Message-ID: <20100121104600.0ef09f3b@tanana.suse.de>
Date: Thu, 21 Jan 2010 10:46:00 +0100
From: Ludwig Nussel <ludwig.nussel@...e.de>
To: oss-security@...ts.openwall.com,
	Jerome Glisse <jglisse@...hat.com>
Subject: Re: CVE request - kernel: drm/radeon: r6xx/r7xx
 possible security issue, system ram access

Eugene Teo wrote:
> On 01/21/2010 04:44 PM, Eugene Teo wrote:
> > Quoting from the patch description:
> > "This patch workaround a possible security issue which can allow user to
> > abuse drm on r6xx/r7xx hw to access any system ram memory. This patch
> > doesn't break userspace, it detect "valid" old use of CB_COLOR[0-7]_FRAG
> [...]
> > The attack is theoretical. To exploit this you need access to the drm
> > device file which is usually set to 666 to allow users to have 3D
> > acceleration.
> 
> Sorry, correction, you need to be root to open the drm device file. 

You lost me. Do you mean the driver itself checks for CAP_SYS_ADMIN for this
particular operation? It wouldn't make much sense to set the device to 666 or
have udev put ACLs on it otherwise.

$ grep drm /lib/udev/rules.d/70-acl.rules 
SUBSYSTEM=="drm", KERNEL=="card*", ENV{ACL_MANAGE}="1"

cu
Ludwig

-- 
 (o_   Ludwig Nussel
 //\   
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
