diff options
author | Henrique de Moraes Holschuh <hmh@hmh.eng.br> | 2010-02-25 22:22:22 -0300 |
---|---|---|
committer | Henrique de Moraes Holschuh <hmh@hmh.eng.br> | 2010-02-25 22:22:22 -0300 |
commit | b525c06cdbd8a3963f0173ccd23f9147d4c384b5 (patch) | |
tree | 025b22fda39fc7a42061ab25a908abe3ae757d3b /drivers/platform/x86/thinkpad_acpi.c | |
parent | 08fedfc903c78e380b0baa7b57c52d367794d0a5 (diff) | |
download | kernel_samsung_espresso10-b525c06cdbd8a3963f0173ccd23f9147d4c384b5.zip kernel_samsung_espresso10-b525c06cdbd8a3963f0173ccd23f9147d4c384b5.tar.gz kernel_samsung_espresso10-b525c06cdbd8a3963f0173ccd23f9147d4c384b5.tar.bz2 |
thinkpad-acpi: lock down video output state access
Given the right combination of ThinkPad and X.org, just reading the
video output control state is enough to hard-crash X.org.
Until the day I somehow find out a model or BIOS cut date to not
provide this feature to ThinkPads that can do video switching through
X RandR, change permissions so that only processes with CAP_SYS_ADMIN
can access any sort of video output control state.
This bug could be considered a local DoS I suppose, as it allows any
non-privledged local user to cause some versions of X.org to
hard-crash some ThinkPads.
Reported-by: Jidanni <jidanni@jidanni.org>
Signed-off-by: Henrique de Moraes Holschuh <hmh@hmh.eng.br>
Cc: stable@kernel.org
Diffstat (limited to 'drivers/platform/x86/thinkpad_acpi.c')
-rw-r--r-- | drivers/platform/x86/thinkpad_acpi.c | 15 |
1 files changed, 13 insertions, 2 deletions
diff --git a/drivers/platform/x86/thinkpad_acpi.c b/drivers/platform/x86/thinkpad_acpi.c index 3af4628..5d02cc0 100644 --- a/drivers/platform/x86/thinkpad_acpi.c +++ b/drivers/platform/x86/thinkpad_acpi.c @@ -286,6 +286,7 @@ struct ibm_init_struct { char param[32]; int (*init) (struct ibm_init_struct *); + mode_t base_procfs_mode; struct ibm_struct *data; }; @@ -4629,6 +4630,10 @@ static int video_read(struct seq_file *m) return 0; } + /* Even reads can crash X.org, so... */ + if (!capable(CAP_SYS_ADMIN)) + return -EPERM; + status = video_outputsw_get(); if (status < 0) return status; @@ -4662,6 +4667,10 @@ static int video_write(char *buf) if (video_supported == TPACPI_VIDEO_NONE) return -ENODEV; + /* Even reads can crash X.org, let alone writes... */ + if (!capable(CAP_SYS_ADMIN)) + return -EPERM; + enable = 0; disable = 0; @@ -8487,9 +8496,10 @@ static int __init ibm_init(struct ibm_init_struct *iibm) "%s installed\n", ibm->name); if (ibm->read) { - mode_t mode; + mode_t mode = iibm->base_procfs_mode; - mode = S_IRUGO; + if (!mode) + mode = S_IRUGO; if (ibm->write) mode |= S_IWUSR; entry = proc_create_data(ibm->name, mode, proc_dir, @@ -8680,6 +8690,7 @@ static struct ibm_init_struct ibms_init[] __initdata = { #ifdef CONFIG_THINKPAD_ACPI_VIDEO { .init = video_init, + .base_procfs_mode = S_IRUSR, .data = &video_driver_data, }, #endif |