some .25 patches
authorGreg Kroah-Hartman <gregkh@suse.de>
Fri, 17 Oct 2008 23:44:41 +0000 (16:44 -0700)
committerGreg Kroah-Hartman <gregkh@suse.de>
Fri, 17 Oct 2008 23:44:41 +0000 (16:44 -0700)
queue-2.6.25/drm-i915-fix-ioremap-of-a-user-address-for-non-root.patch [new file with mode: 0644]
queue-2.6.25/series
queue-2.6.25/x86-work-around-mtrr-mask-setting-v2.patch [new file with mode: 0644]

diff --git a/queue-2.6.25/drm-i915-fix-ioremap-of-a-user-address-for-non-root.patch b/queue-2.6.25/drm-i915-fix-ioremap-of-a-user-address-for-non-root.patch
new file mode 100644 (file)
index 0000000..c37097d
--- /dev/null
@@ -0,0 +1,36 @@
+From 4b40893918203ee1a1f6a114316c2a19c072e9bd Mon Sep 17 00:00:00 2001
+From: Matthias Hopf <mhopf@suse.de>
+Date: Sat, 18 Oct 2008 07:18:05 +1000
+Subject: drm/i915: fix ioremap of a user address for non-root (CVE-2008-3831)
+
+From: Matthias Hopf <mhopf@suse.de>
+
+commit 4b40893918203ee1a1f6a114316c2a19c072e9bd upstream
+
+Olaf Kirch noticed that the i915_set_status_page() function of the i915
+kernel driver calls ioremap with an address offset that is supplied by
+userspace via ioctl. The function zeroes the mapped memory via memset
+and tells the hardware about the address. Turns out that access to that
+ioctl is not restricted to root so users could probably exploit that to
+do nasty things. We haven't tried to write actual exploit code though.
+
+It only affects the Intel G33 series and newer.
+
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/char/drm/i915_dma.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/char/drm/i915_dma.c
++++ b/drivers/char/drm/i915_dma.c
+@@ -836,7 +836,7 @@ struct drm_ioctl_desc i915_ioctls[] = {
+       DRM_IOCTL_DEF(DRM_I915_SET_VBLANK_PIPE,  i915_vblank_pipe_set, DRM_AUTH|DRM_MASTER|DRM_ROOT_ONLY ),
+       DRM_IOCTL_DEF(DRM_I915_GET_VBLANK_PIPE,  i915_vblank_pipe_get, DRM_AUTH ),
+       DRM_IOCTL_DEF(DRM_I915_VBLANK_SWAP, i915_vblank_swap, DRM_AUTH),
+-      DRM_IOCTL_DEF(DRM_I915_HWS_ADDR, i915_set_status_page, DRM_AUTH),
++      DRM_IOCTL_DEF(DRM_I915_HWS_ADDR, i915_set_status_page, DRM_AUTH|DRM_MASTER|DRM_ROOT_ONLY),
+ };
+ int i915_max_ioctl = DRM_ARRAY_SIZE(i915_ioctls);
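Review bot: Gating the `DRM_I915_HWS_ADDR` entry with `DRM_MASTER|DRM_ROOT_ONLY` narrows who can reach `i915_set_status_page`, but the root cause named in the commit message stays in place: the handler still ioremaps and zeroes an address taken from the ioctl argument. The handler body is outside this hunk, so this is inferred from the description, but a bounds check there that rejects any offset outside the range the driver expects for the status page would make the fix hold even if the table flags are later loosened. It would also help to record the reason at the table entry, for example `/* root-only: handler ioremaps a caller-supplied address (CVE-2008-3831) */`. The other entries in `i915_ioctls[]` that carry only `DRM_AUTH` deserve the same audit for user-controlled addresses.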
index 8c3462949d61e9dfbefbd0ded4dd3f356757bdbe..10e424268e6f076ce5174b6f3adc7b44e34184da 100644 (file)
@@ -10,3 +10,5 @@ hwmon-prevent-power-off-on-shuttle-sn68pt.patch
 don-t-allow-splice-to-files-opened-with-o_append.patch
 v4l-bttv-prevent-null-pointer-dereference-in-radio_open.patch
 v4l-zr36067-fix-rgbr-pixel-format.patch
+drm-i915-fix-ioremap-of-a-user-address-for-non-root.patch
+x86-work-around-mtrr-mask-setting-v2.patch
diff --git a/queue-2.6.25/x86-work-around-mtrr-mask-setting-v2.patch b/queue-2.6.25/x86-work-around-mtrr-mask-setting-v2.patch
new file mode 100644 (file)
index 0000000..fa6a662
--- /dev/null
@@ -0,0 +1,41 @@
+From 9754a5b840a209bc1f192d59f63e81b698a55ac8 Mon Sep 17 00:00:00 2001
+From: Ingo Molnar <mingo@elte.hu>
+Date: Fri, 22 Aug 2008 08:22:23 +0200
+Subject: x86: work around MTRR mask setting, v2
+
+From: Ingo Molnar <mingo@elte.hu>
+
+commit 9754a5b840a209bc1f192d59f63e81b698a55ac8 upstream
+
+improve the debug printout:
+
+- make it actually display something
+- print it only once
+
+would be nice to have a WARN_ONCE() facility, to feed such things to
+kerneloops.org.
+
+Signed-off-by: Ingo Molnar <mingo@elte.hu>
+Cc: S.Çağlar Onur <caglar@pardus.org.tr>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/kernel/cpu/mtrr/generic.c |    7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/kernel/cpu/mtrr/generic.c
++++ b/arch/x86/kernel/cpu/mtrr/generic.c
+@@ -251,7 +251,12 @@ static void generic_get_mtrr(unsigned in
+               tmp |= ~((1<<(hi - 1)) - 1);
+               if (tmp != mask_lo) {
+-                      WARN_ON("mtrr: your BIOS has set up an incorrect mask, fixing it up.\n");
++                      static int once = 1;
++
++                      if (once) {
++                              printk(KERN_INFO "mtrr: your BIOS has set up an incorrect mask, fixing it up.\n");
++                              once = 0;
++                      }
+                       mask_lo = tmp;
+               }
+       }
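Review bot: The new `printk` in the `tmp != mask_lo` branch reports that a mask was wrong but not which value was found or what it was changed to, and the `once` flag then suppresses every later mismatch, so a second bad register never appears in the log. Since this records the kernel overriding firmware-provided memory-type configuration, `KERN_WARNING` fits better than `KERN_INFO`, and the message could include both values, e.g. `printk(KERN_WARNING "mtrr: your BIOS has set up an incorrect mask 0x%x, fixing it up to 0x%x.\n", mask_lo, tmp);` (format specifiers assume both are `unsigned int`; the declarations are outside the hunk). The `once` flag is a plain static with no synchronization, so if `generic_get_mtrr` can run concurrently the message may print more than once; that is harmless but worth a short comment. The function starts and ends outside this hunk.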