On Fre, 2003-02-14 at 17:42, John Bartoszewski wrote: > On Wed, Feb 12, 2003 at 08:19:35PM -0500, Mike A. Harris wrote: > > On Wed, 12 Feb 2003, John Bartoszewski wrote: > > > > Heard comments from whom? And what specific security problems? > > What source code files are these problems in? Or are they just > > what-if rumors? > > The sources at the time could not point me to any specific > reports, just that the had read them somewhere. > > Since then I have concluded that they were talking about the > 1999 paper: > http://dri.sourceforge.net/doc/security_low_level.html > > and specifically the possible ability of a DRI client to use DMA > to read and write anywhere in memory.
I can only talk about the Radeon and Rage128 DRI drivers. The only possibility I'm aware of to do something like that with those is to dispatch an indirect buffer with commands for the chip's command processor, which only root (i.e. normally the X server) can do. There is a potential problem though: all clients have all indirect buffers mapped and thus can read from and write to buffers other clients have allocated. This makes a DoS by crashing the chip relatively easy, but I think it would be very hard to exploit for system memory access, if at all possible. Also keep in mind that access to the DRI can be controlled via ownership and permissions of the /dev/dri/cardX devices. -- Earthling Michel Dänzer (MrCooper)/ Debian GNU/Linux (powerpc) developer XFree86 and DRI project member / CS student, Free Software enthusiast ------------------------------------------------------- This SF.NET email is sponsored by: FREE SSL Guide from Thawte are you planning your Web Server Security? Click here to get a FREE Thawte SSL guide and find the answers to all your SSL security issues. http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0026en _______________________________________________ Dri-devel mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/dri-devel