[Bug 60533] CVE-2013-7445: Remote web page triggerable DOS in Linux DRM graphics.

4 Sep 2016


      https://bugzilla.kernel.org/show_bug.cgi?id=60533
--- Comment #40 from Mikhail mikhail.v.gavrilov@gmail.com ---
kernel 4.8.0-0.rc4 and interface still freeze when free memory is absent:
stracing of gnome-shell:
# strace -t -p 1489
strace: Process 1489 attached
19:36:11 ioctl(8, DRM_IOCTL_I915_GEM_CREATE, 0x7ffc860b7690) = 0
19:36:11 ioctl(8, DRM_IOCTL_I915_GEM_BUSY, 0x7ffc860b7770) = 0
19:36:11 ioctl(8, DRM_IOCTL_I915_GEM_MMAP, 0x7ffc860b76c0) = 0
19:36:11 ioctl(8, DRM_IOCTL_I915_GEM_SET_DOMAIN, 0x7ffc860b76c0) = 0
19:36:12 ioctl(8, DRM_IOCTL_I915_GEM_SW_FINISH, 0x7ffc860b7840) = 0
19:36:12 ioctl(8, DRM_IOCTL_I915_GEM_BUSY, 0x7ffc860bd1d0) = 0
19:36:12 ioctl(8, DRM_IOCTL_I915_GEM_SET_DOMAIN, 0x7ffc860bd120) = 0
19:36:12 ioctl(8, DRM_IOCTL_I915_GEM_SW_FINISH, 0x7ffc860bd2b0) = 0
19:36:12 ioctl(8, DRM_IOCTL_I915_GEM_MADVISE, 0x7ffc860ba8d0) = 0
19:36:12 munmap(0x7f2403fa5000, 4096)   = 0
19:36:12 ioctl(8, DRM_IOCTL_GEM_CLOSE, 0x7ffc860ba8c0) = 0
19:36:12 ioctl(8, DRM_IOCTL_I915_GEM_CREATE, 0x7ffc860ba820) = 0
19:36:12 ioctl(8, DRM_IOCTL_I915_GEM_BUSY, 0x7ffc860ba900) = 0
19:36:12 ioctl(8, DRM_IOCTL_I915_GEM_MMAP, 0x7ffc860ba850) = 0
19:36:12 ioctl(8, DRM_IOCTL_I915_GEM_SET_DOMAIN, 0x7ffc860ba850) = 0
19:36:12 ioctl(8, DRM_IOCTL_I915_GEM_SW_FINISH, 0x7ffc860ba9d0) = 0
19:36:12 ioctl(8, DRM_IOCTL_MODE_CURSOR, 0x7ffc860bd400) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_BUSY, 0x7ffc860ba9f0) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_SET_DOMAIN, 0x7ffc860ba940) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_SW_FINISH, 0x7ffc860baad0) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_BUSY, 0x7ffc860ba9f0) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_SET_DOMAIN, 0x7ffc860ba940) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_SW_FINISH, 0x7ffc860baad0) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_BUSY, 0x7ffc860ba9f0) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_SET_DOMAIN, 0x7ffc860ba940) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_SW_FINISH, 0x7ffc860baad0) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_BUSY, 0x7ffc860ba9f0) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_SET_DOMAIN, 0x7ffc860ba940) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_SW_FINISH, 0x7ffc860baad0) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_BUSY, 0x7ffc860ba9f0) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_SET_DOMAIN, 0x7ffc860ba940) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_SW_FINISH, 0x7ffc860baad0) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_BUSY, 0x7ffc860ba9f0) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_SET_DOMAIN, 0x7ffc860ba940) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_SW_FINISH, 0x7ffc860baad0) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_BUSY, 0x7ffc860ba9f0) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_SET_DOMAIN, 0x7ffc860ba940) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_SW_FINISH, 0x7ffc860baad0) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_CREATE, 0x7ffc860ba970) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_MMAP, 0x7ffc860ba940) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_SET_DOMAIN, 0x7ffc860ba940) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_SW_FINISH, 0x7ffc860baad0) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_CREATE, 0x7ffc860ba970) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_MMAP, 0x7ffc860ba940) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_SET_DOMAIN, 0x7ffc860ba940) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_SW_FINISH, 0x7ffc860baad0) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_CREATE, 0x7ffc860ba970) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_MMAP, 0x7ffc860ba940) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_SET_DOMAIN, 0x7ffc860ba940) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_SW_FINISH, 0x7ffc860baad0) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_CREATE, 0x7ffc860ba970) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_MMAP, 0x7ffc860ba940) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_SET_DOMAIN, 0x7ffc860ba940) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_SW_FINISH, 0x7ffc860baad0) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_CREATE, 0x7ffc860ba970) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_MMAP, 0x7ffc860ba940) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_SET_DOMAIN, 0x7ffc860ba940) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_SW_FINISH, 0x7ffc860baad0) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_CREATE, 0x7ffc860ba970) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_MMAP, 