Bug 621435 (CVE-2010-2803) - CVE-2010-2803 kernel: drm ioctls infoleak
Summary: CVE-2010-2803 kernel: drm ioctls infoleak
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: CVE-2010-2803
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 621436 621437 626319
Blocks:
Reported: 2010-08-05 03:46 UTC by Eugene Teo (Security Response)
Modified: 2023-05-12 14:52 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-04-22 13:26:20 UTC
Embargoed:




Links:
Red Hat Product Errata RHSA-2010:0842 (priority: normal; status: SHIPPED_LIVE) - Important: kernel security and bug fix update; last updated 2010-11-22 19:34:20 UTC

Description Eugene Teo (Security Response) 2010-08-05 03:46:39 UTC
Description of problem:
There is a problem with the ioctl subsystem for drm, though it is most explicitly exposed by the Intel GEM driver. Under driver-defined ioctls, drm does not sanitize the ioctl command, allowing the caller to specify how much memory should be kmalloc'd and copied back to the caller, regardless of what the driver ioctl actually does (it doesn't even need to succeed).

drivers/gpu/drm/drm_drv.c

long drm_ioctl(struct file *filp,
              unsigned int cmd, unsigned long arg)
...
       unsigned int nr = DRM_IOCTL_NR(cmd);
...
       if ((nr >= DRM_COMMAND_BASE) && (nr < DRM_COMMAND_END) &&
           (nr < DRM_COMMAND_BASE + dev->driver->num_ioctls))
               ioctl = &dev->driver->ioctls[nr - DRM_COMMAND_BASE];
...
               if (cmd & (IOC_IN | IOC_OUT)) {
                       if (_IOC_SIZE(cmd) <= sizeof(stack_kdata)) {
                               kdata = stack_kdata;
                       } else {
                               kdata = kmalloc(_IOC_SIZE(cmd), GFP_KERNEL);
...
                       }
               }
...
               retcode = func(dev, kdata, file_priv);
...
               if (cmd & IOC_OUT) {
                       if (copy_to_user((void __user *)arg, kdata,
                                        _IOC_SIZE(cmd)) != 0)
                               retcode = -EFAULT;
               }



"cmd" is caller-controlled, and can do whatever it likes for _IOC_SIZE(cmd), IOC_IN and IOC_OUT, resulting in leakage of previously freed kernel heap memory contents up to 16K in size.
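
Added illustration, not part of the report above and not kernel source: a user-space C model of the dispatch path quoted above, with a constructed 16 KiB "heap" holding stale data, one invented driver ioctl (DEMO_IOCTL_DOUBLE at nr DRM_COMMAND_BASE) and two dispatchers. drm_ioctl_vulnerable() mirrors the quoted logic, including the copy back to the caller whatever the handler returned. drm_ioctl_hardened() is one possible fix, written for this example rather than taken from the upstream patch: size and direction come from the driver's ioctl table, a caller size that differs from the declared one is rejected, and the buffer is zeroed before the handler runs. fake_kmalloc, MK_CMD, lookup, stale_bytes_leaked and legit_call are assumptions of this example; the ioctl bit layout is the <asm-generic/ioctl.h> one.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed user-space model of the 2.6.35-era drm_ioctl() dispatch; the "heap",
 * the driver table and DEMO_IOCTL_DOUBLE are hypothetical stand-ins, not kernel code. */
#define IOC_IN  (1U << 30)                   /* _IOC_WRITE << _IOC_DIRSHIFT: user -> kernel */
#define IOC_OUT (2U << 30)                   /* _IOC_READ  << _IOC_DIRSHIFT: kernel -> user */
#define MK_CMD(dir, type, nr, size) ((unsigned int)((dir) | ((type) << 8) | (nr) | ((size) << 16)))
#define IOC_NR(cmd)   ((cmd) & 0xffU)
#define IOC_SIZE(cmd) (((cmd) >> 16) & 0x3fffU)   /* the size field is only 14 bits wide */
#define DRM_COMMAND_BASE 0x40
#define DRM_COMMAND_END  0xA0
#define HEAP_SIZE (16 * 1024)
/* Kernel heap stand-in: like kmalloc(GFP_KERNEL), hands memory back without clearing it. */
static unsigned char fake_heap[HEAP_SIZE];
static void *fake_kmalloc(size_t size) { return size <= HEAP_SIZE ? fake_heap : NULL; }

/* Hypothetical driver ioctl: out = 2 * in; a zero input fails with -EINVAL and writes nothing. */
struct demo_args { uint32_t in; uint32_t out; };
#define DEMO_IOCTL_DOUBLE MK_CMD(IOC_IN | IOC_OUT, 'd', DRM_COMMAND_BASE, sizeof(struct demo_args))
static int demo_double(void *kdata) {
    struct demo_args *a = kdata;
    if (a->in == 0) return -EINVAL;
    a->out = a->in * 2;
    return 0;
}
struct drm_ioctl_desc { unsigned int cmd; int (*func)(void *kdata); };
static const struct drm_ioctl_desc driver_ioctls[] = { { DEMO_IOCTL_DOUBLE, demo_double } };
#define NUM_DRIVER_IOCTLS (sizeof(driver_ioctls) / sizeof(driver_ioctls[0]))
static const struct drm_ioctl_desc *lookup(unsigned int cmd) {   /* the quoted range check */
    unsigned int nr = IOC_NR(cmd);
    if (nr >= DRM_COMMAND_BASE && nr < DRM_COMMAND_END && nr < DRM_COMMAND_BASE + NUM_DRIVER_IOCTLS)
        return &driver_ioctls[nr - DRM_COMMAND_BASE];
    return NULL;
}

/* Vulnerable dispatch, as quoted: size and direction are read from the caller's cmd and the
 * uncleared buffer goes back for as many bytes as asked, even when func failed.
 * Returns the handler's code; *copied receives the byte count written to the caller. */
static int drm_ioctl_vulnerable(unsigned int cmd, void *arg, size_t *copied) {
    const struct drm_ioctl_desc *ioctl = lookup(cmd);
    unsigned char *kdata = NULL;
    int retcode;
    *copied = 0;
    if (!ioctl) return -EINVAL;
    if ((cmd & (IOC_IN | IOC_OUT)) && !(kdata = fake_kmalloc(IOC_SIZE(cmd)))) return -ENOMEM;
    if (cmd & IOC_IN) memcpy(kdata, arg, IOC_SIZE(cmd));   /* copy_from_user */
    retcode = ioctl->func(kdata);
    if (cmd & IOC_OUT) {                     /* copy_to_user, whatever retcode is */
        memcpy(arg, kdata, IOC_SIZE(cmd));
        *copied = IOC_SIZE(cmd);
    }
    return retcode;
}

/* Hardened dispatch (this example's fix, not the upstream patch): the driver table decides
 * size and direction, a caller size that differs from it is rejected, the buffer is zeroed. */
static int drm_ioctl_hardened(unsigned int cmd, void *arg, size_t *copied) {
    const struct drm_ioctl_desc *ioctl = lookup(cmd);
    unsigned char *kdata = NULL;
    unsigned int size;
    int retcode;
    *copied = 0;
    if (!ioctl || IOC_SIZE(cmd) != IOC_SIZE(ioctl->cmd)) return -EINVAL;
    cmd = ioctl->cmd;                        /* caller's direction bits are discarded */
    size = IOC_SIZE(cmd);
    if (cmd & (IOC_IN | IOC_OUT)) {
        if (!(kdata = fake_kmalloc(size))) return -ENOMEM;
        memset(kdata, 0, size);              /* nothing stale can reach the caller */
    }
    if (cmd & IOC_IN) memcpy(kdata, arg, size);
    retcode = ioctl->func(kdata);
    if (cmd & IOC_OUT) {
        memcpy(arg, kdata, size);
        *copied = size;
    }
    return retcode;
}

/* The attack from the report: IOC_OUT only (nothing is copied in), the driver's nr, and the
 * size field at its 14-bit maximum 0x3fff, which is where the "up to 16K" figure comes from. */
#define ATTACK_CMD MK_CMD(IOC_OUT, 'd', DRM_COMMAND_BASE, 0x3fffU)
typedef int (*dispatch_fn)(unsigned int, void *, size_t *);

/* Seeds the fake heap with a recognisable pattern, runs the attack, and counts how many
 * pattern bytes beyond the real 8-byte struct reached the caller's zeroed buffer. */
static size_t stale_bytes_leaked(dispatch_fn dispatch) {
    static unsigned char user_buf[HEAP_SIZE];
    size_t copied, leaked = 0;
    for (size_t i = 0; i < HEAP_SIZE; i++) fake_heap[i] = (unsigned char)('A' + i % 26);
    memset(user_buf, 0, sizeof(user_buf));
    dispatch(ATTACK_CMD, user_buf, &copied);
    for (size_t i = sizeof(struct demo_args); i < copied; i++)
        if (user_buf[i] == (unsigned char)('A' + i % 26)) leaked++;
    return leaked;
}

/* A well-formed call that both dispatchers must still accept: 21 -> 42. */
static uint32_t legit_call(dispatch_fn dispatch) {
    struct demo_args a = { 21, 0 };
    size_t copied;
    return dispatch(DEMO_IOCTL_DOUBLE, &a, &copied) == 0 ? a.out : 0;
}
```

Against the vulnerable dispatcher, stale_bytes_leaked() returns 16375: the attack asks for 0x3fff bytes with only IOC_OUT set, so nothing is copied in, the handler touches only the first 8 bytes, and the rest of the uncleared buffer is handed back. The hardened dispatcher refuses the request (size 0x3fff does not match the declared 8) and copies nothing, while both still return 42 for the well-formed call. Zeroing the buffer also covers the case the report stresses, a handler that fails without writing anything.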

Comment 2 Eugene Teo (Security Response) 2010-08-05 03:54:15 UTC
Acknowledgements:

Red Hat would like to thank Kees Cook for reporting this issue.

Comment 3 Eugene Teo (Security Response) 2010-08-05 03:58:16 UTC
Statement:

This issue did not affect the version of Linux kernel as shipped with Red Hat
Enterprise Linux 3, 4, 5 and Red Hat Enterprise MRG as they did not include
support for GPU DRM.

Comment 5 Eugene Teo (Security Response) 2010-08-05 04:04:25 UTC
To exploit this, the user has to log in under X or otherwise have r/w access to the dri path (group "video").

Comment 10 errata-xmlrpc 2010-11-10 19:09:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2010:0842 https://rhn.redhat.com/errata/RHSA-2010-0842.html

Comment 11 errata-xmlrpc 2010-11-22 19:35:28 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2010:0842 https://rhn.redhat.com/errata/RHSA-2010-0842.html

