Bug 464502 (CVE-2008-3831)

Summary: CVE-2008-3831 kernel: i915 kernel drm driver arbitrary ioremap
Product: [Other] Security Response
Reporter: Eugene Teo (Security Response) <eteo>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: airlied, anton, bhu, dhoward, jpirko, lgoncalv, lwang, security-response-team, williams
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-12-21 17:42:54 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 464507, 464508, 464509
Bug Blocks:
Attachments (description, flags):
    Proposed patch (flags: none)
    Proposed backport patch for realtime kernel (flags: none)

Description Eugene Teo (Security Response) 2008-09-29 13:33:26 UTC
Description of problem:
Olaf Kirch noticed that the i915_set_status_page() function of the i915 kernel driver calls ioremap with an address offset that is supplied by userspace via ioctl. The function zeroes the mapped memory via memset and tells the hardware about the address. Turns out that access to that ioctl is not restricted to root so users could probably exploit that to do nasty things. We haven't tried to write actual exploit code though.

Comment 1 Eugene Teo (Security Response) 2008-09-29 13:34:55 UTC
Created attachment 317979 [details]
Proposed patch

commit 6dbfadaae00a1238c01a6a04b02cb484cd9072e7
Author: Matthias Hopf <mhopf>
Date:   Fri Sep 26 16:47:03 2008 +0200

    Only allow access to DRM_I915_HWS_ADDR ioctl() for Xserver.
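
Added example (not part of the bug report or of the kernel source): a userspace model of the permission gate drm_ioctl() applies before dispatching to a driver handler, with the DRM_I915_HWS_ADDR entry once flagged DRM_AUTH only and once flagged DRM_AUTH|DRM_MASTER|DRM_ROOT_ONLY, which is my reading of the upstream commit above. The struct drm_file, the flag values and the check function are local stand-ins for the kernel's; the DRM_AUTH/DRM_MASTER/DRM_ROOT_ONLY names are the real DRM ones.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Permission flags carried by each entry of the DRM ioctl table.
 * Names are the real DRM ones; values are local constants for this demo. */
#define DRM_AUTH      0x1u  /* caller must have been authenticated by the master */
#define DRM_MASTER    0x2u  /* caller must hold DRM master (normally the X server) */
#define DRM_ROOT_ONLY 0x4u  /* caller must have CAP_SYS_ADMIN */

/* Stand-in for the per-open-file state drm_ioctl() consults. */
struct drm_file {
    bool authenticated;   /* authenticated DRM client */
    bool master;          /* holds DRM master */
    bool cap_sys_admin;   /* capable(CAP_SYS_ADMIN) */
};

/* DRM_I915_HWS_ADDR before the fix: any authenticated client, root or not,
 * reached i915_set_status_page() and its ioremap()/memset() of a
 * user-chosen offset. */
#define HWS_ADDR_FLAGS_VULNERABLE (DRM_AUTH)
/* DRM_I915_HWS_ADDR after the fix (as I read the upstream commit): only
 * the root-owned DRM master, i.e. the X server, may call it. */
#define HWS_ADDR_FLAGS_FIXED (DRM_AUTH | DRM_MASTER | DRM_ROOT_ONLY)

/* Mirrors the gate drm_ioctl() applies before calling the handler:
 * 0 if the call is permitted, -EACCES otherwise. */
int drm_ioctl_permitted(unsigned int flags, const struct drm_file *f)
{
    if (((flags & DRM_ROOT_ONLY) && !f->cap_sys_admin) ||
        ((flags & DRM_AUTH) && !f->authenticated) ||
        ((flags & DRM_MASTER) && !f->master))
        return -EACCES;
    return 0;
}

/* The threat model of this bug: an ordinary authenticated DRM client that
 * is neither master nor root. Does it reach the handler under 'flags'? */
bool unprivileged_client_reaches_handler(unsigned int flags)
{
    const struct drm_file client = { .authenticated = true,
                                     .master = false,
                                     .cap_sys_admin = false };
    return drm_ioctl_permitted(flags, &client) == 0;
}

int main(void)
{
    printf("DRM_AUTH only:          unprivileged client reaches handler = %d\n",
           (int)unprivileged_client_reaches_handler(HWS_ADDR_FLAGS_VULNERABLE));
    printf("AUTH|MASTER|ROOT_ONLY:  unprivileged client reaches handler = %d\n",
           (int)unprivileged_client_reaches_handler(HWS_ADDR_FLAGS_FIXED));
    return 0;
}
```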

Comment 3 Eugene Teo (Security Response) 2008-10-02 08:23:42 UTC
Created attachment 319200 [details]
Proposed backport patch for realtime kernel

Comment 5 Luis Claudio R. Goncalves 2008-10-02 23:45:03 UTC
The patch has been added to MRG's -83 kernel.

Comment 11 Fedora Update System 2008-10-23 16:37:52 UTC
kernel-2.6.26.6-49.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 Vincent Danen 2010-12-21 17:42:54 UTC
This was addressed via:

Red Hat Enterprise Linux version 5 (RHSA-2008:1017)
MRG Realtime for RHEL 5 Server (RHSA-2009:0009)