Hardy SRU: thinkpad-acpi: lock down video output state access, CVE-2010-3448

Tim Gardner timg at tpi.com
Mon Jan 24 19:47:32 UTC 2011 

The following changes since commit e98c9ee35cead70474b238604a6e9edaf91f7270:
  Jason Gaston (1):
        ata_piix: IDE mode SATA patch for Intel ICH10 DeviceID's

are available in the git repository at:

  git://kernel.ubuntu.com/rtg/ubuntu-hardy.git CVE-2010-3448

Tim Gardner (1):
      thinkpad-acpi: lock down video output state access, CVE-2010-3448

 Documentation/thinkpad-acpi.txt |    4 ++++
 drivers/misc/thinkpad_acpi.c    |   18 +++++++++++++++---
 drivers/misc/thinkpad_acpi.h    |    1 +
 3 files changed, 20 insertions(+), 3 deletions(-)

>From 66921b3a1779614924ab89c98f473523dfbe18fa Mon Sep 17 00:00:00 2001
From: Tim Gardner <tim.gardner at canonical.com>
Date: Mon, 24 Jan 2011 10:43:57 -0700
Subject: [PATCH] thinkpad-acpi: lock down video output state access, CVE-2010-3448

BugLink: http://bugs.launchpad.net/bugs/706999

Backported from 2.6.32.y 1b0d63f15fb79d0cb840f8b701f343548b5640e8.
I dropped part of the patch that applied to drivers/platform/x86/Kconfig
since its not relevant for 2.6.24.

Given the right combination of ThinkPad and X.org, just reading the
video output control state is enough to hard-crash X.org.

Until the day I somehow find out a model or BIOS cut date to not
provide this feature to ThinkPads that can do video switching through
X RandR, change permissions so that only processes with CAP_SYS_ADMIN
can access any sort of video output control state.

This bug could be considered a local DoS I suppose, as it allows any
non-privledged local user to cause some versions of X.org to
hard-crash some ThinkPads.

Reported-by: Jidanni <jidanni at jidanni.org>
Signed-off-by: Henrique de Moraes Holschuh <hmh at hmh.eng.br>
Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
Signed-off-by: Tim Gardner <tim.gardner at canonical.com>
---
 Documentation/thinkpad-acpi.txt |    4 ++++
 drivers/misc/thinkpad_acpi.c    |   18 +++++++++++++++---
 drivers/misc/thinkpad_acpi.h    |    1 +
 3 files changed, 20 insertions(+), 3 deletions(-)

diff --git a/Documentation/thinkpad-acpi.txt b/Documentation/thinkpad-acpi.txt
index 10c041c..46ae816 100644
--- a/Documentation/thinkpad-acpi.txt
+++ b/Documentation/thinkpad-acpi.txt
@@ -518,6 +518,10 @@ LCD, CRT or DVI (if available). The following commands are available:
 	echo expand_toggle > /proc/acpi/ibm/video
 	echo video_switch > /proc/acpi/ibm/video
 
+NOTE: Access to this feature is restricted to processes owning the
+CAP_SYS_ADMIN capability for safety reasons, as it can interact badly
+enough with some versions of X.org to crash it.
+
 Each video output device can be enabled or disabled individually.
 Reading /proc/acpi/ibm/video shows the status of each device.
 
diff --git a/drivers/misc/thinkpad_acpi.c b/drivers/misc/thinkpad_acpi.c
index cf56647..ac866b9 100644
--- a/drivers/misc/thinkpad_acpi.c
+++ b/drivers/misc/thinkpad_acpi.c
@@ -1986,6 +1986,10 @@ static int video_read(char *p)
 		return len;
 	}
 
+	/* Even reads can crash X.org, so... */
+	if (!capable(CAP_SYS_ADMIN))
+		return -EPERM;
+
 	status = video_outputsw_get();
 	if (status < 0)
 		return status;
@@ -2019,6 +2023,10 @@ static int video_write(char *buf)
 	if (video_supported == TPACPI_VIDEO_NONE)
 		return -ENODEV;
 
+	/* Even reads can crash X.org, so... */
+	if (!capable(CAP_SYS_ADMIN))
+		return -EPERM;
+
 	enable = 0;
 	disable = 0;
 
@@ -4574,9 +4582,12 @@ static int __init ibm_init(struct ibm_init_struct *iibm)
 		"%s installed\n", ibm->name);
 
 	if (ibm->read) {
-		entry = create_proc_entry(ibm->name,
-					  S_IFREG | S_IRUGO | S_IWUSR,
-					  proc_dir);
+		mode_t mode = iibm->base_procfs_mode;
+
+		if (!mode)
+			mode = S_IRUGO;
+
+		entry = create_proc_entry(ibm->name, mode, proc_dir);
 		if (!entry) {
 			printk(IBM_ERR "unable to create proc entry %s\n",
 			       ibm->name);
@@ -4758,6 +4769,7 @@ static struct ibm_init_struct ibms_init[] __initdata = {
 	},
 	{
 		.init = video_init,
+		.base_procfs_mode = S_IRUSR,
 		.data = &video_driver_data,
 	},
 	{
diff --git a/drivers/misc/thinkpad_acpi.h b/drivers/misc/thinkpad_acpi.h
index 8fba2bb..9649256 100644
--- a/drivers/misc/thinkpad_acpi.h
+++ b/drivers/misc/thinkpad_acpi.h
@@ -230,6 +230,7 @@ struct ibm_init_struct {
 	char param[32];
 
 	int (*init) (struct ibm_init_struct *);
+	mode_t base_procfs_mode;
 	struct ibm_struct *data;
 };
 
-- 
1.7.0.4

More information about the kernel-team mailing list