On Mon, Jan 18, 2010 at 1:01 PM, Jerome Glisse <jgli...@redhat.com> wrote:
> This patch works around a possible security issue which can allow a
> user to abuse drm on r6xx/r7xx hw to access any system RAM.
[...]
> diff --git a/drivers/gpu/drm/radeon/r600_cs.c 
> b/drivers/gpu/drm/radeon/r600_cs.c
> index 44060b9..edafc7b 100644
> --- a/drivers/gpu/drm/radeon/r600_cs.c
> +++ b/drivers/gpu/drm/radeon/r600_cs.c
> @@ -503,9 +531,61 @@ static int r600_packet3_check(struct radeon_cs_parser *p,
>                for (i = 0; i < pkt->count; i++) {
>                        reg = start_reg + (4 * i);
>                        switch (reg) {
> +                       /* This register were added late, there is userspace
> +                        * which does provide relocation for those but set
> +                        * 0 offset. In order to avoid breaking old userspace
> +                        * we detect this and set address to point to last
> +                        * CB_COLOR0_BASE, note that if userspace doesn't set
> +                        * CB_COLOR0_BASE before this register we will report
> +                        * error. Old userspace always set CB_COLOR0_BASE
> +                        * before any of this.
> +                        */
> +                       case R_0280E0_CB_COLOR0_FRAG:
> +                       case R_0280E4_CB_COLOR1_FRAG:
> +                       case R_0280E8_CB_COLOR2_FRAG:
> +                       case R_0280EC_CB_COLOR3_FRAG:
> +                       case R_0280F0_CB_COLOR4_FRAG:
> +                       case R_0280F4_CB_COLOR5_FRAG:
> +                       case R_0280F8_CB_COLOR6_FRAG:
> +                       case R_0280FC_CB_COLOR7_FRAG:
> +                       case R_0280C0_CB_COLOR0_TILE:
> +                       case R_0280C4_CB_COLOR1_TILE:
> +                       case R_0280C8_CB_COLOR2_TILE:
> +                       case R_0280CC_CB_COLOR3_TILE:
> +                       case R_0280D0_CB_COLOR4_TILE:
> +                       case R_0280D4_CB_COLOR5_TILE:
> +                       case R_0280D8_CB_COLOR6_TILE:
> +                       case R_0280DC_CB_COLOR7_TILE:
> +                               if (!r600_cs_packet_next_is_pkt3_nop(p)) {
> +                                       if (!track->cb_color0_base_last) {
> +                                               dev_err(p->dev, "Broken old 
> userspace ? no cb_color0_base supplied"
> +                                                       "before trying to 
> write 0x%08X\n", reg);

Cosmetic issue: a space is missing between "supplied" and "before".

Luca