kernel-fxtec-pro1x/drivers/gpu/drm
Matthias Hopf 4b40893918 drm/i915: fix ioremap of a user address for non-root (CVE-2008-3831)
Olaf Kirch noticed that the i915_set_status_page() function of the i915
kernel driver calls ioremap with an address offset that is supplied by
userspace via ioctl. The function zeroes the mapped memory via memset
and tells the hardware about the address. Turns out that access to that
ioctl is not restricted to root so users could probably exploit that to
do nasty things. We haven't tried to write actual exploit code though.

It only affects the Intel G33 series and newer.

Signed-off-by: Dave Airlie <airlied@redhat.com>
2008-10-18 07:18:05 +10:00
..
i810 drm: reorganise drm tree to be more future proof. 2008-07-14 10:45:01 +10:00
i830 drm: reorganise drm tree to be more future proof. 2008-07-14 10:45:01 +10:00
i915 drm/i915: fix ioremap of a user address for non-root (CVE-2008-3831) 2008-10-18 07:18:05 +10:00
mga drm: kill drm_device->irq 2008-10-18 07:10:53 +10:00
r128 drm: kill drm_device->irq 2008-10-18 07:10:53 +10:00
radeon radeon: fix PCI bus mastering support enables. 2008-10-18 07:10:54 +10:00
savage drm: reorganise drm tree to be more future proof. 2008-07-14 10:45:01 +10:00
sis SiS DRM: fix a pointer cast warning 2008-10-18 07:10:10 +10:00
tdfx drm: reorganise drm tree to be more future proof. 2008-07-14 10:45:01 +10:00
via drm: kill drm_device->irq 2008-10-18 07:10:53 +10:00
ati_pcigart.c drm: reorganise drm tree to be more future proof. 2008-07-14 10:45:01 +10:00
drm_agpsupport.c i915: Map status page cached for chips with GTT-based HWS location. 2008-10-18 07:10:53 +10:00
drm_auth.c drm: reorganise drm tree to be more future proof. 2008-07-14 10:45:01 +10:00
drm_bufs.c drm: reorganise drm tree to be more future proof. 2008-07-14 10:45:01 +10:00
drm_cache.c drm: wbinvd is cache coherent. 2008-10-18 07:10:53 +10:00
drm_context.c drm: reorganise drm tree to be more future proof. 2008-07-14 10:45:01 +10:00
drm_dma.c drm: reorganise drm tree to be more future proof. 2008-07-14 10:45:01 +10:00
drm_drawable.c drm: reorganise drm tree to be more future proof. 2008-07-14 10:45:01 +10:00
drm_drv.c drm: Add GEM ("graphics execution manager") to i915 driver. 2008-10-18 07:10:12 +10:00
drm_fops.c drm: Add GEM ("graphics execution manager") to i915 driver. 2008-10-18 07:10:12 +10:00
drm_gem.c DRM: Return -EBADF on bad object in flink, and return curent name if it exists. 2008-10-18 07:10:52 +10:00
drm_hashtab.c drm: reorganise drm tree to be more future proof. 2008-07-14 10:45:01 +10:00
drm_ioc32.c drm: reorganise drm tree to be more future proof. 2008-07-14 10:45:01 +10:00
drm_ioctl.c drm: reorganise drm tree to be more future proof. 2008-07-14 10:45:01 +10:00
drm_irq.c drm: kill drm_device->irq 2008-10-18 07:10:53 +10:00
drm_lock.c drm: don't set the signal blocker on the master process. 2008-08-25 06:35:33 +10:00
drm_memory.c drm: Add GEM ("graphics execution manager") to i915 driver. 2008-10-18 07:10:12 +10:00
drm_mm.c drm: Add GEM ("graphics execution manager") to i915 driver. 2008-10-18 07:10:12 +10:00
drm_pci.c drm: reorganise drm tree to be more future proof. 2008-07-14 10:45:01 +10:00
drm_proc.c drm: Add GEM ("graphics execution manager") to i915 driver. 2008-10-18 07:10:12 +10:00
drm_scatter.c drm: reorganise drm tree to be more future proof. 2008-07-14 10:45:01 +10:00
drm_sman.c drm: reorganise drm tree to be more future proof. 2008-07-14 10:45:01 +10:00
drm_stub.c drm: kill drm_device->irq 2008-10-18 07:10:53 +10:00
drm_sysfs.c drm: fix sysfs error path. 2008-10-18 07:10:11 +10:00
drm_vm.c drm: reorganise drm tree to be more future proof. 2008-07-14 10:45:01 +10:00
Kconfig drm: make CONFIG_DRM depend on CONFIG_SHMEM. 2008-10-18 07:10:54 +10:00
Makefile drm: Add GEM ("graphics execution manager") to i915 driver. 2008-10-18 07:10:12 +10:00
README.drm drm: reorganise drm tree to be more future proof. 2008-07-14 10:45:01 +10:00

************************************************************
* For the very latest on DRI development, please see:      *
*     http://dri.freedesktop.org/                          *
************************************************************

The Direct Rendering Manager (drm) is a device-independent kernel-level
device driver that provides support for the XFree86 Direct Rendering
Infrastructure (DRI).

The DRM supports the Direct Rendering Infrastructure (DRI) in four major
ways:

    1. The DRM provides synchronized access to the graphics hardware via
       the use of an optimized two-tiered lock.

    2. The DRM enforces the DRI security policy for access to the graphics
       hardware by only allowing authenticated X11 clients access to
       restricted regions of memory.

    3. The DRM provides a generic DMA engine, complete with multiple
       queues and the ability to detect the need for an OpenGL context
       switch.

    4. The DRM is extensible via the use of small device-specific modules
       that rely extensively on the API exported by the DRM module.


Documentation on the DRI is available from:
    http://dri.freedesktop.org/wiki/Documentation
    http://sourceforge.net/project/showfiles.php?group_id=387
    http://dri.sourceforge.net/doc/

For specific information about kernel-level support, see:

    The Direct Rendering Manager, Kernel Support for the Direct Rendering
    Infrastructure
    http://dri.sourceforge.net/doc/drm_low_level.html

    Hardware Locking for the Direct Rendering Infrastructure
    http://dri.sourceforge.net/doc/hardware_locking_low_level.html

    A Security Analysis of the Direct Rendering Infrastructure
    http://dri.sourceforge.net/doc/security_low_level.html