Bug 621435 - CVE-2010-2803 kernel: drm ioctls infoleak
Product: Security Response
Classification: Other
Component: vulnerability
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Keywords: Security
Assigned To: Red Hat Product Security
Depends On: 621436 621437 626319
Reported: 2010-08-04 23:46 EDT by Eugene Teo (Security Response)
Modified: 2016-04-22 09:26 EDT
CC: 10 users
Doc Type: Bug Fix
Last Closed: 2016-04-22 09:26:20 EDT
Description Eugene Teo (Security Response) 2010-08-04 23:46:39 EDT
Description of problem:
There is a problem with the ioctl subsystem for drm, though it is most explicitly exposed by the intel GEM driver. Under driver-defined ioctls, drm does not sanitize the ioctl command, allowing the caller to specify how much memory should be kmalloc'd and copied back to the caller, regardless of what the driver ioctl actually does (it doesn't even need to succeed).

long drm_ioctl(struct file *filp,
               unsigned int cmd, unsigned long arg)
{
        ...
        unsigned int nr = DRM_IOCTL_NR(cmd);
        ...
        /* nr selects the driver-defined ioctl; cmd itself is not compared
         * against the driver's own definition of that ioctl */
        if ((nr >= DRM_COMMAND_BASE) && (nr < DRM_COMMAND_END) &&
            (nr < DRM_COMMAND_BASE + dev->driver->num_ioctls))
                ioctl = &dev->driver->ioctls[nr - DRM_COMMAND_BASE];
        ...
                /* allocation size taken from the caller's cmd word */
                if (cmd & (IOC_IN | IOC_OUT)) {
                        if (_IOC_SIZE(cmd) <= sizeof(stack_kdata)) {
                                kdata = stack_kdata;
                        } else {
                                kdata = kmalloc(_IOC_SIZE(cmd), GFP_KERNEL);
                                ...
                        }
                }
                ...
                retcode = func(dev, kdata, file_priv);
                ...
                /* copy-out size also taken from the caller's cmd word,
                 * whatever func() actually wrote and whether or not it succeeded */
                if (cmd & IOC_OUT) {
                        if (copy_to_user((void __user *)arg, kdata,
                                         _IOC_SIZE(cmd)) != 0)
                                retcode = -EFAULT;
                }

"cmd" is caller-controlled, and can do whatever it likes for _IOC_SIZE(cmd), IOC_IN and IOC_OUT, resulting in leakage of previously freed kernel heap memory contents up to 16K in size.
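A user-space model of the dispatch flaw described above, beside a hardened dispatcher, as an added example: it is not part of the bug report, of the upstream patch, or of any kernel code. Every model_ name, the simplified ioctl word encoding, the static arena standing in for stale kmalloc memory, the 0xAA marker byte and the single 4-byte "driver" ioctl are constructed for this illustration. The hardened variant applies the principle the report implies (size and direction come from the driver's own ioctl definition, the allocation is never smaller than what the driver declares, and the buffer is cleared before the driver sees it); it is this example's own hardening, not a transcription of the real fix.

```c
#include <stdint.h>
#include <string.h>

/* Simplified ioctl word after <asm-generic/ioctl.h>: bits 0-7 nr, bits 16-29
 * size (14 bits, hence the 16K bound in the report), bits 30-31 direction. */
#define MODEL_IOC_SIZESHIFT 16
#define MODEL_IOC_DIRSHIFT  30
#define MODEL_IOC_READ      2u                  /* IOC_OUT: kernel -> user */
#define MODEL_IOC(dir, nr, size) \
    (((dir) << MODEL_IOC_DIRSHIFT) | ((unsigned)(size) << MODEL_IOC_SIZESHIFT) | (nr))
#define MODEL_IOC_NR(cmd)   ((cmd) & 0xffu)
#define MODEL_IOC_SIZE(cmd) (((cmd) >> MODEL_IOC_SIZESHIFT) & 0x3fffu)
#define MODEL_IOC_DIR(cmd)  (((cmd) >> MODEL_IOC_DIRSHIFT) & 3u)
#define MODEL_COMMAND_BASE  0x40                /* assumed driver ioctl range */
#define MODEL_NUM_IOCTLS    1

/* Stand-in for freed kernel heap: handed out uncleared, pre-filled with the
 * constructed marker 0xAA so leaked bytes can be counted. */
static uint8_t model_arena[4096];

static void *model_kmalloc(size_t n)
{
    memset(model_arena, 0xAA, sizeof model_arena);
    return n <= sizeof model_arena ? model_arena : NULL;
}

/* The driver's own definition of its single ioctl: a 4-byte OUT payload. */
struct model_ioctl_desc {
    unsigned int cmd;
    int (*func)(void *kdata);
};

static int model_drv_get_param(void *kdata)
{
    uint32_t value = 0x11223344u;               /* constructed driver result */
    memcpy(kdata, &value, sizeof value);        /* writes exactly 4 bytes */
    return 0;
}

static const struct model_ioctl_desc model_driver_ioctls[MODEL_NUM_IOCTLS] = {
    { MODEL_IOC(MODEL_IOC_READ, MODEL_COMMAND_BASE, 4), model_drv_get_param },
};

/* Vulnerable dispatch, after the drm_ioctl() excerpt: allocation and copy-out
 * sizes come from the caller's cmd word, so 256 requested bytes return 4 bytes
 * of driver output followed by 252 bytes of the allocation's old contents. */
int model_ioctl_vulnerable(unsigned int cmd, uint8_t *ubuf, size_t ulen)
{
    unsigned int nr = MODEL_IOC_NR(cmd);
    size_t size = MODEL_IOC_SIZE(cmd);
    const struct model_ioctl_desc *desc;
    uint8_t *kdata;

    if (nr < MODEL_COMMAND_BASE || nr >= MODEL_COMMAND_BASE + MODEL_NUM_IOCTLS)
        return -1;
    desc = &model_driver_ioctls[nr - MODEL_COMMAND_BASE];
    if (size > ulen || (kdata = model_kmalloc(size)) == NULL)
        return -1;
    desc->func(kdata);
    if (MODEL_IOC_DIR(cmd) & MODEL_IOC_READ)
        memcpy(ubuf, kdata, size);              /* copy_to_user(_IOC_SIZE(cmd)) */
    return 0;
}

/* Hardened dispatch (this model's own hardening, not the upstream patch): the
 * driver's declared size bounds the allocation from below, the buffer is
 * zeroed before the driver runs, and the direction comes from the driver. */
int model_ioctl_fixed(unsigned int cmd, uint8_t *ubuf, size_t ulen)
{
    unsigned int nr = MODEL_IOC_NR(cmd);
    size_t usize = MODEL_IOC_SIZE(cmd), drv_size, asize;
    const struct model_ioctl_desc *desc;
    uint8_t *kdata;

    if (nr < MODEL_COMMAND_BASE || nr >= MODEL_COMMAND_BASE + MODEL_NUM_IOCTLS)
        return -1;
    desc = &model_driver_ioctls[nr - MODEL_COMMAND_BASE];
    drv_size = MODEL_IOC_SIZE(desc->cmd);
    asize = usize > drv_size ? usize : drv_size;
    if (usize > ulen || (kdata = model_kmalloc(asize)) == NULL)
        return -1;
    memset(kdata, 0, asize);                    /* stale bytes can never leave */
    desc->func(kdata);
    if (MODEL_IOC_DIR(desc->cmd) & MODEL_IOC_READ)
        memcpy(ubuf, kdata, usize);
    return 0;
}

/* Issue the ioctl with an over-stated 256-byte size and count marker bytes
 * that came back: 252 on the vulnerable path, 0 on the fixed one. */
size_t model_leaked_bytes(int (*dispatch)(unsigned int, uint8_t *, size_t))
{
    uint8_t ubuf[256] = { 0 };
    unsigned int cmd = MODEL_IOC(MODEL_IOC_READ, MODEL_COMMAND_BASE, sizeof ubuf);
    size_t i, leaked = 0;

    if (dispatch(cmd, ubuf, sizeof ubuf) != 0)
        return (size_t)-1;
    for (i = 0; i < sizeof ubuf; i++)
        leaked += (ubuf[i] == 0xAA);
    return leaked;
}
```

The same caller-controlled size field also works in the other direction: a cmd word declaring a size smaller than the driver's payload makes the driver write past the allocation, which is why the hardened path allocates max(caller size, driver size) instead of only clearing the buffer. The 16K figure in the report follows from the 14-bit size field of the ioctl word.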
Comment 2 Eugene Teo (Security Response) 2010-08-04 23:54:15 EDT

Red Hat would like to thank Kees Cook for reporting this issue.
Comment 3 Eugene Teo (Security Response) 2010-08-04 23:58:16 EDT

This issue did not affect the version of Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, 5 and Red Hat Enterprise MRG as they did not include support for GPU DRM.
Comment 5 Eugene Teo (Security Response) 2010-08-05 00:04:25 EDT
To exploit this, the user has to log in under X or otherwise have r/w access to the dri path (group "video").
Comment 10 errata-xmlrpc 2010-11-10 14:09:38 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2010:0842
Comment 11 errata-xmlrpc 2010-11-22 14:35:28 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2010:0842