Date: Sat, 25 Oct 2008 16:29:28 +0000 (UTC) From: Robert Noland <rnoland@FreeBSD.org> To: cvs-src-old@freebsd.org Subject: cvs commit: src/sys/dev/drm i915_dma.c Message-ID: <200810251819.m9PIJ7tJ001880@repoman.freebsd.org>
next in thread | raw e-mail | index | archive | help
rnoland 2008-10-25 16:29:28 UTC
FreeBSD src repository
Modified files:
sys/dev/drm i915_dma.c
Log:
SVN rev 184263 on 2008-10-25 16:29:28Z by rnoland
drm/i915: fix ioremap of a user address for non-root (CVE-2008-3831)
Olaf Kirch noticed that the i915_set_status_page() function of the i915
kernel driver calls ioremap with an address offset that is supplied by
userspace via ioctl. The function zeroes the mapped memory via memset
and tells the hardware about the address. Turns out that access to that
ioctl is not restricted to root so users could probably exploit that to
do nasty things. We haven't tried to write actual exploit code though.
It only affects the Intel G33 series and newer.
Approved by: bz (secteam)
Obtained from: Intel drm repo
Security: CVE-2008-3831
Revision Changes Path
1.11 +1 -1 src/sys/dev/drm/i915_dma.c
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200810251819.m9PIJ7tJ001880>