| From 4b40893918203ee1a1f6a114316c2a19c072e9bd Mon Sep 17 00:00:00 2001 |
| From: Matthias Hopf <mhopf@suse.de> |
| Date: Sat, 18 Oct 2008 07:18:05 +1000 |
| Subject: drm/i915: fix ioremap of a user address for non-root (CVE-2008-3831) |
| |
| From: Matthias Hopf <mhopf@suse.de> |
| |
| commit 4b40893918203ee1a1f6a114316c2a19c072e9bd upstream |
| |
| Olaf Kirch noticed that the i915_set_status_page() function of the i915 |
| kernel driver calls ioremap with an address offset that is supplied by |
| userspace via ioctl. The function zeroes the mapped memory via memset |
| and tells the hardware about the address. Turns out that access to that |
| ioctl is not restricted to root so users could probably exploit that to |
| do nasty things. We haven't tried to write actual exploit code though. |
| |
| It only affects the Intel G33 series and newer. |
| |
| Signed-off-by: Dave Airlie <airlied@redhat.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> |
| |
| --- |
| drivers/char/drm/i915_dma.c | 2 +- |
| 1 file changed, 1 insertion(+), 1 deletion(-) |
| |
| --- a/drivers/char/drm/i915_dma.c |
| +++ b/drivers/char/drm/i915_dma.c |
| @@ -836,7 +836,7 @@ struct drm_ioctl_desc i915_ioctls[] = { |
| DRM_IOCTL_DEF(DRM_I915_SET_VBLANK_PIPE, i915_vblank_pipe_set, DRM_AUTH|DRM_MASTER|DRM_ROOT_ONLY ), |
| DRM_IOCTL_DEF(DRM_I915_GET_VBLANK_PIPE, i915_vblank_pipe_get, DRM_AUTH ), |
| DRM_IOCTL_DEF(DRM_I915_VBLANK_SWAP, i915_vblank_swap, DRM_AUTH), |
| - DRM_IOCTL_DEF(DRM_I915_HWS_ADDR, i915_set_status_page, DRM_AUTH), |
| + DRM_IOCTL_DEF(DRM_I915_HWS_ADDR, i915_set_status_page, DRM_AUTH|DRM_MASTER|DRM_ROOT_ONLY), |
| }; |
| |
| int i915_max_ioctl = DRM_ARRAY_SIZE(i915_ioctls); |
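Review bot: Tightening the flags on the `DRM_I915_HWS_ADDR` entry only gates who can reach `i915_set_status_page`; nothing in this hunk changes the handler, which per the commit description passes a caller-supplied offset to ioremap and memsets the mapping. The handler body is outside the hunk, so this is inferred from the description: if it has no range check, validating the offset against the graphics aperture before mapping would be worth adding as defence in depth, so that the table flags are not the only control. The entry also deserves a comment recording why it is restricted, so the flags are not relaxed later, e.g. `/* root-only master: handler maps a caller-supplied offset, see CVE-2008-3831 */`. The `i915_ioctls` table itself begins outside the hunk.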