0x7ffc860ba940) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_SET_DOMAIN, 0x7ffc860ba940) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_SW_FINISH, 0x7ffc860baad0) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_CREATE, 0x7ffc860ba970) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_MMAP, 0x7ffc860ba940) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_SET_DOMAIN, 0x7ffc860ba940) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_SW_FINISH, 0x7ffc860baad0) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_CREATE, 0x7ffc860ba970) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_MMAP, 0x7ffc860ba940) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_SET_DOMAIN, 0x7ffc860ba940) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_SW_FINISH, 0x7ffc860baad0) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_SW_FINISH, 0x7ffc860ba740) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_EXECBUFFER2, 0x7ffc860ba6d0) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_MADVISE, 0x7ffc860ba6d0) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_MADVISE, 0x7ffc860ba6d0) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_MADVISE, 0x7ffc860ba6d0) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_MADVISE, 0x7ffc860ba6d0) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_MADVISE, 0x7ffc860ba6d0) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_MADVISE, 0x7ffc860ba6d0) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_MADVISE, 0x7ffc860ba6d0) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_MADVISE, 0x7ffc860ba6d0) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_CREATE, 0x7ffc860ba6f0) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_MMAP, 0x7ffc860ba6a0) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_SET_DOMAIN, 0x7ffc860ba6a0) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_BUSY, 0x7ffc860ba9f0) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_SET_DOMAIN, 0x7ffc860ba940) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_SW_FINISH, 0x7ffc860baad0) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_BUSY, 0x7ffc860ba9f0) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_SET_DOMAIN, 0x7ffc860ba940) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_SW_FINISH, 0x7ffc860baad0) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_BUSY, 0x7ffc860ba9f0) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_SET_DOMAIN, 0x7ffc860ba940) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_SW_FINISH, 0x7ffc860baad0) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_BUSY, 0x7ffc860ba9f0) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_SET_DOMAIN, 0x7ffc860ba940) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_SW_FINISH, 0x7ffc860baad0) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_BUSY, 0x7ffc860ba9f0) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_SET_DOMAIN, 0x7ffc860ba940) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_SW_FINISH, 0x7ffc860baad0) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_BUSY, 0x7ffc860ba9f0) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_SET_DOMAIN, 0x7ffc860ba940) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_SW_FINISH, 0x7ffc860baad0) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_BUSY, 0x7ffc860ba9f0) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_SET_DOMAIN, 0x7ffc860ba940) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_SW_FINISH, 0x7ffc860baad0) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_BUSY, 0x7ffc860ba910) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_MADVISE, 0x7ffc860ba900) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_SET_DOMAIN, 0x7ffc860ba940) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_SW_FINISH, 0x7ffc860baad0) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_BUSY, 0x7ffc860ba910) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_MADVISE, 0x7ffc860ba900) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_SET_DOMAIN, 0x7ffc860ba940) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_SW_FINISH, 0x7ffc860baad0) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_MADVISE, 0x7ffc860bbd00) = 0
19:36:52 ioctl(8, DRM_IOCTL_GEM_CLOSE, 0x7ffc860bbcf0) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_CREATE, 0x7ffc860bb950) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_BUSY, 0x7ffc860bb6c0) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_PWRITE, 0x7ffc860bb680) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_MADVISE, 0x7ffc860bbd00) = 0
