915/gen9: Clear residual context state on context switch

  * PAN is broken for execute-only user mappings on ARMv8 (LP: #1858815)
    - arm64: Revert support for execute-only user mappings

  * [Regression] usb usb2-port2: Cannot enable. Maybe the USB cable is bad?
    (LP: #1856608)
    - SAUCE: Revert "usb: handle warm-reset port requests on hub resume"

  * Miscellaneous Ubuntu changes
    - update dkms package versions

 -- Marcelo Henrique Cerri <marcelo.ce...@canonical.com>  Fri, 17 Jan 2020 10:59:22 -0300

** Changed in: linux (Ubuntu Bionic)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1859522

Title:
  use-after-free in i915_ppgtt_close

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Bionic:
  Fix Released
Status in linux source package in Disco:
  Fix Released

Bug description:
  [Impact]

  Quan Luo and ycq from Codesafe Team of Legendsec at Qi'anxin Group
  reported a use-after-free issue in the i915 driver. This issue has
  been fixed in the upstream kernel starting in v5.2 with the following
  commit:

  https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7dc40713618c884bf07c030d1ab1f47a9dc1f310

  The flaw was introduced in v4.14 with this change:

  https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=1acfc104cdf8a3408f0e83b4115d4419c6315005

  The problem can be fixed by expanding the usage of struct_mutex to
  include the GEM context lookup. A fix has been submitted to the
  upstream stable list:

  https://lore.kernel.org/stable/20200114183937.12224-1-tyhi...@canonical.com/T/#u

  [Test Case]

  Enable KASAN and exercise the affected code path using the PoC
  provided by Quan Luo.

  [Regression Potential]

  Low. This approach was suggested by upstream and has been well tested.
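
The locking change described under [Impact] (widening the mutex so that it covers the lookup as well as the teardown), shown as an added user-space C model. It is not the i915 driver code and not part of the original bug report. Every name is hypothetical, a pthread mutex stands in for struct_mutex, a counter stands in for the teardown, and the model assumes two callers that both resolve the same handle before either removes it.

```c
#include <errno.h>
#include <pthread.h>
#include <stddef.h>

/* User-space model; every name here is hypothetical, not an i915 identifier. */
#define MAX_CTX 4
struct ctx { int closes; };            /* closes > 1 models a double teardown */

static pthread_mutex_t big_lock = PTHREAD_MUTEX_INITIALIZER; /* stands in for struct_mutex */
static struct ctx *table[MAX_CTX];     /* stands in for the handle table */

/* Publish a context under a handle id (setup helper). */
void ctx_install(unsigned id, struct ctx *c) { if (id < MAX_CTX) table[id] = c; }

static struct ctx *ctx_lookup(unsigned id) { return id < MAX_CTX ? table[id] : NULL; }

/* "Before" shape, split in two so that two callers can be interleaved
 * deterministically: the lookup runs with no lock held... */
struct ctx *destroy_before_lookup(unsigned id)
{
    return ctx_lookup(id);
}

/* ...and only removal and teardown are serialized. A second caller that
 * resolved the same id earlier still holds the pointer and tears it down again. */
void destroy_before_close(unsigned id, struct ctx *c)
{
    if (!c || id >= MAX_CTX) return;
    pthread_mutex_lock(&big_lock);
    table[id] = NULL;
    c->closes++;                       /* teardown; a real object would be freed here */
    pthread_mutex_unlock(&big_lock);
}

/* "After" shape: lookup, removal and teardown form one critical section,
 * so the second caller finds an empty slot and gets -ENOENT. */
int destroy_after(unsigned id)
{
    int ret = -ENOENT;
    pthread_mutex_lock(&big_lock);
    struct ctx *c = ctx_lookup(id);
    if (c) {
        table[id] = NULL;
        c->closes++;
        ret = 0;
    }
    pthread_mutex_unlock(&big_lock);
    return ret;
}
```

With the lookup outside the lock, both callers reach the teardown with the same pointer; with the lookup inside it, the teardown runs once per object, which is the property KASAN checks indirectly in the [Test Case].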
