From patchwork Mon Aug 26 13:16:49 2013 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: David Herrmann X-Patchwork-Id: 2849592 Return-Path: X-Original-To: patchwork-dri-devel@patchwork.kernel.org Delivered-To: patchwork-parsemail@patchwork1.web.kernel.org Received: from mail.kernel.org (mail.kernel.org [198.145.19.201]) by patchwork1.web.kernel.org (Postfix) with ESMTP id AA8C69F271 for ; Mon, 26 Aug 2013 13:17:45 +0000 (UTC) Received: from mail.kernel.org (localhost [127.0.0.1]) by mail.kernel.org (Postfix) with ESMTP id 14BC72034D for ; Mon, 26 Aug 2013 13:17:44 +0000 (UTC) Received: from gabe.freedesktop.org (gabe.freedesktop.org [131.252.210.177]) by mail.kernel.org (Postfix) with ESMTP id 89A892034A for ; Mon, 26 Aug 2013 13:17:42 +0000 (UTC) Received: from gabe.freedesktop.org (localhost [127.0.0.1]) by gabe.freedesktop.org (Postfix) with ESMTP id 5FCE9E66A6 for ; Mon, 26 Aug 2013 06:17:42 -0700 (PDT) X-Original-To: dri-devel@lists.freedesktop.org Delivered-To: dri-devel@lists.freedesktop.org Received: from mail-ea0-f172.google.com (mail-ea0-f172.google.com [209.85.215.172]) by gabe.freedesktop.org (Postfix) with ESMTP id BAEE6E5CEA for ; Mon, 26 Aug 2013 06:17:13 -0700 (PDT) Received: by mail-ea0-f172.google.com with SMTP id r16so1625288ead.3 for ; Mon, 26 Aug 2013 06:17:12 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=SuZ5yFwhVW5ciHlFRMnIGuQmwYW3Uda0bOqU2GFNr8o=; b=dxhrdiooIkZeme1A62J5DxfONEHO7wsThQN1J186l6T8Gtb236IAyDw+qDQa+A0+Pv Zwd+BGmCSz4B0hrjbG++3h+o7jrxCt9ZA8vXSY/Dijjblf8YZJzJdZ8RFogGE0ccW7PY gYOS+626rwKFDFzCc1qHlvFsjJp7zkNAAPAcFwxcJGeywEbEyDttupzXhmNV6tsU2jYW wKfocQTYj2jPWxpJ+sjLDVr9Nwk5QUA0fI7UIzbCJ7eBiifdIM30/CtE0lH0spo6eP02 HfrVRxX3JgNLLw65S0c/eUUb3CQ/zDCK8bcUMaHGPJYCQWP0EC2lGnwAz3QHSvxpAokH OzWg== X-Received: by 10.15.55.133 with SMTP id v5mr55774eew.96.1377523032791; Mon, 26 Aug 2013 06:17:12 -0700 (PDT) Received: from localhost.localdomain (stgt-5f71b932.pool.mediaWays.net. [95.113.185.50]) by mx.google.com with ESMTPSA id bn13sm21350010eeb.11.1969.12.31.16.00.00 (version=TLSv1.2 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Mon, 26 Aug 2013 06:17:11 -0700 (PDT) From: David Herrmann To: dri-devel@lists.freedesktop.org Subject: [PATCH v2] drm: fix DRM_IOCTL_MODE_GETFB handle-leak Date: Mon, 26 Aug 2013 15:16:49 +0200 Message-Id: <1377523009-12223-1-git-send-email-dh.herrmann@gmail.com> X-Mailer: git-send-email 1.8.4 In-Reply-To: <1377465159-8117-1-git-send-email-dh.herrmann@gmail.com> References: <1377465159-8117-1-git-send-email-dh.herrmann@gmail.com> Cc: Daniel Vetter , Dave Airlie , stable@vger.kernel.org X-BeenThere: dri-devel@lists.freedesktop.org X-Mailman-Version: 2.1.13 Precedence: list List-Id: Direct Rendering Infrastructure - Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Sender: dri-devel-bounces+patchwork-dri-devel=patchwork.kernel.org@lists.freedesktop.org Errors-To: dri-devel-bounces+patchwork-dri-devel=patchwork.kernel.org@lists.freedesktop.org X-Spam-Status: No, score=-6.5 required=5.0 tests=BAYES_00, DKIM_ADSP_CUSTOM_MED, DKIM_SIGNED, FREEMAIL_FROM, RCVD_IN_DNSWL_MED, RP_MATCHES_RCVD, T_DKIM_INVALID, UNPARSEABLE_RELAY autolearn=unavailable version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP DRM_IOCTL_MODE_GETFB is used to retrieve information about a given framebuffer ID. It is a read-only helper and was thus declassified for unprivileged access in: commit a14b1b42477c5ef089fcda88cbaae50d979eb8f9 Author: Mandeep Singh Baines Date: Fri Jan 20 12:11:16 2012 -0800 drm: remove master fd restriction on mode setting getters However, alongside width, height and stride information, DRM_IOCTL_MODE_GETFB also passes back a handle to the underlying buffer of the framebuffer. This handle allows users to mmap() it and read or write into it. Obviously, this should be restricted to DRM-Master. With the current setup, *any* process with access to /dev/dri/card0 (which means any process with access to hardware-accelerated rendering) can access the current screen framebuffer and modify it ad libitum. For backwards-compatibility reasons we want to keep the DRM_IOCTL_MODE_GETFB call unprivileged. Besides, it provides quite useful information regarding screen setup. So we simply test whether the caller is the current DRM-Master and if not, we return 0 as handle, which is always invalid. A following DRM_IOCTL_GEM_CLOSE on this handle will fail with EINVAL, but we accept this. Users shouldn't test for errors during GEM_CLOSE, anyway. And it is still better as a failing MODE_GETFB call. v2: add capable(CAP_SYS_ADMIN) check for compatibility with i-g-t Cc: Signed-off-by: David Herrmann Reviewed-by: Chris Wilson --- drivers/gpu/drm/drm_crtc.c | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) diff --git a/drivers/gpu/drm/drm_crtc.c b/drivers/gpu/drm/drm_crtc.c index 54b4169..a05e878 100644 --- a/drivers/gpu/drm/drm_crtc.c +++ b/drivers/gpu/drm/drm_crtc.c @@ -2598,10 +2598,22 @@ int drm_mode_getfb(struct drm_device *dev, r->depth = fb->depth; r->bpp = fb->bits_per_pixel; r->pitch = fb->pitches[0]; - if (fb->funcs->create_handle) - ret = fb->funcs->create_handle(fb, file_priv, &r->handle); - else + if (fb->funcs->create_handle) { + if (file_priv->is_master || capable(CAP_SYS_ADMIN)) { + ret = fb->funcs->create_handle(fb, file_priv, + &r->handle); + } else { + /* GET_FB() is an unprivileged ioctl so we must not + * return a buffer-handle to non-master processes! For + * backwards-compatibility reasons, we cannot make + * GET_FB() privileged, so just return an invalid handle + * for non-masters. */ + r->handle = 0; + ret = 0; + } + } else { ret = -ENODEV; + } drm_framebuffer_unreference(fb);