From owner-cvs-src-old@FreeBSD.ORG  Sat Oct 25 18:19:07 2008
Return-Path: <owner-cvs-src-old@FreeBSD.ORG>
Delivered-To: cvs-src-old@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 8ED661065670
	for <cvs-src-old@freebsd.org>; Sat, 25 Oct 2008 18:19:07 +0000 (UTC)
	(envelope-from rnoland@FreeBSD.org)
Received: from repoman.freebsd.org (repoman.freebsd.org
	[IPv6:2001:4f8:fff6::29])
	by mx1.freebsd.org (Postfix) with ESMTP id 7C04A8FC1D
	for <cvs-src-old@freebsd.org>; Sat, 25 Oct 2008 18:19:07 +0000 (UTC)
	(envelope-from rnoland@FreeBSD.org)
Received: from repoman.freebsd.org (localhost [127.0.0.1])
	by repoman.freebsd.org (8.14.3/8.14.3) with ESMTP id m9PIJ715001881
	for <cvs-src-old@freebsd.org>; Sat, 25 Oct 2008 18:19:07 GMT
	(envelope-from rnoland@repoman.freebsd.org)
Received: (from svn2cvs@localhost)
	by repoman.freebsd.org (8.14.3/8.14.3/Submit) id m9PIJ7tJ001880
	for cvs-src-old@freebsd.org; Sat, 25 Oct 2008 18:19:07 GMT
	(envelope-from rnoland@repoman.freebsd.org)
Message-Id: <200810251819.m9PIJ7tJ001880@repoman.freebsd.org>
X-Authentication-Warning: repoman.freebsd.org: svn2cvs set sender to
	rnoland@repoman.freebsd.org using -f
From: Robert Noland <rnoland@FreeBSD.org>
Date: Sat, 25 Oct 2008 16:29:28 +0000 (UTC)
To: cvs-src-old@freebsd.org
X-FreeBSD-CVS-Branch: HEAD
Subject: cvs commit: src/sys/dev/drm i915_dma.c
X-BeenThere: cvs-src-old@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: **OBSOLETE** CVS commit messages for the src tree
	<cvs-src-old.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/cvs-src-old>,
	<mailto:cvs-src-old-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/cvs-src-old>
List-Post: <mailto:cvs-src-old@freebsd.org>
List-Help: <mailto:cvs-src-old-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/cvs-src-old>,
	<mailto:cvs-src-old-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 25 Oct 2008 18:19:07 -0000

rnoland     2008-10-25 16:29:28 UTC

  FreeBSD src repository

  Modified files:
    sys/dev/drm          i915_dma.c 
  Log:
  SVN rev 184263 on 2008-10-25 16:29:28Z by rnoland
  
  drm/i915: fix ioremap of a user address for non-root (CVE-2008-3831)
  
  Olaf Kirch noticed that the i915_set_status_page() function of the i915
  kernel driver calls ioremap with an address offset that is supplied by
  userspace via ioctl. The function zeroes the mapped memory via memset
  and tells the hardware about the address. Turns out that access to that
  ioctl is not restricted to root so users could probably exploit that to
  do nasty things. We haven't tried to write actual exploit code though.
  
  It only affects the Intel G33 series and newer.
  
  Approved by:    bz (secteam)
  Obtained from:  Intel drm repo
  Security:       CVE-2008-3831
  
  Revision  Changes    Path
  1.11      +1 -1      src/sys/dev/drm/i915_dma.c