Bug 607039 - CVE-2010-3448 kernel: thinkpad-acpi: lock down video output state access [mrg-1.3]
Alias: None
Product: Red Hat Enterprise MRG
Classification: Red Hat
Component: realtime-kernel
Version: Development
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: John Kacur
QA Contact: David Sommerseth
Depends On: 607035
Blocks: 607037 607038 CVE-2010-3448
Reported: 2010-06-23 02:26 UTC by Eugene Teo (Security Response)
Modified: 2016-05-22 23:30 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 607035
Last Closed: 2010-09-06 14:25:52 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Description Eugene Teo (Security Response) 2010-06-23 02:26:44 UTC
+++ This bug was initially created as a clone of Bug #607035 +++

Description of problem:
Given the right combination of ThinkPad and X.org, just reading the video output control state is enough to hard-crash X.org.
Until the day I somehow find out a model or BIOS cut date to not provide this feature to ThinkPads that can do video switching through X RandR, change permissions so that only processes with CAP_SYS_ADMIN can access any sort of video output control state.
This bug could be considered a local DoS I suppose, as it allows any non-privileged local user to cause some versions of X.org to hard-crash some ThinkPads.
Reported-by: Jidanni <jidanni@jidanni.org>
Signed-off-by: Henrique de Moraes Holschuh <hmh@hmh.eng.br>
Cc: stable@kernel.org

Upstream commit:

Comment 3 John Kacur 2010-09-06 14:23:25 UTC
The equivalent of b525c06cdbd8a3963f0173ccd23f9147d4c384b5
is c9438d3d949d4c5f88f630b647011b8381c63ae5

So, this fix is already included in our base kernel.
