Bug 607039

Summary: CVE-2010-3448 kernel: thinkpad-acpi: lock down video output state access [mrg-1.3]
Product: Red Hat Enterprise MRG Reporter: Eugene Teo (Security Response) <eteo>
Component: realtime-kernelAssignee: John Kacur <jkacur>
Status: CLOSED CURRENTRELEASE QA Contact: David Sommerseth <davids>
Severity: medium Docs Contact:
Priority: high    
Version: DevelopmentCC: bhu, eteo, jkacur, lgoncalv, lwang, ovasik, williams
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 607035 Environment:
Last Closed: 2010-09-06 14:25:52 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 607035    
Bug Blocks: 607037, 607038, 652122    

Description Eugene Teo (Security Response) 2010-06-23 02:26:44 UTC 
+++ This bug was initially created as a clone of Bug #607035 +++

Description of problem:
Given the right combination of ThinkPad and X.org, just reading the video output control state is enough to hard-crash X.org.
    
Until the day I somehow find out a model or BIOS cut date to not provide this feature to ThinkPads that can do video switching through X RandR, change permissions so that only processes with CAP_SYS_ADMIN can access any sort of video output control state.
    
This bug could be considered a local DoS I suppose, as it allows any non-privledged local user to cause some versions of X.org to hard-crash some ThinkPads.
    
Reported-by: Jidanni <jidanni>
Signed-off-by: Henrique de Moraes Holschuh <hmh.br>
Cc: stable

Upstream commit:
http://git.kernel.org/linus/b525c06cdbd8a3963f0173ccd23f9147d4c384b5
Comment 3 John Kacur 2010-09-06 14:23:25 UTC 
The equivalent of b525c06cdbd8a3963f0173ccd23f9147d4c384b5
is c9438d3d949d4c5f88f630b647011b8381c63ae5
v2.6.33.1~38

So, this fix is already included in our base kernel.