Red Hat Bugzilla – Bug 464502
CVE-2008-3831 kernel: i915 kernel drm driver arbitrary ioremap
Last modified: 2010-12-21 12:42:54 EST
Description of problem:
Olaf Kirch noticed that the i915_set_status_page() function of the i915 kernel driver calls ioremap with an address offset that is supplied by userspace via ioctl. The function zeroes the mapped memory via memset and tells the hardware about the address. Turns out that access to that ioctl is not restricted to root so users could probably exploit that to do nasty things. We haven't tried to
write actual exploit code though.
Created attachment 317979 [details]
Author: Matthias Hopf <email@example.com>
Date: Fri Sep 26 16:47:03 2008 +0200
Only allow access to DRM_I915_HWS_ADDR ioctl() for Xserver.
Created attachment 319200 [details]
Proposed backport patch for realtime kernel
The patch has been added to MRG's -83 kernel.
Public now via:
(In reply to comment #9)
> Public now via:
And this http://www.debian.org/security/2008/dsa-1655
kernel-188.8.131.52-49.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
This was addressed via:
Red Hat Enterprise Linux version 5 (RHSA-2008:1017)
MRG Realtime for RHEL 5 Server (RHSA-2009:0009)