{"id":"ASB-A-135368228","details":"In i915_gem_execbuffer2_ioctl of i915_gem_execbuffer.c, there is a possible arbitrary kernel memory write due to a missing validation of a userspace pointer. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-135368228","CVE-2018-20669"],"modified":"2026-03-11T05:56:18.881264Z","published":"2020-07-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2020-07-01"},{"type":"FIX","url":"https://android.googlesource.com/kernel/common/+/594cc251fdd0d231d342d88b2fdff4bc42fb0690"}],"affected":[{"package":{"name":":linux_kernel:","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":":0"},{"fixed":":2020-07-05"}]}],"versions":["Kernel"],"ecosystem_specific":{"spl":"2020-07-05","types":["EoP"],"severity":"High","fixes":["https://android.googlesource.com/kernel/common/+/594cc251fdd0d231d342d88b2fdff4bc42fb0690"],"vanir_signatures":[{"target":{"function":"strncpy_from_user","file":"lib/strncpy_from_user.c"},"digest":{"function_hash":"400817462396315618127383903223325265","length":450},"source":"https://android.googlesource.com/kernel/common/+/594cc251fdd0d231d342d88b2fdff4bc42fb0690","signature_version":"v1","signature_type":"Function","deprecated":false,"id":"ASB-A-135368228-286c45f8"},{"target":{"function":"strnlen_user","file":"lib/strnlen_user.c"},"digest":{"function_hash":"68090361726321189053984993318968432620","length":353},"source":"https://android.googlesource.com/kernel/common/+/594cc251fdd0d231d342d88b2fdff4bc42fb0690","signature_version":"v1","signature_type":"Function","deprecated":false,"id":"ASB-A-135368228-41919602"},{"target":{"file":"kernel/exit.c"},"digest":{"threshold":0.9,"line_hashes":["301793275486824344367794203097786741813","102988567970991509911455608070440664204","62087505603880536755319851132085632346","215021906692261901270681321476312701005","67401028612326933470622350994445848838","215586405974874088585699713914725195748","301793275486824344367794203097786741813","102988567970991509911455608070440664204","62087505603880536755319851132085632346","215021906692261901270681321476312701005","67401028612326933470622350994445848838","215586405974874088585699713914725195748"]},"source":"https://android.googlesource.com/kernel/common/+/594cc251fdd0d231d342d88b2fdff4bc42fb0690","signature_version":"v1","signature_type":"Line","deprecated":false,"id":"ASB-A-135368228-4e5bf4fb"},{"target":{"file":"arch/x86/include/asm/uaccess.h"},"digest":{"threshold":0.9,"line_hashes":["232028027986071802307249056167629624847","101741051838569941211007432008240308871","226565891450945516587800283176920414"]},"source":"https://android.googlesource.com/kernel/common/+/594cc251fdd0d231d342d88b2fdff4bc42fb0690","signature_version":"v1","signature_type":"Line","deprecated":false,"id":"ASB-A-135368228-56e1a7ec"},{"target":{"file":"lib/strncpy_from_user.c"},"digest":{"threshold":0.9,"line_hashes":["218022533227338726032329426921560767208","137942850219935925455327831530557818023","80541316664184116869923029033572957138","60561915142399814488834988941746010422","123525920890028007356417567625638805132","271195609283421035949361219831426229931","39184847628127583315438858453386709687"]},"source":"https://android.googlesource.com/kernel/common/+/594cc251fdd0d231d342d88b2fdff4bc42fb0690","signature_version":"v1","signature_type":"Line","deprecated":false,"id":"ASB-A-135368228-57cbe140"},{"target":{"function":"COMPAT_SYSCALL_DEFINE5","file":"kernel/exit.c"},"digest":{"function_hash":"161782424011367324522201384309831448963","length":962},"source":"https://android.googlesource.com/kernel/common/+/594cc251fdd0d231d342d88b2fdff4bc42fb0690","signature_version":"v1","signature_type":"Function","deprecated":false,"id":"ASB-A-135368228-5d591cbe"},{"target":{"function":"eb_copy_relocations","file":"drivers/gpu/drm/i915/i915_gem_execbuffer.c"},"digest":{"function_hash":"