Description of problem: There is a problem with the ioctl subsystem for drm, though it is most explicitly exposed by the intel GEM driver. Under driver-defined ioctls, drm does not sanitize the ioctl command, allowing the caller to specify how much memory should be kmalloc'd and copied back to the caller, regardless of what the driver ioctl actually does (it doesn't even need to succeed).

drivers/gpu/drm/drm_drv.c:

    long drm_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
    ...
        unsigned int nr = DRM_IOCTL_NR(cmd);
    ...
        if ((nr >= DRM_COMMAND_BASE) && (nr < DRM_COMMAND_END) &&
            (nr < DRM_COMMAND_BASE + dev->driver->num_ioctls))
            ioctl = &dev->driver->ioctls[nr - DRM_COMMAND_BASE];
    ...
        if (cmd & (IOC_IN | IOC_OUT)) {
            if (_IOC_SIZE(cmd) <= sizeof(stack_kdata)) {
                kdata = stack_kdata;
            } else {
                kdata = kmalloc(_IOC_SIZE(cmd), GFP_KERNEL);
                ...
            }
        }
    ...
        retcode = func(dev, kdata, file_priv);
    ...
        if (cmd & IOC_OUT) {
            if (copy_to_user((void __user *)arg, kdata, _IOC_SIZE(cmd)) != 0)
                retcode = -EFAULT;
        }

"cmd" is caller-controlled, and can do whatever it likes for _IOC_SIZE(cmd), IOC_IN and IOC_OUT, resulting in leakage of previously freed kernel heap memory contents up to 16K in size.
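As an added illustration (not the upstream patch and not Red Hat's code), the following userspace C model follows the shape of the fixes linked below: the allocation is bounded by the driver's declared size rather than only the caller's, slack past the caller's size is zeroed, and a buffer that was not filled from userspace is zeroed before the driver runs, so no stale stack or heap bytes can reach the caller whatever size it requests. IOC_IN/IOC_OUT, DRV_REPLY_SIZE, fake_driver_ioctl, stale_kmalloc, drm_ioctl_hardened and leaked_bytes_for are names assumed for this model.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed userspace model of the drm_ioctl() dispatch; not kernel code. */
#define IOC_IN  0x1u
#define IOC_OUT 0x2u
#define DRV_REPLY_SIZE 16          /* size the hypothetical driver ioctl declares */

/* Hypothetical driver handler: always writes its full fixed-size reply. */
static int fake_driver_ioctl(uint8_t *data) { memset(data, 0xAB, DRV_REPLY_SIZE); return 0; }
/* Stand-in for kmalloc(): fresh memory still holds old contents (0x5A marker). */
static void *stale_kmalloc(size_t n) { void *p = malloc(n); if (p) memset(p, 0x5A, n); return p; }

/* Hardened dispatch in the shape of the upstream fixes: the driver's declared size
 * bounds the allocation (no under-allocated buffer for the driver to overrun),
 * slack past the caller's size is zeroed, and a buffer not filled from userspace
 * is zeroed before the driver runs. Returns the byte count copied back to 'user'. */
static size_t drm_ioctl_hardened(unsigned flags, size_t usize, uint8_t *user) {
    uint8_t stack_kdata[128];
    size_t asize = usize > DRV_REPLY_SIZE ? usize : DRV_REPLY_SIZE;
    uint8_t *kdata = asize <= sizeof stack_kdata ? stack_kdata : stale_kmalloc(asize);
    if (!kdata) return 0;
    if (flags & IOC_IN)
        memcpy(kdata, user, usize);      /* copy_from_user(kdata, arg, usize) */
    else
        memset(kdata, 0, usize);         /* never hand back stale stack/heap bytes */
    if (asize > usize)
        memset(kdata + usize, 0, asize - usize);
    fake_driver_ioctl(kdata);
    if (flags & IOC_OUT)
        memcpy(user, kdata, usize);      /* copy_to_user(arg, kdata, usize) */
    if (kdata != stack_kdata) free(kdata);
    return (flags & IOC_OUT) ? usize : 0;
}

/* Issue a read-only request of 'usize' bytes and count reply bytes beyond the
 * driver's answer that are non-zero: any such byte would be leaked kernel memory.
 * Returns -1 on allocation failure, -2 if the driver's reply did not arrive. */
static long leaked_bytes_for(size_t usize) {
    uint8_t *buf = malloc(usize);
    if (!buf) return -1;
    memset(buf, 0x5A, usize);            /* marker that the copy-out must overwrite */
    size_t n = drm_ioctl_hardened(IOC_OUT, usize, buf);
    long leaked = (n && buf[0] != 0xAB) ? -2 : 0;
    for (size_t i = DRV_REPLY_SIZE; leaked >= 0 && i < n; i++)
        if (buf[i] != 0) leaked++;
    free(buf);
    return leaked;
}
```

Requesting 8 bytes exercises the under-allocation case (the driver still gets its full 16-byte buffer), while 4096 or 16384 bytes exercise the kmalloc path the report describes.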
Acknowledgements: Red Hat would like to thank Kees Cook for reporting this issue.
Statement: This issue did not affect the versions of the Linux kernel shipped with Red Hat Enterprise Linux 3, 4, 5 and Red Hat Enterprise MRG, as they did not include GPU DRM support.
To exploit this, the user has to be logged in under X or otherwise have r/w access to the dri path (group "video").
Fixes:
http://git.kernel.org/?p=linux/kernel/git/airlied/drm-2.6.git;a=commitdiff;h=b9f0aee83335db1f3915f4e42a5e21b351740afd
http://git.kernel.org/?p=linux/kernel/git/airlied/drm-2.6.git;a=commitdiff;h=1b2f1489633888d4a06028315dc19d65768a1c05

Upstream commits:
http://git.kernel.org/linus/b9f0aee83335db1f3915f4e42a5e21b351740afd
http://git.kernel.org/linus/2854eedae2ff35d95e8923bebdb942bbd537c54f
http://git.kernel.org/linus/1b2f1489633888d4a06028315dc19d65768a1c05
This issue has been addressed in the following products: Red Hat Enterprise Linux 6, via RHSA-2010:0842 https://rhn.redhat.com/errata/RHSA-2010-0842.html