"Frank C. Earl" wrote:
> 
> On Monday 18 February 2002 12:07 pm, Keith Whitwell wrote:
> 
> > The i810 has a security model that makes insecure commands in batch buffers
> > into noops.  Unfortunately there is a hole in the security model:  you can
> > emit a batch buffer with blit commands in it that blit insecure commands
> > onto the ring, where they may then be executed...
> 
> I didn't see that in the documentation.  If it's only working from the
> premise that the command stream is untrusted, it's supposed to stop operation
> at that point.  Since the ring buffers are supposed to be in system memory,
> I'd have thought that if you controlled the buffers so that the rings are
> NEVER accessible to the user from the driver they couldn't be used to amend
> commands to it (real memory access...) with a batch buffer.  I'll re-read
> things since you're claiming different from what I got from it.

The rings are in AGP space.  It's a bug in the security model of the i810;
it's arcane, but believe me it's real.

> > In addition to unmapping the buffer, the i810 kernel module emits commands
> > into the buffer itself, ensuring that the data can only be interpreted as
> > vertices.  Eg, imagine receiving a buffer full of bogus commands from a
> > spoofing app - the kernel module unmaps it from userspace, then writes at
> > the top of the buffer a command that says:  "emit the next 4096 (or
> > whatever) bytes as a tristrip".  No commands from the app can ever be
> > executed.
> 
> If the commands don't allow any access to anything system memory-wise (which
> is what you're doing in the command to start the buffer) then they can't
> overwrite anything or be used to snag memory that doesn't belong to the app.
> I'd have to double check the source code; I didn't see anything that parsed
> vertex info into DMA commands in the driver layer.  I'd expect that if it's
> entirely as you claim it is.

Let me try to summarize:

There are commands that access the system memory, but you can only emit them
from the ring.  You can get them onto the ring via the blitter from batch
buffers.  Unless the batch buffers are unmapped from userspace after they are
submitted to the ring, an untrusted app can overwrite them with the
blit-to-ring commands while they are queued for execution.

Keith
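As an added illustration (not code from the i810 driver or from either poster), a small C model of the mitigation Keith describes: the kernel revokes the user mapping at submit time and writes a "next N bytes are a tristrip" header at the top of the buffer, so whatever an app placed there is consumed as vertex data rather than executed. Opcode values, the struct and all function names are constructed placeholders, not real i810 encodings.

```c
#include <stdint.h>
#include <string.h>

#define BATCH_BYTES 4096
#define HDR_BYTES   8

/* Constructed opcodes for the model only. */
#define OP_PRIM_TRISTRIP 0x01  /* header: treat the next len bytes as vertices */
#define OP_BLIT_TO_RING  0x7e  /* stands in for any command that must never run */

struct batch {
    uint8_t data[BATCH_BYTES];
    int user_mapped;            /* 1 while userspace may still write the buffer */
};

/* Userspace write; refused once the kernel has revoked the mapping. */
int user_write(struct batch *b, size_t off, const uint8_t *src, size_t n) {
    if (!b->user_mapped || off + n > BATCH_BYTES) return -1;
    memcpy(b->data + off, src, n);
    return 0;
}

/* Kernel submit: unmap first (closes the time-of-check/time-of-use window),
 * then bracket the buffer so the ring can only see vertex data after the header. */
void kernel_submit(struct batch *b) {
    uint32_t len = BATCH_BYTES - HDR_BYTES;
    b->user_mapped = 0;
    b->data[0] = OP_PRIM_TRISTRIP;
    memcpy(b->data + 4, &len, sizeof len);   /* "emit the next len bytes as a tristrip" */
}

/* Ring consumer: returns how many words were executed as commands rather than
 * swallowed as vertex payload. Zero means the bracket held. */
size_t ring_execute(const struct batch *b) {
    size_t pos = 0, executed = 0;
    while (pos + 4 <= BATCH_BYTES) {
        if (b->data[pos] == OP_PRIM_TRISTRIP) {
            uint32_t len;
            memcpy(&len, b->data + pos + 4, sizeof len);
            pos += HDR_BYTES + len;          /* payload is data, not commands */
        } else {
            executed++;                      /* any other opcode would run */
            pos += 4;
        }
    }
    return executed;
}

/* Scenario: an app fills the buffer with forbidden commands, the kernel submits
 * it, the app tries to rewrite it afterwards. Returns the executed-command count. */
int demo(void) {
    struct batch b = { .user_mapped = 1 };
    uint8_t bogus[BATCH_BYTES];
    memset(bogus, OP_BLIT_TO_RING, sizeof bogus);
    if (user_write(&b, 0, bogus, BATCH_BYTES) != 0) return -1;
    kernel_submit(&b);
    if (user_write(&b, 0, bogus, 4) != -1) return -2;  /* mapping must be gone */
    return (int)ring_execute(&b);                        /* 0: nothing ran as a command */
}
```

Without the bracket (or with the mapping left open so the header can be overwritten after submit), the same 4096 bytes would be walked as 1024 command words.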

_______________________________________________
Dri-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/dri-devel