Re: [patch] Staging: tidspbridge: make mmap root-only so it is not a security problem

Sun, 01 Dec 2013 01:48:55 -0800 

On Sunday 01 December 2013 04:45:01 Greg KH wrote:
> On Sat, Nov 30, 2013 at 11:58:23PM +0100, Pavel Machek wrote:
> > On Sat 2013-11-30 14:05:53, Greg KH wrote:
> > > On Sat, Nov 30, 2013 at 09:42:37PM +0100, Pavel Machek wrote:
> > > > mmap in tidspbridge is missing range-checks. For now,
> > > > make this interface root-only, so that it does not
> > > > cause security problems.
> > > 
> > > Please fix this properly and don't paper over the real
> > > problem here.
> > 
> > Well, if the driver is left uncompilable, I'm pretty sure it
> > will bitrot.
> > 
> > I do have the hardware, but I'm pretty sure current mailine
> > does not have enough support to boot Maemo, so it is non
> > trivial for me to test changes here.
> > 
> > And yes, I'd like to get N900 to better shape, but there's
> > more urgent work to do there. Such as "make sure N900 still
> > boots once omap moves away from device files".
> > 
> > [It seems like check should be that
> > 
> > vma->vm_pgoff << PAGE_SHIFT >= pdata->phys_mempool_base and
> > vma->vm_end - vma->vm_start + (vma->vm_pgoff << PAGE_SHIFT -
> > pdata->phys_mempool_base) <= pdata->phys_mempool_size .
> > 
> > But... this is some kind of DSP coprocessor, and I am not
> > sure if just exposing its address space to untrusted
> > processes is good idea.
> > 
> > Heck, are you sure this is security problem in the first
> > place? Yes, it is unchecked mmap. So what? If the device is
> > 600 root.root, and if the DSP can take over main system,
> > 
> >         if (!capable(CAP_SYS_RAWIO))
> >         
> >                 return -EPERM;
> 
> Will that break userspace?  Who opens and mmaps this device? 
> If you don't know if users do this, how can you say this
> patch isn't going to break things just as much as not having
> the driver there at all?
> 
> thanks,
> 
> greg k-h

Maemo and harmattan userspace using gst-dsp (gstreamer plugin)
for using tidspbridge. It opening /dev/DspBridge and then it calling:

mmap(NULL, seg->size, PROT_READ | PROT_WRITE, MAP_SHARED | 0x2000 /* MAP_LOCKED 
*/, handle, seg->base_pa);

Because it is gstreamer plugin, every application can use it (under non root 
too).

Can you check if above problematic kernel code is what this gst-dsp mmap 
calling?

-- 
Pali Rohár
pali.ro...@gmail.com

Attachment: signature.asc
Description: This is a digitally signed message part.

Reply via email to