From f5768bda2880f4f0d2fdd7dfcc6a8953a7efc36f Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Fri, 17 Oct 2008 16:46:19 -0700
Subject: [PATCH] one more .27 patch
---
 ...remap-of-a-user-address-for-non-root.patch | 36 +++++++++++++++++++
 queue-2.6.27/series | 1 +
 2 files changed, 37 insertions(+)
 create mode 100644 queue-2.6.27/drm-i915-fix-ioremap-of-a-user-address-for-non-root.patch
diff --git a/queue-2.6.27/drm-i915-fix-ioremap-of-a-user-address-for-non-root.patch b/queue-2.6.27/drm-i915-fix-ioremap-of-a-user-address-for-non-root.patch
new file mode 100644
index 00000000000..21dc13daa70
--- /dev/null
+++ b/queue-2.6.27/drm-i915-fix-ioremap-of-a-user-address-for-non-root.patch
@@ -0,0 +1,36 @@
+From 4b40893918203ee1a1f6a114316c2a19c072e9bd Mon Sep 17 00:00:00 2001
+From: Matthias Hopf
+Date: Sat, 18 Oct 2008 07:18:05 +1000
+Subject: drm/i915: fix ioremap of a user address for non-root (CVE-2008-3831)
+
+From: Matthias Hopf
+
+commit 4b40893918203ee1a1f6a114316c2a19c072e9bd upstream
+
+Olaf Kirch noticed that the i915_set_status_page() function of the i915
+kernel driver calls ioremap with an address offset that is supplied by
+userspace via ioctl. The function zeroes the mapped memory via memset
+and tells the hardware about the address. Turns out that access to that
+ioctl is not restricted to root so users could probably exploit that to
+do nasty things. We haven't tried to write actual exploit code though.
+
+It only affects the Intel G33 series and newer.
+
+Signed-off-by: Dave Airlie
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/drm/i915/i915_dma.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/i915/i915_dma.c
++++ b/drivers/gpu/drm/i915/i915_dma.c
+@@ -836,7 +836,7 @@ struct drm_ioctl_desc i915_ioctls[] = {
+ DRM_IOCTL_DEF(DRM_I915_SET_VBLANK_PIPE, i915_vblank_pipe_set, DRM_AUTH|DRM_MASTER|DRM_ROOT_ONLY ),
+ DRM_IOCTL_DEF(DRM_I915_GET_VBLANK_PIPE, i915_vblank_pipe_get, DRM_AUTH ),
+ DRM_IOCTL_DEF(DRM_I915_VBLANK_SWAP, i915_vblank_swap, DRM_AUTH),
+- DRM_IOCTL_DEF(DRM_I915_HWS_ADDR, i915_set_status_page, DRM_AUTH),
++ DRM_IOCTL_DEF(DRM_I915_HWS_ADDR, i915_set_status_page, DRM_AUTH|DRM_MASTER|DRM_ROOT_ONLY),
+ };
+
+ int i915_max_ioctl = DRM_ARRAY_SIZE(i915_ioctls);
diff --git a/queue-2.6.27/series b/queue-2.6.27/series
index 26d7b10ae89..039e25025c1 100644
--- a/queue-2.6.27/series
+++ b/queue-2.6.27/series
@@ -12,3 +12,4 @@ usb-fix-s3c2410_udc-usb-speed-handling.patch
 usb-ehci-log-a-warning-if-ehci-hcd-is-not-loaded-first.patch
 usb-gadget-cdc-ethernet-notification-bugfix.patch
 usb-musb_hdrc-build-fixes.patch
+drm-i915-fix-ioremap-of-a-user-address-for-non-root.patch
-- 
2.47.3
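Review bot: The flags on the `DRM_I915_HWS_ADDR` row of `i915_ioctls[]` are the only guard the queued patch puts between a caller and the ioremap-plus-memset of a caller-chosen offset that the description attributes to `i915_set_status_page()`. The handler body is outside this hunk, so whether it range-checks the offset cannot be confirmed here. A follow-up that rejects offsets outside the range the device actually owns would keep the fix effective even if the table entry is later relaxed, or if root is confined by a security policy. Nothing on the row explains why it is stricter than its `DRM_AUTH`-only neighbours, so I would add a comment above it such as `/* maps and zeroes a user-supplied offset: keep DRM_MASTER|DRM_ROOT_ONLY (CVE-2008-3831) */`.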