From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org, stable@kernel.org
Cc: Justin Forbes <jmforbes@linuxtx.org>,
Zwane Mwaikambo <zwane@arm.linux.org.uk>,
"Theodore Ts'o" <tytso@mit.edu>,
Randy Dunlap <rdunlap@xenotime.net>,
Dave Jones <davej@redhat.com>,
Chuck Wolber <chuckw@quantumlinux.com>,
Chris Wedgwood <reviews@ml.cw.f00f.org>,
Michael Krufky <mkrufky@linuxtv.org>,
Chuck Ebbert <cebbert@redhat.com>,
Domenico Andreoli <cavokz@gmail.com>, Willy Tarreau <w@1wt.eu>,
Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
Jake Edge <jake@lwn.net>, Eugene Teo <eteo@redhat.com>,
torvalds@linux-foundation.org, akpm@linux-foundation.org,
alan@lxorguk.ukuu.org.uk, Dave Airlie <airlied@redhat.com>
Subject: [patch 15/17] drm/i915: fix ioremap of a user address for non-root (CVE-2008-3831)
Date: Sat, 18 Oct 2008 11:34:31 -0700 [thread overview]
Message-ID: <20081018183431.GP14035@suse.de> (raw)
In-Reply-To: <20081018183334.GA14035@suse.de>
[-- Attachment #1: drm-i915-fix-ioremap-of-a-user-address-for-non-root.patch --]
[-- Type: text/plain, Size: 1472 bytes --]
2.6.27-stable review patch. If anyone has any objections, please let us
know.
------------------
From: Matthias Hopf <mhopf@suse.de>
commit 4b40893918203ee1a1f6a114316c2a19c072e9bd upstream
Olaf Kirch noticed that the i915_set_status_page() function of the i915
kernel driver calls ioremap with an address offset that is supplied by
userspace via ioctl. The function zeroes the mapped memory via memset
and tells the hardware about the address. Turns out that access to that
ioctl is not restricted to root so users could probably exploit that to
do nasty things. We haven't tried to write actual exploit code though.
It only affects the Intel G33 series and newer.
Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
drivers/gpu/drm/i915/i915_dma.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/gpu/drm/i915/i915_dma.c
+++ b/drivers/gpu/drm/i915/i915_dma.c
@@ -836,7 +836,7 @@ struct drm_ioctl_desc i915_ioctls[] = {
DRM_IOCTL_DEF(DRM_I915_SET_VBLANK_PIPE, i915_vblank_pipe_set, DRM_AUTH|DRM_MASTER|DRM_ROOT_ONLY ),
DRM_IOCTL_DEF(DRM_I915_GET_VBLANK_PIPE, i915_vblank_pipe_get, DRM_AUTH ),
DRM_IOCTL_DEF(DRM_I915_VBLANK_SWAP, i915_vblank_swap, DRM_AUTH),
- DRM_IOCTL_DEF(DRM_I915_HWS_ADDR, i915_set_status_page, DRM_AUTH),
+ DRM_IOCTL_DEF(DRM_I915_HWS_ADDR, i915_set_status_page, DRM_AUTH|DRM_MASTER|DRM_ROOT_ONLY),
};
int i915_max_ioctl = DRM_ARRAY_SIZE(i915_ioctls);
--
next prev parent reply other threads:[~2008-10-18 19:08 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20081018182721.521723254@mini.kroah.org>
2008-10-18 18:33 ` [patch 00/17] 2.6.27-stable review Greg KH
2008-10-18 18:33 ` [patch 01/17] fbcon_set_all_vcs: fix kernel crash when switching the rotated consoles Greg KH
2008-10-18 18:33 ` [patch 02/17] modules: fix module "notes" kobject leak Greg KH
2008-10-18 18:34 ` [patch 03/17] Driver core: Fix cleanup in device_create_vargs() Greg KH
2008-10-18 18:34 ` [patch 04/17] Driver core: Clarify device cleanup Greg KH
2008-10-18 18:34 ` [patch 05/17] ath9k/mac80211: disallow fragmentation in ath9k, report to userspace Greg KH
2008-10-18 18:34 ` [patch 06/17] md: Fix rdev_size_store with size == 0 Greg KH
2008-10-18 18:34 ` [patch 07/17] xfs: fix remount rw with unrecognized options Greg KH
2008-10-18 18:34 ` [patch 08/17] ath9k: fix oops on trying to hold the wrong spinlock Greg KH
2008-10-18 18:34 ` [patch 09/17] OHCI: Allow broken controllers to auto-stop Greg KH
2008-10-18 18:34 ` [patch 10/17] USB: OHCI: fix endless polling behavior Greg KH
2008-10-18 18:34 ` [patch 11/17] USB: Fix s3c2410_udc usb speed handling Greg KH
2008-10-18 18:34 ` [patch 12/17] USB: EHCI: log a warning if ehci-hcd is not loaded first Greg KH
2008-10-18 18:34 ` [patch 13/17] usb gadget: cdc ethernet notification bugfix Greg KH
2008-10-18 18:34 ` [patch 14/17] usb: musb_hdrc build fixes Greg KH
2008-10-18 18:34 ` Greg KH [this message]
2008-10-18 18:34 ` [patch 16/17] DVB: au0828: add support for another USB id for Hauppauge HVR950Q Greg KH
2008-10-18 18:34 ` [patch 17/17] DVB: sms1xxx: support two new revisions of the Hauppauge WinTV MiniStick Greg KH
2008-10-18 18:36 ` [patch 00/17] 2.6.27-stable review Greg KH
2008-10-23 1:01 ` Josh Boyer
2008-10-23 4:53 ` [stable] " Greg KH
2008-10-23 10:33 ` Josh Boyer
2008-10-23 15:33 ` Greg KH
2008-10-23 15:47 ` Josh Boyer
2008-10-23 15:51 ` Greg KH
2008-10-23 5:06 ` Willy Tarreau
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20081018183431.GP14035@suse.de \
--to=gregkh@suse.de \
--cc=airlied@redhat.com \
--cc=akpm@linux-foundation.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=cavokz@gmail.com \
--cc=cebbert@redhat.com \
--cc=chuckw@quantumlinux.com \
--cc=davej@redhat.com \
--cc=eteo@redhat.com \
--cc=jake@lwn.net \
--cc=jmforbes@linuxtx.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mkrufky@linuxtv.org \
--cc=rbranco@la.checkpoint.com \
--cc=rdunlap@xenotime.net \
--cc=reviews@ml.cw.f00f.org \
--cc=stable@kernel.org \
--cc=torvalds@linux-foundation.org \
--cc=tytso@mit.edu \
--cc=w@1wt.eu \
--cc=zwane@arm.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox