summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMatthias Hopf <mhopf@suse.de>2008-10-25 12:11:44 -0400
committerRobert Noland <rnoland@2hip.net>2008-10-25 12:15:50 -0400
commit1d930fc75b99a89fc77d35d8f95f2877cfd5d7f0 (patch)
tree7f3817e37a5ca74d83c95d5e86d72f01ff3e30ee
parentb7d54b1dba8eba24da1b9cdd2116a26b98365b81 (diff)
drm/i915: fix ioremap of a user address for non-root (CVE-2008-3831)
Olaf Kirch noticed that the i915_set_status_page() function of the i915 kernel driver calls ioremap with an address offset that is supplied by userspace via ioctl. The function zeroes the mapped memory via memset and tells the hardware about the address. Turns out that access to that ioctl is not restricted to root so users could probably exploit that to do nasty things. We haven't tried to write actual exploit code though. It only affects the Intel G33 series and newer.
-rw-r--r--shared-core/i915_dma.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/shared-core/i915_dma.c b/shared-core/i915_dma.c
index 619e6ac2..93bfcba5 100644
--- a/shared-core/i915_dma.c
+++ b/shared-core/i915_dma.c
@@ -1225,7 +1225,7 @@ struct drm_ioctl_desc i915_ioctls[] = {
DRM_IOCTL_DEF(DRM_I915_GET_VBLANK_PIPE, i915_vblank_pipe_get, DRM_AUTH ),
DRM_IOCTL_DEF(DRM_I915_VBLANK_SWAP, i915_vblank_swap, DRM_AUTH),
DRM_IOCTL_DEF(DRM_I915_MMIO, i915_mmio, DRM_AUTH),
- DRM_IOCTL_DEF(DRM_I915_HWS_ADDR, i915_set_status_page, DRM_AUTH),
+ DRM_IOCTL_DEF(DRM_I915_HWS_ADDR, i915_set_status_page, DRM_AUTH|DRM_MASTER|DRM_ROOT_ONLY),
#ifdef I915_HAVE_BUFFER
DRM_IOCTL_DEF(DRM_I915_EXECBUFFER, i915_execbuffer, DRM_AUTH),
#endif