From 66921b3a1779614924ab89c98f473523dfbe18fa Mon Sep 17 00:00:00 2001 From: Tim Gardner Date: Mon, 24 Jan 2011 10:43:57 -0700 Subject: [PATCH] thinkpad-acpi: lock down video output state access, CVE-2010-3448 BugLink: http://bugs.launchpad.net/bugs/706999 Backported from 2.6.32.y 1b0d63f15fb79d0cb840f8b701f343548b5640e8. I dropped part of the patch that applied to drivers/platform/x86/Kconfig since its not relevant for 2.6.24. Given the right combination of ThinkPad and X.org, just reading the video output control state is enough to hard-crash X.org. Until the day I somehow find out a model or BIOS cut date to not provide this feature to ThinkPads that can do video switching through X RandR, change permissions so that only processes with CAP_SYS_ADMIN can access any sort of video output control state. This bug could be considered a local DoS I suppose, as it allows any non-privledged local user to cause some versions of X.org to hard-crash some ThinkPads. Reported-by: Jidanni Signed-off-by: Henrique de Moraes Holschuh Signed-off-by: Greg Kroah-Hartman Signed-off-by: Tim Gardner --- Documentation/thinkpad-acpi.txt | 4 ++++ drivers/misc/thinkpad_acpi.c | 18 +++++++++++++++--- drivers/misc/thinkpad_acpi.h | 1 + 3 files changed, 20 insertions(+), 3 deletions(-) diff --git a/Documentation/thinkpad-acpi.txt b/Documentation/thinkpad-acpi.txt index 10c041c..46ae816 100644 --- a/Documentation/thinkpad-acpi.txt +++ b/Documentation/thinkpad-acpi.txt @@ -518,6 +518,10 @@ LCD, CRT or DVI (if available). The following commands are available: echo expand_toggle > /proc/acpi/ibm/video echo video_switch > /proc/acpi/ibm/video +NOTE: Access to this feature is restricted to processes owning the +CAP_SYS_ADMIN capability for safety reasons, as it can interact badly +enough with some versions of X.org to crash it. + Each video output device can be enabled or disabled individually. Reading /proc/acpi/ibm/video shows the status of each device. diff --git a/drivers/misc/thinkpad_acpi.c b/drivers/misc/thinkpad_acpi.c index cf56647..ac866b9 100644 --- a/drivers/misc/thinkpad_acpi.c +++ b/drivers/misc/thinkpad_acpi.c @@ -1986,6 +1986,10 @@ static int video_read(char *p) return len; } + /* Even reads can crash X.org, so... */ + if (!capable(CAP_SYS_ADMIN)) + return -EPERM; + status = video_outputsw_get(); if (status < 0) return status; @@ -2019,6 +2023,10 @@ static int video_write(char *buf) if (video_supported == TPACPI_VIDEO_NONE) return -ENODEV; + /* Even reads can crash X.org, so... */ + if (!capable(CAP_SYS_ADMIN)) + return -EPERM; + enable = 0; disable = 0; @@ -4574,9 +4582,12 @@ static int __init ibm_init(struct ibm_init_struct *iibm) "%s installed\n", ibm->name); if (ibm->read) { - entry = create_proc_entry(ibm->name, - S_IFREG | S_IRUGO | S_IWUSR, - proc_dir); + mode_t mode = iibm->base_procfs_mode; + + if (!mode) + mode = S_IRUGO; + + entry = create_proc_entry(ibm->name, mode, proc_dir); if (!entry) { printk(IBM_ERR "unable to create proc entry %s\n", ibm->name); @@ -4758,6 +4769,7 @@ static struct ibm_init_struct ibms_init[] __initdata = { }, { .init = video_init, + .base_procfs_mode = S_IRUSR, .data = &video_driver_data, }, { diff --git a/drivers/misc/thinkpad_acpi.h b/drivers/misc/thinkpad_acpi.h index 8fba2bb..9649256 100644 --- a/drivers/misc/thinkpad_acpi.h +++ b/drivers/misc/thinkpad_acpi.h @@ -230,6 +230,7 @@ struct ibm_init_struct { char param[32]; int (*init) (struct ibm_init_struct *); + mode_t base_procfs_mode; struct ibm_struct *data; }; -- 1.7.0.4