diff options
| author | Henrique de Moraes Holschuh <hmh@hmh.eng.br> | 2010-02-25 20:22:22 -0500 |
|---|---|---|
| committer | Henrique de Moraes Holschuh <hmh@hmh.eng.br> | 2010-02-25 20:22:22 -0500 |
| commit | b525c06cdbd8a3963f0173ccd23f9147d4c384b5 (patch) | |
| tree | 025b22fda39fc7a42061ab25a908abe3ae757d3b /drivers/platform/x86/thinkpad_acpi.c | |
| parent | 08fedfc903c78e380b0baa7b57c52d367794d0a5 (diff) | |
thinkpad-acpi: lock down video output state access
Given the right combination of ThinkPad and X.org, just reading the
video output control state is enough to hard-crash X.org.
Until the day I somehow find out a model or BIOS cut date to not
provide this feature to ThinkPads that can do video switching through
X RandR, change permissions so that only processes with CAP_SYS_ADMIN
can access any sort of video output control state.
This bug could be considered a local DoS I suppose, as it allows any
non-privledged local user to cause some versions of X.org to
hard-crash some ThinkPads.
Reported-by: Jidanni <jidanni@jidanni.org>
Signed-off-by: Henrique de Moraes Holschuh <hmh@hmh.eng.br>
Cc: stable@kernel.org
Diffstat (limited to 'drivers/platform/x86/thinkpad_acpi.c')
| -rw-r--r-- | drivers/platform/x86/thinkpad_acpi.c | 15 |
1 files changed, 13 insertions, 2 deletions
diff --git a/drivers/platform/x86/thinkpad_acpi.c b/drivers/platform/x86/thinkpad_acpi.c index 3af4628d7dd1..5d02cc06d1a7 100644 --- a/drivers/platform/x86/thinkpad_acpi.c +++ b/drivers/platform/x86/thinkpad_acpi.c | |||
| @@ -286,6 +286,7 @@ struct ibm_init_struct { | |||
| 286 | char param[32]; | 286 | char param[32]; |
| 287 | 287 | ||
| 288 | int (*init) (struct ibm_init_struct *); | 288 | int (*init) (struct ibm_init_struct *); |
| 289 | mode_t base_procfs_mode; | ||
| 289 | struct ibm_struct *data; | 290 | struct ibm_struct *data; |
| 290 | }; | 291 | }; |
| 291 | 292 | ||
| @@ -4629,6 +4630,10 @@ static int video_read(struct seq_file *m) | |||
| 4629 | return 0; | 4630 | return 0; |
| 4630 | } | 4631 | } |
| 4631 | 4632 | ||
| 4633 | /* Even reads can crash X.org, so... */ | ||
| 4634 | if (!capable(CAP_SYS_ADMIN)) | ||
| 4635 | return -EPERM; | ||
| 4636 | |||
| 4632 | status = video_outputsw_get(); | 4637 | status = video_outputsw_get(); |
| 4633 | if (status < 0) | 4638 | if (status < 0) |
| 4634 | return status; | 4639 | return status; |
| @@ -4662,6 +4667,10 @@ static int video_write(char *buf) | |||
| 4662 | if (video_supported == TPACPI_VIDEO_NONE) | 4667 | if (video_supported == TPACPI_VIDEO_NONE) |
| 4663 | return -ENODEV; | 4668 | return -ENODEV; |
| 4664 | 4669 | ||
| 4670 | /* Even reads can crash X.org, let alone writes... */ | ||
| 4671 | if (!capable(CAP_SYS_ADMIN)) | ||
| 4672 | return -EPERM; | ||
| 4673 | |||
| 4665 | enable = 0; | 4674 | enable = 0; |
| 4666 | disable = 0; | 4675 | disable = 0; |
| 4667 | 4676 | ||
| @@ -8487,9 +8496,10 @@ static int __init ibm_init(struct ibm_init_struct *iibm) | |||
| 8487 | "%s installed\n", ibm->name); | 8496 | "%s installed\n", ibm->name); |
| 8488 | 8497 | ||
| 8489 | if (ibm->read) { | 8498 | if (ibm->read) { |
| 8490 | mode_t mode; | 8499 | mode_t mode = iibm->base_procfs_mode; |
| 8491 | 8500 | ||
| 8492 | mode = S_IRUGO; | 8501 | if (!mode) |
| 8502 | mode = S_IRUGO; | ||
| 8493 | if (ibm->write) | 8503 | if (ibm->write) |
| 8494 | mode |= S_IWUSR; | 8504 | mode |= S_IWUSR; |
| 8495 | entry = proc_create_data(ibm->name, mode, proc_dir, | 8505 | entry = proc_create_data(ibm->name, mode, proc_dir, |
| @@ -8680,6 +8690,7 @@ static struct ibm_init_struct ibms_init[] __initdata = { | |||
| 8680 | #ifdef CONFIG_THINKPAD_ACPI_VIDEO | 8690 | #ifdef CONFIG_THINKPAD_ACPI_VIDEO |
| 8681 | { | 8691 | { |
| 8682 | .init = video_init, | 8692 | .init = video_init, |
| 8693 | .base_procfs_mode = S_IRUSR, | ||
| 8683 | .data = &video_driver_data, | 8694 | .data = &video_driver_data, |
| 8684 | }, | 8695 | }, |
| 8685 | #endif | 8696 | #endif |