svn commit: r184263 - head/sys/dev/drm

Robert Noland rnoland at
Sat Oct 25 09:29:29 PDT 2008

Author: rnoland
Date: Sat Oct 25 16:29:28 2008
New Revision: 184263

  drm/i915: fix ioremap of a user address for non-root (CVE-2008-3831)
  Olaf Kirch noticed that the i915_set_status_page() function of the i915
  kernel driver calls ioremap with an address offset that is supplied by
  userspace via ioctl. The function zeroes the mapped memory via memset
  and tells the hardware about the address. Turns out that access to that
  ioctl is not restricted to root so users could probably exploit that to
  do nasty things. We haven't tried to write actual exploit code though.
  It only affects the Intel G33 series and newer.
  Approved by:	bz (secteam)
  Obtained from:	Intel drm repo
  Security:	CVE-2008-3831


Modified: head/sys/dev/drm/i915_dma.c
--- head/sys/dev/drm/i915_dma.c	Sat Oct 25 14:01:29 2008	(r184262)
+++ head/sys/dev/drm/i915_dma.c	Sat Oct 25 16:29:28 2008	(r184263)
@@ -1228,7 +1228,7 @@ struct drm_ioctl_desc i915_ioctls[] = {
 	DRM_IOCTL_DEF(DRM_I915_GET_VBLANK_PIPE,  i915_vblank_pipe_get, DRM_AUTH ),
 	DRM_IOCTL_DEF(DRM_I915_VBLANK_SWAP, i915_vblank_swap, DRM_AUTH),
 	DRM_IOCTL_DEF(DRM_I915_MMIO, i915_mmio, DRM_AUTH),
-	DRM_IOCTL_DEF(DRM_I915_HWS_ADDR, i915_set_status_page, DRM_AUTH),
 #ifdef I915_HAVE_BUFFER
 	DRM_IOCTL_DEF(DRM_I915_EXECBUFFER, i915_execbuffer, DRM_AUTH),

More information about the svn-src-head mailing list