Bug 464502 (CVE-2008-3831) - CVE-2008-3831 kernel: i915 kernel drm driver arbitrary ioremap
Summary: CVE-2008-3831 kernel: i915 kernel drm driver arbitrary ioremap
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2008-3831
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: Embargoed464507 Embargoed464508 Embargoed464509
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-09-29 13:33 UTC by Eugene Teo (Security Response)
Modified: 2019-09-29 12:26 UTC (History)
9 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-12-21 17:42:54 UTC

Attachments (Terms of Use)
Proposed patch (858 bytes, patch)
2008-09-29 13:34 UTC, Eugene Teo (Security Response) 		no flags Details | Diff
Proposed backport patch for realtime kernel (831 bytes, patch)
2008-10-02 08:23 UTC, Eugene Teo (Security Response) 		no flags Details | Diff
View All


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2008:1017 0 normal SHIPPED_LIVE Important: kernel security and bug fix update 2008-12-16 07:33:56 UTC
Red Hat Product Errata RHSA-2009:0009 0 normal SHIPPED_LIVE Important: kernel security and bug fix update 2009-01-22 10:43:54 UTC

Description Eugene Teo (Security Response) 2008-09-29 13:33:26 UTC 
Description of problem:
Olaf Kirch noticed that the i915_set_status_page() function of the i915 kernel driver calls ioremap with an address offset that is supplied by userspace via ioctl. The function zeroes the mapped memory via memset and tells the hardware about the address. Turns out that access to that ioctl is not restricted to root so users could probably exploit that to do nasty things. We haven't tried to
write actual exploit code though.
Comment 1 Eugene Teo (Security Response) 2008-09-29 13:34:55 UTC 
Created attachment 317979 [details]
Proposed patch

commit 6dbfadaae00a1238c01a6a04b02cb484cd9072e7
Author: Matthias Hopf <mhopf>
Date:   Fri Sep 26 16:47:03 2008 +0200

    Only allow access to DRM_I915_HWS_ADDR ioctl() for Xserver.
Comment 3 Eugene Teo (Security Response) 2008-10-02 08:23:42 UTC 
Created attachment 319200 [details]
Proposed backport patch for realtime kernel
Comment 5 Luis Claudio R. Goncalves 2008-10-02 23:45:03 UTC 
The patch has been added to MRG's -83 kernel.
Comment 9 Tomas Hoger 2008-10-18 16:08:01 UTC 
Public now via:

http://lkml.org/lkml/2008/10/17/449
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=4b40893918203ee1a1f6a114316c2a19c072e9bd
Comment 10 Eugene Teo (Security Response) 2008-10-21 01:21:49 UTC 
(In reply to comment #9)
> Public now via:
> 
> http://lkml.org/lkml/2008/10/17/449
> http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=4b40893918203ee1a1f6a114316c2a19c072e9bd

And this http://www.debian.org/security/2008/dsa-1655

Thanks Tomas.

Eugene
Comment 11 Fedora Update System 2008-10-23 16:37:52 UTC 
kernel-2.6.26.6-49.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 14 Vincent Danen 2010-12-21 17:42:54 UTC 
This was addressed via:

Red Hat Enterprise Linux version 5 (RHSA-2008:1017)
MRG Realtime for RHEL 5 Server (RHSA-2009:0009)
Note You need to log in before you can comment on or make changes to this bug.