From owner-svn-src-all@FreeBSD.ORG Sat Oct 25 16:29:28 2008 Return-Path: Delivered-To: svn-src-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id D436D106566B; Sat, 25 Oct 2008 16:29:28 +0000 (UTC) (envelope-from rnoland@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id C22EA8FC17; Sat, 25 Oct 2008 16:29:28 +0000 (UTC) (envelope-from rnoland@FreeBSD.org) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id m9PGTS6X037247; Sat, 25 Oct 2008 16:29:28 GMT (envelope-from rnoland@svn.freebsd.org) Received: (from rnoland@localhost) by svn.freebsd.org (8.14.3/8.14.3/Submit) id m9PGTSrj037246; Sat, 25 Oct 2008 16:29:28 GMT (envelope-from rnoland@svn.freebsd.org) Message-Id: <200810251629.m9PGTSrj037246@svn.freebsd.org> From: Robert Noland Date: Sat, 25 Oct 2008 16:29:28 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r184263 - head/sys/dev/drm X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 25 Oct 2008 16:29:29 -0000 Author: rnoland Date: Sat Oct 25 16:29:28 2008 New Revision: 184263 URL: http://svn.freebsd.org/changeset/base/184263 Log: drm/i915: fix ioremap of a user address for non-root (CVE-2008-3831) Olaf Kirch noticed that the i915_set_status_page() function of the i915 kernel driver calls ioremap with an address offset that is supplied by userspace via ioctl. The function zeroes the mapped memory via memset and tells the hardware about the address. Turns out that access to that ioctl is not restricted to root so users could probably exploit that to do nasty things. We haven't tried to write actual exploit code though. It only affects the Intel G33 series and newer. Approved by: bz (secteam) Obtained from: Intel drm repo Security: CVE-2008-3831 Modified: head/sys/dev/drm/i915_dma.c Modified: head/sys/dev/drm/i915_dma.c ============================================================================== --- head/sys/dev/drm/i915_dma.c Sat Oct 25 14:01:29 2008 (r184262) +++ head/sys/dev/drm/i915_dma.c Sat Oct 25 16:29:28 2008 (r184263) @@ -1228,7 +1228,7 @@ struct drm_ioctl_desc i915_ioctls[] = { DRM_IOCTL_DEF(DRM_I915_GET_VBLANK_PIPE, i915_vblank_pipe_get, DRM_AUTH ), DRM_IOCTL_DEF(DRM_I915_VBLANK_SWAP, i915_vblank_swap, DRM_AUTH), DRM_IOCTL_DEF(DRM_I915_MMIO, i915_mmio, DRM_AUTH), - DRM_IOCTL_DEF(DRM_I915_HWS_ADDR, i915_set_status_page, DRM_AUTH), + DRM_IOCTL_DEF(DRM_I915_HWS_ADDR, i915_set_status_page, DRM_AUTH|DRM_MASTER|DRM_ROOT_ONLY), #ifdef I915_HAVE_BUFFER DRM_IOCTL_DEF(DRM_I915_EXECBUFFER, i915_execbuffer, DRM_AUTH), #endif