[kernel] r16486 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/x86 patches/series

Dann Frazier dannf at alioth.debian.org
Mon Oct 25 02:21:30 UTC 2010


Author: dannf
Date: Mon Oct 25 02:21:28 2010
New Revision: 16486

Log:
thinkpad-acpi: lock down video output state access (CVE-2010-3448)

Added:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/x86/thinkpad-acpi-lock-down-video-output-state-access.patch
Modified:
   dists/lenny-security/linux-2.6/debian/changelog
   dists/lenny-security/linux-2.6/debian/patches/series/25lenny2

Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog	Mon Oct 25 02:21:18 2010	(r16485)
+++ dists/lenny-security/linux-2.6/debian/changelog	Mon Oct 25 02:21:28 2010	(r16486)
@@ -8,6 +8,7 @@
   * sctp: Do not reset the packet during sctp_packet_config() (CVE-2010-3432)
   * Fix pktcdvd ioctl dev_minor range check (CVE-2010-3437)
   * ALSA: prevent heap corruption in snd_ctl_new() (CVE-2010-3442)
+  * thinkpad-acpi: lock down video output state access (CVE-2010-3448)
 
  -- dann frazier <dannf at debian.org>  Thu, 30 Sep 2010 21:42:24 -0600
 

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/x86/thinkpad-acpi-lock-down-video-output-state-access.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/x86/thinkpad-acpi-lock-down-video-output-state-access.patch	Mon Oct 25 02:21:28 2010	(r16486)
@@ -0,0 +1,95 @@
+commit 013d46c61ea18bec76c436b441a93690b0c74b48
+Author: Henrique de Moraes Holschuh <hmh at hmh.eng.br>
+Date:   Thu Feb 25 22:22:22 2010 -0300
+
+    [Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>]
+    
+    thinkpad-acpi: lock down video output state access
+    
+    Given the right combination of ThinkPad and X.org, just reading the
+    video output control state is enough to hard-crash X.org.
+    
+    Until the day I somehow find out a model or BIOS cut date to not
+    provide this feature to ThinkPads that can do video switching through
+    X RandR, change permissions so that only processes with CAP_SYS_ADMIN
+    can access any sort of video output control state.
+    
+    This bug could be considered a local DoS I suppose, as it allows any
+    non-privledged local user to cause some versions of X.org to
+    hard-crash some ThinkPads.
+    
+    Reported-by: Jidanni <jidanni at jidanni.org>
+    Signed-off-by: Henrique de Moraes Holschuh <hmh at hmh.eng.br>
+    Cc: stable at kernel.org
+
+diff --git a/Documentation/laptops/thinkpad-acpi.txt b/Documentation/laptops/thinkpad-acpi.txt
+index 64b3f14..aea8fcd 100644
+--- a/Documentation/laptops/thinkpad-acpi.txt
++++ b/Documentation/laptops/thinkpad-acpi.txt
+@@ -663,6 +663,10 @@ LCD, CRT or DVI (if available). The following commands are available:
+ 	echo expand_toggle > /proc/acpi/ibm/video
+ 	echo video_switch > /proc/acpi/ibm/video
+ 
++NOTE: Access to this feature is restricted to processes owning the
++CAP_SYS_ADMIN capability for safety reasons, as it can interact badly
++enough with some versions of X.org to crash it.
++
+ Each video output device can be enabled or disabled individually.
+ Reading /proc/acpi/ibm/video shows the status of each device.
+ 
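Review bot: the added NOTE sits after the `echo` write commands and says only that "access to this feature is restricted", while the next paragraph still tells the reader that "Reading /proc/acpi/ibm/video shows the status of each device" with no qualifier. Suggest stating explicitly that both reads and writes of /proc/acpi/ibm/video now fail with EPERM for processes without CAP_SYS_ADMIN, so that users of scripts that poll the file as an ordinary user know why they stopped working.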
+diff --git a/drivers/misc/Kconfig b/drivers/misc/Kconfig
+index 8d62fb0..bcd3fa2 100644
+--- a/drivers/misc/Kconfig
++++ b/drivers/misc/Kconfig
+@@ -310,9 +310,15 @@ config THINKPAD_ACPI_VIDEO
+ 	  server running, phase of the moon, and the current mood of
+ 	  Schroedinger's cat.  If you can use X.org's RandR to control
+ 	  your ThinkPad's video output ports instead of this feature,
+-	  don't think twice: do it and say N here to save some memory.
++	  don't think twice: do it and say N here to save memory and avoid
++	  bad interactions with X.org.
+ 
+-	  If you are not sure, say Y here.
++	  NOTE: access to this feature is limited to processes with the
++	  CAP_SYS_ADMIN capability, to avoid local DoS issues in platforms
++	  where it interacts badly with X.org.
++
++	  If you are not sure, say Y here but do try to check if you could
++	  be using X.org RandR instead.
+ 
+ config THINKPAD_ACPI_HOTKEY_POLL
+ 	bool "Suport NVRAM polling for hot keys"
+diff --git a/drivers/misc/thinkpad_acpi.c b/drivers/misc/thinkpad_acpi.c
+index b596929..e6b0c04 100644
+--- a/drivers/misc/thinkpad_acpi.c
++++ b/drivers/misc/thinkpad_acpi.c
+@@ -214,6 +214,7 @@ struct ibm_init_struct {
+ 	char param[32];
+ 
+ 	int (*init) (struct ibm_init_struct *);
++	mode_t base_procfs_mode;
+ 	struct ibm_struct *data;
+ };
+ 
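Review bot: `mode_t base_procfs_mode;` is added to struct ibm_init_struct here, but no hunk in this patch assigns it or reads it when the proc entry is created, so the field is dead in this backport and the mode of /proc/acpi/ibm/video is unchanged. Either include the hunks that set the field for the video subdriver and apply it at proc entry creation, or drop the field so the struct does not suggest a mode restriction that is not in effect.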
+@@ -3169,6 +3170,10 @@ static int video_read(char *p)
+ 		return len;
+ 	}
+ 
++	/* Even reads can crash X.org, so... */
++	if (!capable(CAP_SYS_ADMIN))
++		return -EPERM;
++
+ 	status = video_outputsw_get();
+ 	if (status < 0)
+ 		return status;
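Review bot: the `capable(CAP_SYS_ADMIN)` test in video_read() is the only enforcement visible for reads, and it runs per read() call rather than at open, so an unprivileged open of the proc file still succeeds and only the read returns -EPERM. The placement before `video_outputsw_get()` is right, since that is the call that queries the video output state. Suggest additionally tightening the proc entry's mode so access is refused at open, and replacing the trailing-off comment `/* Even reads can crash X.org, so... */` with one that names the reason (local DoS, CVE-2010-3448) for the next reader of this function.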
+@@ -3202,6 +3207,10 @@ static int video_write(char *buf)
+ 	if (video_supported == TPACPI_VIDEO_NONE)
+ 		return -ENODEV;
+ 
++	/* Even reads can crash X.org, let alone writes... */
++	if (!capable(CAP_SYS_ADMIN))
++		return -EPERM;
++
+ 	enable = 0;
+ 	disable = 0;
+ 
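Review bot: in video_write() the capability test comes after the `video_supported == TPACPI_VIDEO_NONE` check, so an unprivileged writer gets -ENODEV on unsupported hardware and -EPERM otherwise; that ordering matches video_read() and is acceptable, but it is worth a word in the comment. The same two-line check is now duplicated in both handlers, and the commit message promises to cover "any sort of video output control state", so a small shared helper (or enforcement through the proc entry mode) would keep a future accessor from being added without the check.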

Modified: dists/lenny-security/linux-2.6/debian/patches/series/25lenny2
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/25lenny2	Mon Oct 25 02:21:18 2010	(r16485)
+++ dists/lenny-security/linux-2.6/debian/patches/series/25lenny2	Mon Oct 25 02:21:28 2010	(r16486)
@@ -6,3 +6,4 @@
 + bugfix/all/sctp-do-not-reset-the-packet-during-sctp_packet_config.patch
 + bugfix/all/fix-pktcdvd-ioctl-dev_minor-range-check.patch
 + bugfix/all/alsa-prevent-heap-corruption-in-snd_ctl_new.patch
++ bugfix/x86/thinkpad-acpi-lock-down-video-output-state-access.patch


