• Matthias Hopf's avatar
    drm/i915: fix ioremap of a user address for non-root (CVE-2008-3831) · 4b408939
    Matthias Hopf authored
    Olaf Kirch noticed that the i915_set_status_page() function of the i915
    kernel driver calls ioremap with an address offset that is supplied by
    userspace via ioctl. The function zeroes the mapped memory via memset
    and tells the hardware about the address. Turns out that access to that
    ioctl is not restricted to root so users could probably exploit that to
    do nasty things. We haven't tried to write actual exploit code though.
    It only affects the Intel G33 series and newer.
    Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
i915_dma.c 25.1 KB