19:36:52 ioctl(8, DRM_IOCTL_GEM_CLOSE, 0x7ffc860bbcf0) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_CREATE, 0x7ffc860bb950) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_CREATE, 0x7ffc860bb640) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_PWRITE, 0x7ffc860bb680) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_BUSY, 0x7ffc860b9a10) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_MADVISE, 0x7ffc860b9a00) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_SET_DOMAIN, 0x7ffc860b9a40) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_SW_FINISH, 0x7ffc860b9bd0) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_SW_FINISH, 0x7ffc860b98c0) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_EXECBUFFER2, 0x7ffc860b9850) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_MADVISE, 0x7ffc860b9850) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_MADVISE, 0x7ffc860b9850) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_MADVISE, 0x7ffc860b9850) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_MADVISE, 0x7ffc860b9850) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_CREATE, 0x7ffc860b9870) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_MMAP, 0x7ffc860b9820) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_SET_DOMAIN, 0x7ffc860b9820) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_BUSY, 0x7ffc860b9af0) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_MADVISE, 0x7ffc860b9a60) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_BUSY, 0x7ffc860b9a10) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_MADVISE, 0x7ffc860b9a00) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_SET_DOMAIN, 0x7ffc860b9a40) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_SW_FINISH, 0x7ffc860b9bd0) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_BUSY, 0x7ffc860bd110) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_MADVISE, 0x7ffc860bd080) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_BUSY, 0x7ffc860bd030) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_MADVISE, 0x7ffc860bd020) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_SET_DOMAIN, 0x7ffc860bd060) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_SW_FINISH, 0x7ffc860bd1f0) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_SW_FINISH, 0x7ffc860bd280) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_EXECBUFFER2, 0x7ffc860bd210) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_SET_DOMAIN, 0x7ffc860bd280) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_MADVISE, 0x7ffc860bd210) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_MADVISE, 0x7ffc860bd200) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_BUSY, 0x7ffc860bd1d0) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_MADVISE, 0x7ffc860bd1c0) = 0
19:36:52 ioctl(8, DRM_IOCTL_I915_GEM_SET_DOMAIN, 0x7ffc860bd1e0) = 0
19:36:52 ioctl(8, DRM_IOCTL_MODE_ADDFB, 0x7ffc860bd380) = 0
19:36:52 ioctl(8, DRM_IOCTL_MODE_PAGE_FLIP, 0x7ffc860bd2d0) = 0
19:36:52 recvmsg(29, {msg_name=NULL, msg_namelen=0,
msg_iov=[{iov_base="\34\0\247\307\37\0@\1\212\1\0\0~\211<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"...,
iov_len=4096}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, 0) = 288
19:36:52 recvmsg(29, {msg_namelen=0}, 0) = -1 EAGAIN (Resource temporarily
unavailable)
19:36:52 poll([{fd=4, events=POLLIN}, {fd=8, events=POLLIN}, {fd=10,
events=POLLIN}, {fd=20, events=POLLIN}, {fd=29, events=POLLIN}, {fd=32,
events=POLLIN}, {fd=34, events=POLLIN}, {fd=48, events=POLLIN}, {fd=50,
events=POLLIN}, {fd=51, events=0}, {fd=53, events=POLLIN}, {fd=59,
events=POLLIN}, {fd=60, events=POLLIN}, {fd=63, events=POLLIN}, {fd=72,
events=POLLIN}, {fd=73, events=POLLIN}, {fd=80, events=POLLIN}], 17, 0) = 2
([{fd=4, revents=POLLIN}, {fd=10, revents=POLLIN}])
19:36:52 read(4, "\7\0\0\0\0\0\0\0", 16) = 8
19:36:52 poll([{fd=29, events=POLLIN|POLLOUT}], 1, -1) = 1 ([{fd=29,
revents=POLLOUT}])
19:36:52 writev(29,
[{iov_base="\24\0\6\0\37\0@\1\212\1\0\0\6\0\0\0\0\0\0\0\377\377\377\377",
iov_len=24}], 1) = 24
19:36:52 recvmsg(29, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\1
\250\307\0\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0",
iov_len=4096}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, 0) = 32
19:36:52 recvmsg(29, {msg_namelen=0}, 0) = -1 EAGAIN (Resource temporarily
unavailable)
19:36:52 poll([{fd=29, events=POLLIN|POLLOUT}], 1, -1) = 1 ([{fd=29,
revents=POLLOUT}])
19:36:52 writev(29, [{iov_base="+4\1\0", iov_len=4}, {iov_base=NULL,
iov_len=0}, {iov_base="", iov_len=0}], 3) = 4
19:36:52 poll([{fd=29, events=POLLIN}], 1, -1) = 1 ([{fd=29, revents=POLLIN}])
19:36:52 recvmsg(29, {msg_name=NULL, msg_namelen=0,
msg_iov=[{iov_base="\1\1\251\307\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0",
iov_len=4096}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, 0) = 32
-- 
You are receiving this mail because:
You are on the CC list for the bug.
You are the assignee for the bug.

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

[Bug 60533] CVE-2013-7445: Remote web page triggerable DOS in Linux DRM graphics.