CVE-2008-3831 / svn commit: r184263 - head/sys/dev/drm (fwd)

Bjoern A. Zeeb bz at FreeBSD.org
Sat Oct 25 22:03:54 UTC 2008 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hi,

the commit referenced below fixes a problem arosen from an insufficient
(missing) privilege check.
If you are running a HEAD kernel from Aug 23 2008 (r182080) or later
with drm/i915drm you want to update your kernel.

The problem is only present in HEAD thus there will be no security
advisory.


Regards,

Bjoern A. Zeeb
FreeBSD Security Team

- -- 
Bjoern A. Zeeb              Stop bit received. Insert coin for new game.

- ---------- Forwarded message ----------
Date: Sat, 25 Oct 2008 16:29:28 +0000 (UTC)
From: Robert Noland <rnoland at FreeBSD.org>
To: src-committers at freebsd.org, svn-src-all at freebsd.org,
     svn-src-head at freebsd.org
Subject: svn commit: r184263 - head/sys/dev/drm

Author: rnoland
Date: Sat Oct 25 16:29:28 2008
New Revision: 184263
URL: http://svn.freebsd.org/changeset/base/184263

Log:
   drm/i915: fix ioremap of a user address for non-root (CVE-2008-3831)

   Olaf Kirch noticed that the i915_set_status_page() function of the i915
   kernel driver calls ioremap with an address offset that is supplied by
   userspace via ioctl. The function zeroes the mapped memory via memset
   and tells the hardware about the address. Turns out that access to that
   ioctl is not restricted to root so users could probably exploit that to
   do nasty things. We haven't tried to write actual exploit code though.

   It only affects the Intel G33 series and newer.

   Approved by:	bz (secteam)
   Obtained from:	Intel drm repo
   Security:	CVE-2008-3831

Modified:
   head/sys/dev/drm/i915_dma.c

Modified: head/sys/dev/drm/i915_dma.c
==============================================================================
- --- head/sys/dev/drm/i915_dma.c	Sat Oct 25 14:01:29 2008	(r184262)
+++ head/sys/dev/drm/i915_dma.c	Sat Oct 25 16:29:28 2008	(r184263)
@@ -1228,7 +1228,7 @@ struct drm_ioctl_desc i915_ioctls[] = {
  	DRM_IOCTL_DEF(DRM_I915_GET_VBLANK_PIPE,  i915_vblank_pipe_get, DRM_AUTH ),
  	DRM_IOCTL_DEF(DRM_I915_VBLANK_SWAP, i915_vblank_swap, DRM_AUTH),
  	DRM_IOCTL_DEF(DRM_I915_MMIO, i915_mmio, DRM_AUTH),
- -	DRM_IOCTL_DEF(DRM_I915_HWS_ADDR, i915_set_status_page, DRM_AUTH),
+	DRM_IOCTL_DEF(DRM_I915_HWS_ADDR, i915_set_status_page, DRM_AUTH|DRM_MASTER|DRM_ROOT_ONLY),
  #ifdef I915_HAVE_BUFFER
  	DRM_IOCTL_DEF(DRM_I915_EXECBUFFER, i915_execbuffer, DRM_AUTH),
  #endif
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.2 (FreeBSD)

iD8DBQFJA5MKK1i4+DzPGEIRAp0NAJ9cGyIwyTLp4hYvbwYMll7cROkmKQCghNvb
sy2LhCFWcEzfad7oEP1qU4M=
=RXrx
-----END PGP SIGNATURE-----

More information about the freebsd-security mailing list