1
linux/drivers/gpu/drm
Matthias Hopf 4b40893918 drm/i915: fix ioremap of a user address for non-root (CVE-2008-3831)
Olaf Kirch noticed that the i915_set_status_page() function of the i915
kernel driver calls ioremap with an address offset that is supplied by
userspace via ioctl. The function zeroes the mapped memory via memset
and tells the hardware about the address. Turns out that access to that
ioctl is not restricted to root so users could probably exploit that to
do nasty things. We haven't tried to write actual exploit code though.

It only affects the Intel G33 series and newer.

Signed-off-by: Dave Airlie <airlied@redhat.com>
2008-10-18 07:18:05 +10:00
..
i810
i830
i915 drm/i915: fix ioremap of a user address for non-root (CVE-2008-3831) 2008-10-18 07:18:05 +10:00
mga drm: kill drm_device->irq 2008-10-18 07:10:53 +10:00
r128 drm: kill drm_device->irq 2008-10-18 07:10:53 +10:00
radeon radeon: fix PCI bus mastering support enables. 2008-10-18 07:10:54 +10:00
savage
sis SiS DRM: fix a pointer cast warning 2008-10-18 07:10:10 +10:00
tdfx
via drm: kill drm_device->irq 2008-10-18 07:10:53 +10:00
ati_pcigart.c
drm_agpsupport.c i915: Map status page cached for chips with GTT-based HWS location. 2008-10-18 07:10:53 +10:00
drm_auth.c
drm_bufs.c
drm_cache.c drm: wbinvd is cache coherent. 2008-10-18 07:10:53 +10:00
drm_context.c
drm_dma.c
drm_drawable.c
drm_drv.c drm: Add GEM ("graphics execution manager") to i915 driver. 2008-10-18 07:10:12 +10:00
drm_fops.c drm: Add GEM ("graphics execution manager") to i915 driver. 2008-10-18 07:10:12 +10:00
drm_gem.c DRM: Return -EBADF on bad object in flink, and return curent name if it exists. 2008-10-18 07:10:52 +10:00
drm_hashtab.c
drm_ioc32.c
drm_ioctl.c
drm_irq.c drm: kill drm_device->irq 2008-10-18 07:10:53 +10:00
drm_lock.c drm: don't set the signal blocker on the master process. 2008-08-25 06:35:33 +10:00
drm_memory.c drm: Add GEM ("graphics execution manager") to i915 driver. 2008-10-18 07:10:12 +10:00
drm_mm.c drm: Add GEM ("graphics execution manager") to i915 driver. 2008-10-18 07:10:12 +10:00
drm_pci.c
drm_proc.c drm: Add GEM ("graphics execution manager") to i915 driver. 2008-10-18 07:10:12 +10:00
drm_scatter.c
drm_sman.c
drm_stub.c drm: kill drm_device->irq 2008-10-18 07:10:53 +10:00
drm_sysfs.c drm: fix sysfs error path. 2008-10-18 07:10:11 +10:00
drm_vm.c
Kconfig drm: make CONFIG_DRM depend on CONFIG_SHMEM. 2008-10-18 07:10:54 +10:00
Makefile drm: Add GEM ("graphics execution manager") to i915 driver. 2008-10-18 07:10:12 +10:00
README.drm

************************************************************
* For the very latest on DRI development, please see:      *
*     http://dri.freedesktop.org/                          *
************************************************************

The Direct Rendering Manager (drm) is a device-independent kernel-level
device driver that provides support for the XFree86 Direct Rendering
Infrastructure (DRI).

The DRM supports the Direct Rendering Infrastructure (DRI) in four major
ways:

    1. The DRM provides synchronized access to the graphics hardware via
       the use of an optimized two-tiered lock.

    2. The DRM enforces the DRI security policy for access to the graphics
       hardware by only allowing authenticated X11 clients access to
       restricted regions of memory.

    3. The DRM provides a generic DMA engine, complete with multiple
       queues and the ability to detect the need for an OpenGL context
       switch.

    4. The DRM is extensible via the use of small device-specific modules
       that rely extensively on the API exported by the DRM module.


Documentation on the DRI is available from:
    http://dri.freedesktop.org/wiki/Documentation
    http://sourceforge.net/project/showfiles.php?group_id=387
    http://dri.sourceforge.net/doc/

For specific information about kernel-level support, see:

    The Direct Rendering Manager, Kernel Support for the Direct Rendering
    Infrastructure
    http://dri.sourceforge.net/doc/drm_low_level.html

    Hardware Locking for the Direct Rendering Infrastructure
    http://dri.sourceforge.net/doc/hardware_locking_low_level.html

    A Security Analysis of the Direct Rendering Infrastructure
    http://dri.sourceforge.net/doc/security_low_level.html