News
Vigil@nce - Linux kernel: memory disclosure via drm_ioctl
August 2010 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
An attacker can use ioctl DRM_I810_xxx in order to read kernel data.
Severity: 1/4
Creation date: 23/08/2010
DESCRIPTION OF THE VULNERABILITY
The drm_ioctl() function of the file drivers/gpu/drm/drm_drv.c handles IOCTL commands for the DRM driver. Each command can take in parameter an input / output buffer.
When handling an IOCTL command that returns data, the drm_ioctl() function allocates a kernel space buffer to receive those data. The size of this buffer is defined by the first parameter of the function. The buffer is then integrally copied to the buffer passed in parameter. However, the drm_ioctl() function does not properly check the size of the returned data. Therefore more data than necessary could be copied to the caller.
An attacker can therefore use DRM_I810_xxx ioctl in order to read kernel data.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
GOLD SPONSOR
