Bug 464502 - (CVE-2008-3831) CVE-2008-3831 kernel: i915 kernel drm driver arbitrary ioremap
CVE-2008-3831 kernel: i915 kernel drm driver arbitrary ioremap
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
high Severity high
: ---
: ---
Assigned To: Red Hat Product Security
impact=important,reported=20080929,so...
: Security
Depends On: 464507 464508 464509
Blocks:
  Show dependency treegraph
 
Reported: 2008-09-29 09:33 EDT by Eugene Teo (Security Response)
Modified: 2010-12-21 12:42 EST (History)
9 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-12-21 12:42:54 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Proposed patch (858 bytes, patch)
2008-09-29 09:34 EDT, Eugene Teo (Security Response)
no flags Details | Diff
Proposed backport patch for realtime kernel (831 bytes, patch)
2008-10-02 04:23 EDT, Eugene Teo (Security Response)
no flags Details | Diff

  None (edit)
Description Eugene Teo (Security Response) 2008-09-29 09:33:26 EDT
Description of problem:
Olaf Kirch noticed that the i915_set_status_page() function of the i915 kernel driver calls ioremap with an address offset that is supplied by userspace via ioctl. The function zeroes the mapped memory via memset and tells the hardware about the address. Turns out that access to that ioctl is not restricted to root so users could probably exploit that to do nasty things. We haven't tried to
write actual exploit code though.
Comment 1 Eugene Teo (Security Response) 2008-09-29 09:34:55 EDT
Created attachment 317979 [details]
Proposed patch

commit 6dbfadaae00a1238c01a6a04b02cb484cd9072e7
Author: Matthias Hopf <mhopf@suse.de>
Date:   Fri Sep 26 16:47:03 2008 +0200

    Only allow access to DRM_I915_HWS_ADDR ioctl() for Xserver.
Comment 3 Eugene Teo (Security Response) 2008-10-02 04:23:42 EDT
Created attachment 319200 [details]
Proposed backport patch for realtime kernel
Comment 5 Luis Claudio R. Goncalves 2008-10-02 19:45:03 EDT
The patch has been added to MRG's -83 kernel.
Comment 11 Fedora Update System 2008-10-23 12:37:52 EDT
kernel-2.6.26.6-49.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 14 Vincent Danen 2010-12-21 12:42:54 EST
This was addressed via:

Red Hat Enterprise Linux version 5 (RHSA-2008:1017)
MRG Realtime for RHEL 5 Server (RHSA-2009:0009)

Note You need to log in before you can comment on or make changes to this bug.