Bug 621435 - (CVE-2010-2803) CVE-2010-2803 kernel: drm ioctls infoleak
Status: CLOSED CURRENTRELEASE
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: public=20100817,reported=20100805,sou...
Keywords: Security
Depends On: 621436 621437 626319
Reported: 2010-08-04 23:46 EDT by Eugene Teo (Security Response)
Modified: 2016-04-22 09:26 EDT (History)
Doc Type: Bug Fix
Last Closed: 2016-04-22 09:26:20 EDT

Description Eugene Teo (Security Response) 2010-08-04 23:46:39 EDT
Description of problem:
There is a problem with the ioctl subsystem for drm, though it is most explicitly exposed by the intel GEM driver. Under driver-defined ioctls, drm does not sanitize the ioctl command, allowing the caller to specify how much memory should be kmalloc'd and copied back to the caller, regardless of what the driver ioctl actually does (it doesn't even need to succeed).

drivers/gpu/drm/drm_drv.c

long drm_ioctl(struct file *filp,
              unsigned int cmd, unsigned long arg)
...
       unsigned int nr = DRM_IOCTL_NR(cmd);
...
       /* nr (the low bits of cmd) selects a driver-defined ioctl; only the
        * table index is range-checked, not the size or direction bits of cmd */
       if ((nr >= DRM_COMMAND_BASE) && (nr < DRM_COMMAND_END) &&
           (nr < DRM_COMMAND_BASE + dev->driver->num_ioctls))
               ioctl = &dev->driver->ioctls[nr - DRM_COMMAND_BASE];
...
               /* direction and size come from the caller's cmd, not from the
                * driver's table entry; nothing shown here zeroes stack_kdata either */
               if (cmd & (IOC_IN | IOC_OUT)) {
                       if (_IOC_SIZE(cmd) <= sizeof(stack_kdata)) {
                               kdata = stack_kdata;
                       } else {
                               /* caller-chosen size, up to the 14-bit maximum of the
                                * ioctl encoding (16383 bytes); kmalloc() does not zero it */
                               kdata = kmalloc(_IOC_SIZE(cmd), GFP_KERNEL);
...
                       }
               }
...
               retcode = func(dev, kdata, file_priv);
...
               /* with IOC_OUT set, _IOC_SIZE(cmd) bytes of kdata are copied back
                * whether or not func initialised them, and whether or not it succeeded */
               if (cmd & IOC_OUT) {
                       if (copy_to_user((void __user *)arg, kdata,
                                        _IOC_SIZE(cmd)) != 0)
                               retcode = -EFAULT;
               }

"cmd" is caller-controlled, and can do whatever it likes for _IOC_SIZE(cmd), IOC_IN and IOC_OUT, resulting in leakage of previously freed kernel heap memory contents up to 16K in size.
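Added example (this editor's, not code from the bug report or the kernel): a user-space model of the dispatch pattern quoted above, built so the leak can be observed and measured without a DRM device. The "kernel heap" is a static arena pre-filled with a marker byte standing in for whatever a previous owner left there; the ioctl table, `struct sim_args`, and every `*_sim` helper are hypothetical. `drm_ioctl_vuln` trusts size and direction from the caller's cmd, as the excerpt does; `drm_ioctl_fixed` is an illustration of the two properties a safe dispatcher needs (direction from the driver's table, every byte the caller did not supply zeroed before the handler runs), not the patch that closed this bug.

```c
/* Constructed user-space model of the drm_ioctl() pattern quoted in the report. The "kernel
 * heap" is a static arena pre-filled with a marker byte standing in for stale contents; no
 * real DRM device is touched. struct sim_args and every *_sim name are hypothetical. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#ifdef __linux__
#include <linux/ioctl.h>   /* _IOC, _IOC_NR, _IOC_SIZE, _IOC_SIZEBITS, _IOWR, IOC_IN, IOC_OUT */
#endif
#ifndef _IOC_SIZE          /* stand-ins with the asm-generic/ioctl.h x86 layout for other toolchains */
#define _IOC_SIZEBITS 14
#define _IOC_TYPESHIFT 8
#define _IOC_SIZESHIFT 16
#define _IOC_DIRSHIFT 30
#define _IOC_WRITE 1U
#define _IOC_READ 2U
#define _IOC(dir, type, nr, size) (((dir) << _IOC_DIRSHIFT) | ((type) << _IOC_TYPESHIFT) | (nr) | ((size) << _IOC_SIZESHIFT))
#define _IOC_NR(cmd) ((cmd) & 0xff)
#define _IOC_SIZE(cmd) (((cmd) >> _IOC_SIZESHIFT) & ((1 << _IOC_SIZEBITS) - 1))
#define _IOWR(type, nr, t) _IOC(_IOC_READ | _IOC_WRITE, (type), (nr), sizeof(t))
#define IOC_IN (_IOC_WRITE << _IOC_DIRSHIFT)
#define IOC_OUT (_IOC_READ << _IOC_DIRSHIFT)
#endif

#define DRM_COMMAND_BASE 0x40                       /* same value as the kernel's */
#define SECRET_BYTE 0xA5                            /* constructed marker for stale heap contents */
#define FORGED_SIZE ((1u << _IOC_SIZEBITS) - 1)     /* largest size the cmd encoding carries: 16383 on x86 */

/* Stand-in for kmalloc(): hands out arena memory without clearing it. */
static unsigned char kheap[4 * FORGED_SIZE];
static size_t kheap_top;
static void seed_kheap(void) { memset(kheap, SECRET_BYTE, sizeof kheap); kheap_top = 0; }
static void *kmalloc_sim(size_t n)
{
    if (n > sizeof kheap - kheap_top) return NULL;
    void *p = kheap + kheap_top;
    kheap_top += n;
    return p;
}

/* One hypothetical driver-defined ioctl: it only ever touches its own 8-byte struct. */
struct sim_args { uint32_t handle; uint32_t size; };
#define SIM_IOCTL_GETINFO _IOWR('d', DRM_COMMAND_BASE + 0, struct sim_args)
static int sim_getinfo(void *data)
{
    struct sim_args *a = data;
    if (!a) return -EINVAL;
    a->size = 4096;                                 /* bytes past sizeof(*a) are never written */
    return 0;
}
struct sim_ioctl_desc { unsigned int cmd; int (*func)(void *); };
static const struct sim_ioctl_desc sim_ioctls[] = { { SIM_IOCTL_GETINFO, sim_getinfo } };
#define SIM_NUM_IOCTLS (sizeof sim_ioctls / sizeof sim_ioctls[0])

static const struct sim_ioctl_desc *sim_lookup(unsigned int cmd)
{
    unsigned int nr = _IOC_NR(cmd);                 /* only the index is checked, as in the report */
    if (nr < DRM_COMMAND_BASE || nr >= DRM_COMMAND_BASE + SIM_NUM_IOCTLS) return NULL;
    return &sim_ioctls[nr - DRM_COMMAND_BASE];
}

/* Vulnerable shape: size and direction bits are trusted straight from the caller's cmd. */
long drm_ioctl_vuln(unsigned int cmd, void *user_arg)
{
    const struct sim_ioctl_desc *ioctl = sim_lookup(cmd);
    if (!ioctl) return -EINVAL;
    size_t usize = _IOC_SIZE(cmd);
    void *kdata = NULL;
    if (cmd & (IOC_IN | IOC_OUT)) {
        kdata = kmalloc_sim(usize);                 /* uninitialised, possibly previously freed */
        if (!kdata) return -ENOMEM;
    }
    if (cmd & IOC_IN) memcpy(kdata, user_arg, usize);   /* copy_from_user() */
    long ret = ioctl->func(kdata);
    if (cmd & IOC_OUT) memcpy(user_arg, kdata, usize);  /* copy_to_user() of usize bytes, whatever func wrote */
    return ret;
}

/* Hardened shape (editor's illustration, not the kernel's patch): direction comes from the driver's
 * table entry, the buffer is at least the driver's declared size, and every byte the caller did not
 * supply is zeroed before the handler runs, so the copy back cannot expose heap contents. */
long drm_ioctl_fixed(unsigned int cmd, void *user_arg)
{
    const struct sim_ioctl_desc *ioctl = sim_lookup(cmd);
    if (!ioctl) return -EINVAL;
    size_t usize = _IOC_SIZE(cmd);                  /* what the caller claims */
    size_t asize = _IOC_SIZE(ioctl->cmd);           /* what the driver declared */
    if (usize > asize) asize = usize;
    unsigned int drv_cmd = ioctl->cmd;
    unsigned char *kdata = NULL;
    if (drv_cmd & (IOC_IN | IOC_OUT)) {
        kdata = kmalloc_sim(asize);
        if (!kdata) return -ENOMEM;
        if (drv_cmd & IOC_IN) memcpy(kdata, user_arg, usize); else memset(kdata, 0, usize);
        if (asize > usize) memset(kdata + usize, 0, asize - usize);
    }
    long ret = ioctl->func(kdata);
    if ((drv_cmd & IOC_OUT) && kdata) memcpy(user_arg, kdata, usize);
    return ret;
}

/* Forge a cmd for SIM_IOCTL_GETINFO's slot with IOC_OUT only and the maximum size, run it
 * through a dispatcher, and count marker bytes returned beyond the handler's own struct. */
size_t count_leaked_secret_bytes(long (*dispatch)(unsigned int, void *))
{
    static unsigned char out[FORGED_SIZE];
    memset(out, 0, sizeof out);
    seed_kheap();
    unsigned int forged = _IOC(_IOC_READ, 'd', DRM_COMMAND_BASE + 0, FORGED_SIZE);
    if (dispatch(forged, out) != 0) return (size_t)-1;
    size_t n = 0;
    for (size_t i = sizeof(struct sim_args); i < sizeof out; i++)
        if (out[i] == SECRET_BYTE) n++;
    return n;
}
```

Against `drm_ioctl_vuln` the forged command gets back every arena byte past the 8 bytes the handler owns, which is the "doesn't even need to succeed" point in the report: the handler ran and returned 0, but it never wrote most of what was copied out. Against `drm_ioctl_fixed` the same command returns nothing but zeros and the handler's own fields, and a legitimately sized `SIM_IOCTL_GETINFO` call still works.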
Comment 2 Eugene Teo (Security Response) 2010-08-04 23:54:15 EDT
Acknowledgements:

Red Hat would like to thank Kees Cook for reporting this issue.
Comment 3 Eugene Teo (Security Response) 2010-08-04 23:58:16 EDT
Statement:

This issue did not affect the version of Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, 5 and Red Hat Enterprise MRG as they did not include support for GPU DRM.
Comment 5 Eugene Teo (Security Response) 2010-08-05 00:04:25 EDT
To exploit this, the user has to log in under X or otherwise has r/w access to the dri path (group "video").
Comment 10 errata-xmlrpc 2010-11-10 14:09:38 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2010:0842 https://rhn.redhat.com/errata/RHSA-2010-0842.html