linux/drivers/gpu/drm/i915
Matthias Hopf 4b40893918 drm/i915: fix ioremap of a user address for non-root (CVE-2008-3831)
Olaf Kirch noticed that the i915_set_status_page() function of the i915
kernel driver calls ioremap with an address offset that is supplied by
userspace via ioctl. The function zeroes the mapped memory via memset
and tells the hardware about the address. Turns out that access to that
ioctl is not restricted to root so users could probably exploit that to
do nasty things. We haven't tried to write actual exploit code though.

It only affects the Intel G33 series and newer.

Signed-off-by: Dave Airlie <airlied@redhat.com>
2008-10-18 07:18:05 +10:00
..
i915_dma.c drm/i915: fix ioremap of a user address for non-root (CVE-2008-3831) 2008-10-18 07:18:05 +10:00
i915_drv.c drm: Add GEM ("graphics execution manager") to i915 driver. 2008-10-18 07:10:12 +10:00
i915_drv.h i915: Map status page cached for chips with GTT-based HWS location. 2008-10-18 07:10:53 +10:00
i915_gem_debug.c drm: Add GEM ("graphics execution manager") to i915 driver. 2008-10-18 07:10:12 +10:00
i915_gem_proc.c drm: Add GEM ("graphics execution manager") to i915 driver. 2008-10-18 07:10:12 +10:00
i915_gem_tiling.c i915: GM45 has GM965-style MCH setup. 2008-10-18 07:10:53 +10:00
i915_gem.c i915: Don't run retire work handler while suspended 2008-10-18 07:10:53 +10:00
i915_ioc32.c drm: reorganise drm tree to be more future proof. 2008-07-14 10:45:01 +10:00
i915_irq.c drm: Increment dev_priv->irq_received so i915_gem_interrupts count works. 2008-10-18 07:10:53 +10:00
i915_mem.c drm: reorganise drm tree to be more future proof. 2008-07-14 10:45:01 +10:00
i915_opregion.c Add Intel ACPI IGD OpRegion support 2008-10-18 07:10:10 +10:00
i915_reg.h drm: Add GEM ("graphics execution manager") to i915 driver. 2008-10-18 07:10:12 +10:00
i915_suspend.c new chip name is GM45 2008-10-18 07:10:11 +10:00
Makefile drm: Add GEM ("graphics execution manager") to i915 driver. 2008-10-18 07:10:12 +10:00