90893435251128681422669557853531682811","length":1240},"source":"https://android.googlesource.com/kernel/common/+/594cc251fdd0d231d342d88b2fdff4bc42fb0690","signature_version":"v1","signature_type":"Function","deprecated":false,"id":"ASB-A-135368228-6b458526"},{"target":{"function":"compat_get_bitmap","file":"kernel/compat.c"},"digest":{"function_hash":"154366867923671533612107094974457337412","length":586},"source":"https://android.googlesource.com/kernel/common/+/594cc251fdd0d231d342d88b2fdff4bc42fb0690","signature_version":"v1","signature_type":"Function","deprecated":false,"id":"ASB-A-135368228-7b8e9daa"},{"target":{"file":"lib/strnlen_user.c"},"digest":{"threshold":0.9,"line_hashes":["28753910527890398429155628937748401289","88255200070039553500928015676306213639","96976392715654179192670499544011966251","46811759026676158653595696424697518491","213360730056040620491420435481845118594","309664431301100582699492956019389484622","74179071256697267931849937505900386267"]},"source":"https://android.googlesource.com/kernel/common/+/594cc251fdd0d231d342d88b2fdff4bc42fb0690","signature_version":"v1","signature_type":"Line","deprecated":false,"id":"ASB-A-135368228-7e59e0e0"},{"target":{"file":"kernel/compat.c"},"digest":{"threshold":0.9,"line_hashes":["118893384689130072144087209496881372223","234039337514851006561512442585312447880","101516614282764592504035395470523621229","106735922113113865280917134505946497615","18386945575918201229826480636158424542","210569225136584335750370450469637248112","118893384689130072144087209496881372223","234039337514851006561512442585312447880","101516614282764592504035395470523621229","106735922113113865280917134505946497615","49859743504563330794551454427122425777","269365552827766514839575326448491315684"]},"source":"https://android.googlesource.com/kernel/common/+/594cc251fdd0d231d342d88b2fdff4bc42fb0690","signature_version":"v1","signature_type":"Line","deprecated":false,"id":"ASB-A-135368228-8be2e773"},{"target":{"function":"compat_put_bitmap","file":"kernel/compat.c"},"digest":{"function_hash":"115877470744406940500836715527564044470","length":568},"source":"https://android.googlesource.com/kernel/common/+/594cc251fdd0d231d342d88b2fdff4bc42fb0690","signature_version":"v1","signature_type":"Function","deprecated":false,"id":"ASB-A-135368228-9e06e0ba"},{"target":{"file":"drivers/gpu/drm/i915/i915_gem_execbuffer.c"},"digest":{"threshold":0.9,"line_hashes":["122493765503606359477130812823671555898","94652218836112744307968883406309058435","193137173227543583514496588598312738195","251250042594426313574327667970291785962","117526506907837341952913343302241645153","275119994724402740229238148493030663420","221948311057522641890568928933523118333","153186835061866607804432263621120210933"]},"source":"https://android.googlesource.com/kernel/common/+/594cc251fdd0d231d342d88b2fdff4bc42fb0690","signature_version":"v1","signature_type":"Line","deprecated":false,"id":"ASB-A-135368228-a0f0ca3d"},{"target":{"function":"SYSCALL_DEFINE5","file":"kernel/exit.c"},"digest":{"function_hash":"144372160533408814895396248617853295473","length":873},"source":"https://android.googlesource.com/kernel/common/+/594cc251fdd0d231d342d88b2fdff4bc42fb0690","signature_version":"v1","signature_type":"Function","deprecated":false,"id":"ASB-A-135368228-c6d05a1a"},{"target":{"function":"i915_gem_execbuffer2_ioctl","file":"drivers/gpu/drm/i915/i915_gem_execbuffer.c"},"digest":{"function_hash":"283650863692651573154452340659572963107","length":1405},"source":"https://android.googlesource.com/kernel/common/+/594cc251fdd0d231d342d88b2fdff4bc42fb0690","signature_version":"v1","signature_type":"Function","deprecated":false,"id":"ASB-A-135368228-d588bb6f"}]},"database_specific":{"source":"https://storage.googleapis.com/android-osv-test/ASB-A-135368228.json"}}],"schema_version":"1.7.5"}