lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:	Mon, 18 Jan 2010 13:54:17 +0100
From:	Luca Tettamanti <kronos.it@...il.com>
To:	Jerome Glisse <jglisse@...hat.com>
Cc:	airlied@...il.com, linux-kernel@...r.kernel.org,
	dri-devel@...ts.sf.net
Subject: Re: [PATCH] drm/radeon: r6xx/r7xx possible security issue, system ram 
	access

On Mon, Jan 18, 2010 at 1:01 PM, Jerome Glisse <jglisse@...hat.com> wrote:
> This patch workaround a possible security issue which can allow
> user to abuse drm on r6xx/r7xx hw to access any system ram memory.
[...]
> diff --git a/drivers/gpu/drm/radeon/r600_cs.c b/drivers/gpu/drm/radeon/r600_cs.c
> index 44060b9..edafc7b 100644
> --- a/drivers/gpu/drm/radeon/r600_cs.c
> +++ b/drivers/gpu/drm/radeon/r600_cs.c
> @@ -503,9 +531,61 @@ static int r600_packet3_check(struct radeon_cs_parser *p,
>                for (i = 0; i < pkt->count; i++) {
>                        reg = start_reg + (4 * i);
>                        switch (reg) {
> +                       /* This register were added late, there is userspace
> +                        * which does provide relocation for those but set
> +                        * 0 offset. In order to avoid breaking old userspace
> +                        * we detect this and set address to point to last
> +                        * CB_COLOR0_BASE, note that if userspace doesn't set
> +                        * CB_COLOR0_BASE before this register we will report
> +                        * error. Old userspace always set CB_COLOR0_BASE
> +                        * before any of this.
> +                        */
> +                       case R_0280E0_CB_COLOR0_FRAG:
> +                       case R_0280E4_CB_COLOR1_FRAG:
> +                       case R_0280E8_CB_COLOR2_FRAG:
> +                       case R_0280EC_CB_COLOR3_FRAG:
> +                       case R_0280F0_CB_COLOR4_FRAG:
> +                       case R_0280F4_CB_COLOR5_FRAG:
> +                       case R_0280F8_CB_COLOR6_FRAG:
> +                       case R_0280FC_CB_COLOR7_FRAG:
> +                       case R_0280C0_CB_COLOR0_TILE:
> +                       case R_0280C4_CB_COLOR1_TILE:
> +                       case R_0280C8_CB_COLOR2_TILE:
> +                       case R_0280CC_CB_COLOR3_TILE:
> +                       case R_0280D0_CB_COLOR4_TILE:
> +                       case R_0280D4_CB_COLOR5_TILE:
> +                       case R_0280D8_CB_COLOR6_TILE:
> +                       case R_0280DC_CB_COLOR7_TILE:
> +                               if (!r600_cs_packet_next_is_pkt3_nop(p)) {
> +                                       if (!track->cb_color0_base_last) {
> +                                               dev_err(p->dev, "Broken old userspace ? no cb_color0_base supplied"
> +                                                       "before trying to write 0x%08X\n", reg);

Cosmetic issue: a space is missing between "supplied" and "before".

Luca

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