[MPlayer-dev-eng] [PATCH] svgalib_helper root vuln

D Richard Felker III dalias at aerifal.cx
Mon Oct 4 04:50:49 CEST 2004


On Sun, Oct 03, 2004 at 09:34:56PM -0400, The Wanderer wrote:
> D Richard Felker III wrote:
> 
> >On Sun, Oct 03, 2004 at 03:42:09AM -0400, The Wanderer wrote:
> >
> >>>use svgalib_helper instead. it works perfectly.
> >>
> >>I think I've heard that mentioned, but I don't know where to find
> >>it. (Admittedly I also haven't yet Googled - I'd do that before
> >>posting, but I'm in a hurry to get to my food before it gets cold.)
> >
> >it comes with recent svgalib. but be warned, it contains a very
> >stupid vulnerability that lets any user with access to the helper
> >access all of kernel memory read/write.. someday i'm gonna submit a
> >patch.
> 
> I'll pass that on to my siblings, then, and see about giving it a try
> myself. If/when you do get around to submitting a patch, I'd be glad if
> you could somehow let me know (since I don't follow svgalib development,
> at least not yet), because I don't like using things with known security
> flaws.

ok i'm attaching the fix. it's not a great patch but it should work.
note that it also prevents mapping some low memory that was
unconditionally allowed before. some stupid drivers may need this low
area, but it's inherently a security hole. i doubt any vidix drivers
need it, just bad svgalib drivers...

rich

-------------- next part --------------
diff -ur svgalib_helper.orig/main.c svgalib_helper/main.c
--- svgalib_helper.orig/main.c	2003-02-02 14:20:16.000000000 +0000
+++ svgalib_helper/main.c	2004-10-04 02:52:00.000000000 +0000
@@ -363,6 +363,7 @@
 #ifdef __alpha__
     int type;
 #endif
+    if (start+len < start || len >= 0x40000000) return -1;
         
     rstart=start;
     rlen=len;
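Review bot: The wraparound test `start+len < start` on the added line is only reliable if `start` and `len` are unsigned, and their declarations are not visible in this hunk; if either is signed, the overflow is undefined behaviour and the compiler may optimise the test away. Please confirm the types, or write the test so the sum is never computed (compare `len` against the type's maximum minus `start`). The `0x40000000` limit also needs a comment or a named constant saying why 1 GiB is the cutoff. Finally, this path returns -1 while the nearby code in the same file returns 0, so check that every caller treats -1 as a refusal.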
@@ -383,7 +384,7 @@
 #endif
 
     if(!card) {
-        if( (start<0x110000) && (start+len<0x110000) ) return 0;
+        //if( (start<0x110000) && (start+len<0x110000) ) return 0;
         for(j=1;j<num_devices;j++)
             if(!check_mem(j, rstart, rlen)) return 0;
     } else if(card<num_devices) {
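Review bot: The low-memory exception in the `if(!card)` branch is disabled by commenting it out with `//` instead of deleting it, which leaves dead code and no record of why. Delete the line and put a short comment in its place stating that ranges below 0x110000 are no longer allowed unconditionally and now go through the `check_mem` loop that follows, so that nobody restores it later for a driver that wants that area. Since this changes behaviour for any driver that relied on the exception, it also deserves a line in the changelog.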

