Bug 680000 (CVE-2011-1016)

Summary: CVE-2011-1016 kernel: drm/radeon/kms: check AA resolve registers on r300
Product: [Other] Security Response Reporter: Eugene Teo (Security Response) <eteo>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: arozansk, bhu, dhoward, jkacur, kernel-mgr, kmcmartin, lgoncalv, lwang, rt-maint, tcallawa, vkrizan, williams
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-07-29 13:57:39 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 680001, 680002, 680003    
Bug Blocks:    

Description Eugene Teo (Security Response) 2011-02-24 03:39:07 UTC 
Check values passed in to AARESOLVE_OFFSET on r300. It can be used to write
arbitrary data to VRAM, GTT, etc. This is specific to a range of GPUs only.

drm/radeon/kms: check AA resolve registers on r300
http://git.kernel.org/linus/fff1ce4dc6113b6fdc4e3a815ca5fd229408f8ef

[PATCH] drm/radeon: fix regression with AA resolve checking
https://patchwork.kernel.org/patch/576101/ ->
http://git.kernel.org/linus/45e4039c3aea597ede44a264cea322908cdedfe9
Comment 3 Eugene Teo (Security Response) 2011-02-25 01:15:58 UTC 
Both patches have been committed to the upstream kernel.
Comment 4 Vincent Danen 2011-02-28 17:56:15 UTC 
This was assigned CVE-2011-1016:

The Radeon GPU drivers in the Linux kernel before 2.6.38-rc5 do not properly validate data related to the AA resolve registers, which allows local users to write to arbitrary memory locations associated with (1) Video RAM (aka VRAM) or (2) the Graphics Translation Table (GTT) via crafted values.

http://www.kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.38-rc5
Comment 5 errata-xmlrpc 2011-05-10 18:10:45 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0498 https://rhn.redhat.com/errata/RHSA-2011-0498.html
Comment 6 Eugene Teo (Security Response) 2011-07-19 05:48:13 UTC 
Statement:

This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 4, 5, and Red Hat Enterprise MRG as they did not backport the upstream commits fff1ce4d and 45e4039c that introduced this issue. This has been addressed in Red Hat Enterprise Linux 6 via https://rhn.redhat.com/errata/RHSA-2011-0498.html.