Vigil@nce: Linux kernel, NULL dereference via r128
October 2009 by Vigil@nce
A local attacker can use an ioctl on an ATI Rage 128 video device,
in order to stop the kernel or to execute privileged code.
Severity: 2/4
Consequences: administrator access/rights, denial of service
Provenance: user shell
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 19/10/2009
IMPACTED PRODUCTS
– Linux kernel
DESCRIPTION OF THE VULNERABILITY
Files located in the drivers/gpu/drm/r128 directory implement the
DRM support for ATI Rage 128 video devices.
The r128_cce.c file implements the access to the CCE (Concurrent
Command Engine) contained in these video devices. However, if some
functions are called via an ioctl, without previously initializing
the CCE state, a NULL pointer is dereferenced.
A local attacker can therefore use an ioctl on an ATI Rage 128
video device, in order to stop the kernel.
An attacker can also use this vulnerability with
VIGILANCE-VUL-8953 (https://vigilance.fr/tree/1/8953) /
VIGILANCE-VUL-8861 (https://vigilance.fr/tree/1/8861)
in order to elevate his privileges.
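The missing-initialization pattern described above, as an added example that is not taken from the advisory or from the kernel source: a user-space C model in which the ioctl dispatcher rejects commands that need CCE state before that state exists. All names (model_ioctl, cce_state, the IOCTL_* numbers) are hypothetical, and the table-driven check is one mitigation design, not necessarily the kernel's own fix.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* User-space model; every name below is hypothetical, not from r128_cce.c. */
struct cce_state { int running; };
struct device { struct cce_state *priv; };  /* NULL until INIT has run */

enum { IOCTL_INIT, IOCTL_CCE_START, IOCTL_CCE_STOP, IOCTL_COUNT };

static int cce_init(struct device *dev)
{
    if (dev->priv)
        return -EINVAL;                      /* already initialized */
    dev->priv = calloc(1, sizeof(*dev->priv));
    return dev->priv ? 0 : -ENOMEM;
}

/* These handlers assume priv is valid: called alone on a fresh device they
 * would dereference NULL, which is the flaw the advisory describes. */
static int cce_start(struct device *dev) { dev->priv->running = 1; return 0; }
static int cce_stop(struct device *dev)  { dev->priv->running = 0; return 0; }

struct ioctl_desc { int (*fn)(struct device *); int needs_init; };

static const struct ioctl_desc ioctl_table[IOCTL_COUNT] = {
    [IOCTL_INIT]      = { cce_init,  0 },
    [IOCTL_CCE_START] = { cce_start, 1 },
    [IOCTL_CCE_STOP]  = { cce_stop,  1 },
};

/* Single entry point: the state check happens here, before any handler. */
int model_ioctl(struct device *dev, unsigned cmd)
{
    if (cmd >= IOCTL_COUNT)
        return -ENOTTY;                      /* unknown command */
    if (ioctl_table[cmd].needs_init && !dev->priv)
        return -EINVAL;                      /* CCE state not initialized */
    return ioctl_table[cmd].fn(dev);
}

int main(void)
{
    struct device dev = { NULL };
    printf("start before init: %d\n", model_ioctl(&dev, IOCTL_CCE_START));
    printf("init: %d\n", model_ioctl(&dev, IOCTL_INIT));
    printf("start after init: %d\n", model_ioctl(&dev, IOCTL_CCE_START));
    free(dev.priv);
    return 0;
}
```

Putting the check in the dispatcher means a newly added handler cannot omit it; the per-command needs_init flag is the only thing a reviewer has to audit.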
CHARACTERISTICS
Identifiers: CVE-2009-3620, VIGILANCE-VUL-9101