Bug 464502 (CVE-2008-3831) - CVE-2008-3831 kernel: i915 kernel drm driver arbitrary ioremap
Summary: CVE-2008-3831 kernel: i915 kernel drm driver arbitrary ioremap
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2008-3831
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 464507 464508 464509
Blocks:
Reported: 2008-09-29 13:33 UTC by Eugene Teo (Security Response)
Modified: 2019-09-29 12:26 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-12-21 17:42:54 UTC
Embargoed:


Attachments
Proposed patch (858 bytes, patch)
2008-09-29 13:34 UTC, Eugene Teo (Security Response)
Proposed backport patch for realtime kernel (831 bytes, patch)
2008-10-02 08:23 UTC, Eugene Teo (Security Response)


Links
| System | ID | Private | Priority | Status | Summary | Last Updated |
| --- | --- | --- | --- | --- | --- | --- |
| Red Hat Product Errata | RHSA-2008:1017 | 0 | normal | SHIPPED_LIVE | Important: kernel security and bug fix update | 2008-12-16 07:33:56 UTC |
| Red Hat Product Errata | RHSA-2009:0009 | 0 | normal | SHIPPED_LIVE | Important: kernel security and bug fix update | 2009-01-22 10:43:54 UTC |

Description Eugene Teo (Security Response) 2008-09-29 13:33:26 UTC
Description of problem:
Olaf Kirch noticed that the i915_set_status_page() function of the i915 kernel driver calls ioremap with an address offset that is supplied by userspace via ioctl. The function zeroes the mapped memory via memset and tells the hardware about the address. Turns out that access to that ioctl is not restricted to root so users could probably exploit that to do nasty things. We haven't tried to write actual exploit code though.

Comment 1 Eugene Teo (Security Response) 2008-09-29 13:34:55 UTC
Created attachment 317979
Proposed patch

commit 6dbfadaae00a1238c01a6a04b02cb484cd9072e7
Author: Matthias Hopf <mhopf>
Date:   Fri Sep 26 16:47:03 2008 +0200

    Only allow access to DRM_I915_HWS_ADDR ioctl() for Xserver.
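
The access check that the commit message in Comment 1 refers to, as an added userspace model that is not taken from the attached patch or from the kernel tree. DRM_AUTH, DRM_MASTER and DRM_ROOT_ONLY are the DRM core's ioctl permission flags; the before/after flag sets shown for DRM_I915_HWS_ADDR, `struct caller` and `drm_permit()` are assumptions made for this illustration.

```c
#include <errno.h>
#include <stdio.h>

/* Permission flags used in the DRM core's ioctl tables. */
#define DRM_AUTH      0x1  /* caller must be an authenticated client */
#define DRM_MASTER    0x2  /* caller must be the DRM master (the X server) */
#define DRM_ROOT_ONLY 0x4  /* caller must have CAP_SYS_ADMIN */

/* Hypothetical stand-in for struct drm_file plus the capable() result. */
struct caller {
    int authenticated;
    int master;
    int cap_sys_admin;
};

/* Model of the gate applied before a handler such as
 * i915_set_status_page() runs: 0 if allowed, -EACCES otherwise. */
int drm_permit(int flags, const struct caller *c)
{
    if ((flags & DRM_ROOT_ONLY) && !c->cap_sys_admin)
        return -EACCES;
    if ((flags & DRM_AUTH) && !c->authenticated)
        return -EACCES;
    if ((flags & DRM_MASTER) && !c->master)
        return -EACCES;
    return 0;
}

/* Assumed table flags for DRM_I915_HWS_ADDR, before and after the fix. */
const int HWS_ADDR_BEFORE = DRM_AUTH;
const int HWS_ADDR_AFTER  = DRM_AUTH | DRM_MASTER | DRM_ROOT_ONLY;

/* Constructed callers: a local user's authenticated client and the X server. */
const struct caller local_user = { 1, 0, 0 };
const struct caller x_server   = { 1, 1, 1 };

int main(void)
{
    printf("before: user=%d xserver=%d\n",
           drm_permit(HWS_ADDR_BEFORE, &local_user),
           drm_permit(HWS_ADDR_BEFORE, &x_server));
    printf("after:  user=%d xserver=%d\n",
           drm_permit(HWS_ADDR_AFTER, &local_user),
           drm_permit(HWS_ADDR_AFTER, &x_server));
    return 0;
}
```

With the tightened flags the handler that performs the ioremap and memset is never reached for an unprivileged client, so the userspace-supplied address is only ever accepted from the X server.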

Comment 3 Eugene Teo (Security Response) 2008-10-02 08:23:42 UTC
Created attachment 319200
Proposed backport patch for realtime kernel

Comment 5 Luis Claudio R. Goncalves 2008-10-02 23:45:03 UTC
The patch has been added to MRG's -83 kernel.

Comment 11 Fedora Update System 2008-10-23 16:37:52 UTC
kernel-2.6.26.6-49.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 Vincent Danen 2010-12-21 17:42:54 UTC
This was addressed via:

Red Hat Enterprise Linux version 5 (RHSA-2008:1017)
MRG Realtime for RHEL 5 Server (RHSA-2009:0009)

