From patchwork Sun Aug 25 21:12:39 2013 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: David Herrmann X-Patchwork-Id: 2849339 Return-Path: X-Original-To: patchwork-dri-devel@patchwork.kernel.org Delivered-To: patchwork-parsemail@patchwork2.web.kernel.org Received: from mail.kernel.org (mail.kernel.org [198.145.19.201]) by patchwork2.web.kernel.org (Postfix) with ESMTP id 0CD5EBF546 for ; Sun, 25 Aug 2013 21:13:15 +0000 (UTC) Received: from mail.kernel.org (localhost [127.0.0.1]) by mail.kernel.org (Postfix) with ESMTP id F10A920214 for ; Sun, 25 Aug 2013 21:13:14 +0000 (UTC) Received: from gabe.freedesktop.org (gabe.freedesktop.org [131.252.210.177]) by mail.kernel.org (Postfix) with ESMTP id 204BB20122 for ; Sun, 25 Aug 2013 21:13:14 +0000 (UTC) Received: from gabe.freedesktop.org (localhost [127.0.0.1]) by gabe.freedesktop.org (Postfix) with ESMTP id AFB5AE61AB for ; Sun, 25 Aug 2013 14:13:13 -0700 (PDT) X-Original-To: dri-devel@lists.freedesktop.org Delivered-To: dri-devel@lists.freedesktop.org Received: from mail-ee0-f44.google.com (mail-ee0-f44.google.com [74.125.83.44]) by gabe.freedesktop.org (Postfix) with ESMTP id B9FBCE5DE8 for ; Sun, 25 Aug 2013 14:13:00 -0700 (PDT) Received: by mail-ee0-f44.google.com with SMTP id b47so1257282eek.3 for ; Sun, 25 Aug 2013 14:13:00 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:to:cc:subject:date:message-id; bh=5t7rfgGOF9+R0/1GJiErnSStjy7j6ZIF7Sb3QynhdIg=; b=qb7VyirxJXSU1/E0Bm6oPGpzIm1wZzpXY6AZCeNc2O4ZuasWnPc90YtZtCnXnOygtC EXkiIbWJQwxSIAvLnIiR+PCcuWaDIxAuGyi2i9E1fUWQN2yr394HiQzB4MYYfIQ0edBk +43fjtocfYF7FlLrU/KO9ZmA8aAlunZUH+aE2p3TKT7uEO5v5cPHY35Auyu9O9XJZnDX i9ZYQX+aLfmrOnaeVZoEg0Cz8QSCVs+ufycM3huQmvZv1ArdopZMD5tsf6wp8Ljf6vXd NYZGD+cRDws4cCrjCqab6SIA56uYN6wbGef/Ii18GhLs9May2fcYRZJN8XqCU7Tk6xjU t3RA== X-Received: by 10.14.210.8 with SMTP id t8mr19857739eeo.39.1377465179988; Sun, 25 Aug 2013 14:12:59 -0700 (PDT) Received: from localhost.localdomain (stgt-5f71847d.pool.mediaWays.net. [95.113.132.125]) by mx.google.com with ESMTPSA id a43sm16405816eep.9.1969.12.31.16.00.00 (version=TLSv1.2 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Sun, 25 Aug 2013 14:12:59 -0700 (PDT) From: David Herrmann To: dri-devel@lists.freedesktop.org Subject: [PATCH] drm: fix DRM_IOCTL_MODE_GETFB handle-leak Date: Sun, 25 Aug 2013 23:12:39 +0200 Message-Id: <1377465159-8117-1-git-send-email-dh.herrmann@gmail.com> X-Mailer: git-send-email 1.8.4 Cc: Dave Airlie , stable@vger.kernel.org X-BeenThere: dri-devel@lists.freedesktop.org X-Mailman-Version: 2.1.13 Precedence: list List-Id: Direct Rendering Infrastructure - Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Sender: dri-devel-bounces+patchwork-dri-devel=patchwork.kernel.org@lists.freedesktop.org Errors-To: dri-devel-bounces+patchwork-dri-devel=patchwork.kernel.org@lists.freedesktop.org X-Spam-Status: No, score=-6.3 required=5.0 tests=BAYES_00, DKIM_ADSP_CUSTOM_MED, DKIM_SIGNED, FREEMAIL_FROM, RCVD_IN_DNSWL_MED, RP_MATCHES_RCVD, T_DKIM_INVALID, UNPARSEABLE_RELAY autolearn=unavailable version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP DRM_IOCTL_MODE_GETFB is used to retrieve information about a given framebuffer ID. It is a read-only helper and was thus declassified for unprivileged access in: commit a14b1b42477c5ef089fcda88cbaae50d979eb8f9 Author: Mandeep Singh Baines Date: Fri Jan 20 12:11:16 2012 -0800 drm: remove master fd restriction on mode setting getters However, beside width, height and stride information, DRM_IOCTL_MODE_GETFB also passes back a handle to the underlying gem-bo of the framebuffer. This handle allows users to mmap() it and read or write into it. Obviously, this should be restricted to DRM-Master. With the current setup, *any* process with access to /dev/dri/card0 (which means any process with access to hardware-accelerated rendering) can access the current screen framebuffer and modify it ad libitum. For backwards-compatibility reasons we want to keep the DRM_IOCTL_MODE_GETFB call unprivileged. Besides, it provides quite useful information regarding screen setup. So we simply test whether the caller is the current DRM-Master and if not, we return 0 as handle, which is always invalid. A following DRM_IOCTL_GEM_CLOSE on this handle will fail with EINVAL, but we accept this. Users shouldn't test for errors during GEM_CLOSE, anyway. And it is still better than a failing MODE_GETFB call. Cc: Signed-off-by: David Herrmann --- drivers/gpu/drm/drm_crtc.c | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) diff --git a/drivers/gpu/drm/drm_crtc.c b/drivers/gpu/drm/drm_crtc.c index 54b4169..096e170 100644 --- a/drivers/gpu/drm/drm_crtc.c +++ b/drivers/gpu/drm/drm_crtc.c @@ -2598,10 +2598,22 @@ int drm_mode_getfb(struct drm_device *dev, r->depth = fb->depth; r->bpp = fb->bits_per_pixel; r->pitch = fb->pitches[0]; - if (fb->funcs->create_handle) - ret = fb->funcs->create_handle(fb, file_priv, &r->handle); - else + if (fb->funcs->create_handle) { + if (file_priv->is_master) { + ret = fb->funcs->create_handle(fb, file_priv, + &r->handle); + } else { + /* GET_FB() is an unprivileged ioctl so we must not + * return a buffer-handle to non-master processes! For + * backwards-compatibility reasons, we cannot make + * GET_FB() privileged, so just return an invalid handle + * for non-masters. */ + r->handle = 0; + ret = 0; + } + } else { ret = -ENODEV; + } drm_framebuffer_unreference(fb);