Bug 621435 (CVE-2010-2803)
| Summary: | CVE-2010-2803 kernel: drm ioctls infoleak | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Eugene Teo (Security Response) <eteo> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | airlied, arozansk, bhu, jkacur, lgoncalv, lwang, peterm, security-response-team, tcallawa, williams |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2016-04-22 13:26:20 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 621436, 621437, 626319 | ||
| Bug Blocks: | |||
Acknowledgements: Red Hat would like to thank Kees Cook for reporting this issue. Statement: This issue did not affect the version of Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, 5 and Red Hat Enterprise MRG as they did not include support for GPU DRM. To exploit this, the user has to log in under X or otherwise has r/w access to the dri path (group "video"). Fixes: http://git.kernel.org/?p=linux/kernel/git/airlied/drm-2.6.git;a=commitdiff;h=b9f0aee83335db1f3915f4e42a5e21b351740afd http://git.kernel.org/?p=linux/kernel/git/airlied/drm-2.6.git;a=commitdiff;h=1b2f1489633888d4a06028315dc19d65768a1c05 Upstream commit: http://git.kernel.org/linus/b9f0aee83335db1f3915f4e42a5e21b351740afd http://git.kernel.org/linus/2854eedae2ff35d95e8923bebdb942bbd537c54f http://git.kernel.org/linus/1b2f1489633888d4a06028315dc19d65768a1c05 This issue has been addressed in following products: Red Hat Enterprise Linux 6 Via RHSA-2010:0842 https://rhn.redhat.com/errata/RHSA-2010-0842.html This issue has been addressed in following products: Red Hat Enterprise Linux 6 Via RHSA-2010:0842 https://rhn.redhat.com/errata/RHSA-2010-0842.html |
Description of problem: There is a problem with the ioctl subsystem for drm, though it is most explicitly exposed by the intel GEM driver. Under driver-defined ioctls, drm does not sanitize the ioctl command, allowing the caller to specify how much memory should be kmalloc'd and copied back to the caller, regardless of what the driver ioctl actually does (it doesn't even need to succeed). drivers/gpu/drm/drm_drv.c long drm_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) ... unsigned int nr = DRM_IOCTL_NR(cmd); ... if ((nr >= DRM_COMMAND_BASE) && (nr < DRM_COMMAND_END) && (nr < DRM_COMMAND_BASE + dev->driver->num_ioctls)) ioctl = &dev->driver->ioctls[nr - DRM_COMMAND_BASE]; ... if (cmd & (IOC_IN | IOC_OUT)) { if (_IOC_SIZE(cmd) <= sizeof(stack_kdata)) { kdata = stack_kdata; } else { kdata = kmalloc(_IOC_SIZE(cmd), GFP_KERNEL); ... } } ... retcode = func(dev, kdata, file_priv); ... if (cmd & IOC_OUT) { if (copy_to_user((void __user *)arg, kdata, _IOC_SIZE(cmd)) != 0) retcode = -EFAULT; } "cmd" is caller-controlled, and can do whatever it likes for _IOC_SIZE(cmd), IOC_IN and IOC_OUT, resulting in leakage of previously freed kernel heap memory contents up to 16K in size.