Описание
In the Linux kernel, the following vulnerability has been resolved:
drm/i915: mark requests for GuC virtual engines to avoid use-after-free
References to i915_requests may be trapped by userspace inside a
sync_file or dmabuf (dma-resv) and held indefinitely across different
proceses. To counter-act the memory leaks, we try to not to keep
references from the request past their completion.
On the other side on fence release we need to know if rq->engine
is valid and points to hw engine (true for non-virtual requests).
To make it possible extra bit has been added to rq->execution_mask,
for marking virtual engines.
(cherry picked from commit 280410677af763f3871b93e794a199cfcf6fb580)
A use-after-free vulnerability was found in the Linux kernel Intel i915 graphics driver's GuC virtual engine request handling. A local user with access to GPU rendering can create requests on GuC virtual engines and trap references via sync_file or dmabuf, causing fence release operations to access freed engine structures when validating whether rq->engine points to a valid hardware engine, which results in memory corruption and potential privilege escalation or denial of service.
Отчет
Fence release code needs to determine if rq->engine is valid for non-virtual requests, but the check was insufficient for GuC virtual engines. Userspace can hold i915_request references indefinitely across processes via sync_file or dmabuf (dma-resv). The driver attempts to free request resources after completion to prevent memory leaks, but on fence release it must validate the engine pointer. For GuC virtual engines, the validation was incorrect, allowing use-after-free when the engine structure was freed but still referenced.
Меры по смягчению последствий
To mitigate this issue, prevent the i915 module from loading. See https://access.redhat.com/solutions/41278 for instructions on blacklisting kernel modules.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 10 | kernel | Not affected | ||
| Red Hat Enterprise Linux 6 | kernel | Not affected | ||
| Red Hat Enterprise Linux 7 | kernel | Not affected | ||
| Red Hat Enterprise Linux 7 | kernel-rt | Not affected | ||
| Red Hat Enterprise Linux 9 | kernel-rt | Affected | ||
| Red Hat Enterprise Linux 8 | kernel-rt | Fixed | RHSA-2026:0760 | 19.01.2026 |
| Red Hat Enterprise Linux 8 | kernel | Fixed | RHSA-2023:2951 | 16.05.2023 |
| Red Hat Enterprise Linux 8 | kernel | Fixed | RHSA-2026:0759 | 19.01.2026 |
| Red Hat Enterprise Linux 8.8 Telecommunications Update Service | kernel | Fixed | RHSA-2026:1445 | 28.01.2026 |
| Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions | kernel | Fixed | RHSA-2026:1445 | 28.01.2026 |
Показывать по
Дополнительная информация
Статус:
EPSS
7 High
CVSS3
Связанные уязвимости
In the Linux kernel, the following vulnerability has been resolved: drm/i915: mark requests for GuC virtual engines to avoid use-after-free References to i915_requests may be trapped by userspace inside a sync_file or dmabuf (dma-resv) and held indefinitely across different proceses. To counter-act the memory leaks, we try to not to keep references from the request past their completion. On the other side on fence release we need to know if rq->engine is valid and points to hw engine (true for non-virtual requests). To make it possible extra bit has been added to rq->execution_mask, for marking virtual engines. (cherry picked from commit 280410677af763f3871b93e794a199cfcf6fb580)
In the Linux kernel, the following vulnerability has been resolved: drm/i915: mark requests for GuC virtual engines to avoid use-after-free References to i915_requests may be trapped by userspace inside a sync_file or dmabuf (dma-resv) and held indefinitely across different proceses. To counter-act the memory leaks, we try to not to keep references from the request past their completion. On the other side on fence release we need to know if rq->engine is valid and points to hw engine (true for non-virtual requests). To make it possible extra bit has been added to rq->execution_mask, for marking virtual engines. (cherry picked from commit 280410677af763f3871b93e794a199cfcf6fb580)
In the Linux kernel, the following vulnerability has been resolved: d ...
In the Linux kernel, the following vulnerability has been resolved: drm/i915: mark requests for GuC virtual engines to avoid use-after-free References to i915_requests may be trapped by userspace inside a sync_file or dmabuf (dma-resv) and held indefinitely across different proceses. To counter-act the memory leaks, we try to not to keep references from the request past their completion. On the other side on fence release we need to know if rq->engine is valid and points to hw engine (true for non-virtual requests). To make it possible extra bit has been added to rq->execution_mask, for marking virtual engines. (cherry picked from commit 280410677af763f3871b93e794a199cfcf6fb580)
EPSS
7 High
CVSS3