aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorHenrique de Moraes Holschuh <hmh@hmh.eng.br>2010-02-25 20:22:22 -0500
committerHenrique de Moraes Holschuh <hmh@hmh.eng.br>2010-02-25 20:22:22 -0500
commitb525c06cdbd8a3963f0173ccd23f9147d4c384b5 (patch)
tree025b22fda39fc7a42061ab25a908abe3ae757d3b
parent08fedfc903c78e380b0baa7b57c52d367794d0a5 (diff)
thinkpad-acpi: lock down video output state access
Given the right combination of ThinkPad and X.org, just reading the video output control state is enough to hard-crash X.org. Until the day I somehow find out a model or BIOS cut date to not provide this feature to ThinkPads that can do video switching through X RandR, change permissions so that only processes with CAP_SYS_ADMIN can access any sort of video output control state. This bug could be considered a local DoS I suppose, as it allows any non-privledged local user to cause some versions of X.org to hard-crash some ThinkPads. Reported-by: Jidanni <jidanni@jidanni.org> Signed-off-by: Henrique de Moraes Holschuh <hmh@hmh.eng.br> Cc: stable@kernel.org
Diffstat
-rw-r--r--Documentation/laptops/thinkpad-acpi.txt4
-rw-r--r--drivers/platform/x86/Kconfig10
-rw-r--r--drivers/platform/x86/thinkpad_acpi.c15
3 files changed, 25 insertions, 4 deletions
diff --git a/Documentation/laptops/thinkpad-acpi.txt b/Documentation/laptops/thinkpad-acpi.txt
index 75afa1229fd7..39c0a09d0105 100644
--- a/Documentation/laptops/thinkpad-acpi.txt
+++ b/Documentation/laptops/thinkpad-acpi.txt
@@ -650,6 +650,10 @@ LCD, CRT or DVI (if available). The following commands are available:
650 echo expand_toggle > /proc/acpi/ibm/video 650 echo expand_toggle > /proc/acpi/ibm/video
651 echo video_switch > /proc/acpi/ibm/video 651 echo video_switch > /proc/acpi/ibm/video
652 652
653NOTE: Access to this feature is restricted to processes owning the
654CAP_SYS_ADMIN capability for safety reasons, as it can interact badly
655enough with some versions of X.org to crash it.
656
653Each video output device can be enabled or disabled individually. 657Each video output device can be enabled or disabled individually.
654Reading /proc/acpi/ibm/video shows the status of each device. 658Reading /proc/acpi/ibm/video shows the status of each device.
655 659
diff --git a/drivers/platform/x86/Kconfig b/drivers/platform/x86/Kconfig
index f526e735c5ab..11fce79b61d1 100644
--- a/drivers/platform/x86/Kconfig
+++ b/drivers/platform/x86/Kconfig
@@ -319,9 +319,15 @@ config THINKPAD_ACPI_VIDEO
319 server running, phase of the moon, and the current mood of 319 server running, phase of the moon, and the current mood of
320 Schroedinger's cat. If you can use X.org's RandR to control 320 Schroedinger's cat. If you can use X.org's RandR to control
321 your ThinkPad's video output ports instead of this feature, 321 your ThinkPad's video output ports instead of this feature,
322 don't think twice: do it and say N here to save some memory. 322 don't think twice: do it and say N here to save memory and avoid
323 bad interactions with X.org.
323 324
324 If you are not sure, say Y here. 325 NOTE: access to this feature is limited to processes with the
326 CAP_SYS_ADMIN capability, to avoid local DoS issues in platforms
327 where it interacts badly with X.org.
328
329 If you are not sure, say Y here but do try to check if you could
330 be using X.org RandR instead.
325 331
326config THINKPAD_ACPI_HOTKEY_POLL 332config THINKPAD_ACPI_HOTKEY_POLL
327 bool "Support NVRAM polling for hot keys" 333 bool "Support NVRAM polling for hot keys"
diff --git a/drivers/platform/x86/thinkpad_acpi.c b/drivers/platform/x86/thinkpad_acpi.c
index 3af4628d7dd1..5d02cc06d1a7 100644
--- a/drivers/platform/x86/thinkpad_acpi.c
+++ b/drivers/platform/x86/thinkpad_acpi.c
@@ -286,6 +286,7 @@ struct ibm_init_struct {
286 char param[32]; 286 char param[32];
287 287
288 int (*init) (struct ibm_init_struct *); 288 int (*init) (struct ibm_init_struct *);
289 mode_t base_procfs_mode;
289 struct ibm_struct *data; 290 struct ibm_struct *data;
290}; 291};
291 292
@@ -4629,6 +4630,10 @@ static int video_read(struct seq_file *m)
4629 return 0; 4630 return 0;
4630 } 4631 }
4631 4632
4633 /* Even reads can crash X.org, so... */
4634 if (!capable(CAP_SYS_ADMIN))
4635 return -EPERM;
4636
4632 status = video_outputsw_get(); 4637 status = video_outputsw_get();
4633 if (status < 0) 4638 if (status < 0)
4634 return status; 4639 return status;
@@ -4662,6 +4667,10 @@ static int video_write(char *buf)
4662 if (video_supported == TPACPI_VIDEO_NONE) 4667 if (video_supported == TPACPI_VIDEO_NONE)
4663 return -ENODEV; 4668 return -ENODEV;
4664 4669
4670 /* Even reads can crash X.org, let alone writes... */
4671 if (!capable(CAP_SYS_ADMIN))
4672 return -EPERM;
4673
4665 enable = 0; 4674 enable = 0;
4666 disable = 0; 4675 disable = 0;
4667 4676
@@ -8487,9 +8496,10 @@ static int __init ibm_init(struct ibm_init_struct *iibm)
8487 "%s installed\n", ibm->name); 8496 "%s installed\n", ibm->name);
8488 8497
8489 if (ibm->read) { 8498 if (ibm->read) {
8490 mode_t mode; 8499 mode_t mode = iibm->base_procfs_mode;
8491 8500
8492 mode = S_IRUGO; 8501 if (!mode)
8502 mode = S_IRUGO;
8493 if (ibm->write) 8503 if (ibm->write)
8494 mode |= S_IWUSR; 8504 mode |= S_IWUSR;
8495 entry = proc_create_data(ibm->name, mode, proc_dir, 8505 entry = proc_create_data(ibm->name, mode, proc_dir,
@@ -8680,6 +8690,7 @@ static struct ibm_init_struct ibms_init[] __initdata = {
8680#ifdef CONFIG_THINKPAD_ACPI_VIDEO 8690#ifdef CONFIG_THINKPAD_ACPI_VIDEO
8681 { 8691 {
8682 .init = video_init, 8692 .init = video_init,
8693 .base_procfs_mode = S_IRUSR,
8683 .data = &video_driver_data, 8694 .data = &video_driver_data,
8684 }, 8695 },
8685#endif 8696#endif
generated by cgit v1.2.2 (git 2.25.0) at 2024-11-12 02:37:23 -0500