forge/linux-pinenote
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
linux-pinenote/drivers/gpu/drm
History
Jerome Glisse c8c15ff1e9 drm/radeon: r6xx/r7xx possible security issue, system ram access 
This patch workaround a possible security issue which can allow
user to abuse drm on r6xx/r7xx hw to access any system ram memory.
This patch doesn't break userspace, it detect "valid" old use of
CB_COLOR[0-7]_FRAG & CB_COLOR[0-7]_TILE registers and overwritte
the address these registers are pointing to with the one of the
last color buffer. This workaround will work for old mesa &
xf86-video-ati and any old user which did use similar register
programming pattern as those (we expect that there is no others
user of those ioctl except possibly a malicious one). This patch
add a warning if it detects such usage, warning encourage people
to update their mesa & xf86-video-ati. New userspace will submit
proper relocation.

Fix for xf86-video-ati / mesa (this kernel patch is enough to
prevent abuse, fix for userspace are to set proper cs stream and
avoid kernel warning) :
http://cgit.freedesktop.org/xorg/driver/xf86-video-ati/commit/?id=95d63e408cc88b6934bec84a0b1ef94dfe8bee7b
http://cgit.freedesktop.org/mesa/mesa/commit/?id=46dc6fd3ed5ef96cda53641a97bc68c3bc104a9f

Abusing this register to perform system ram memory is not easy,
here is outline on how it could be achieve. First attacker must
have access to the drm device and be able to submit command stream
throught cs ioctl. Then attacker must build a proper command stream
for r6xx/r7xx hw which will abuse the FRAG or TILE buffer to
overwrite the GPU GART which is in VRAM. To achieve so attacker
as to setup CB_COLOR[0-7]_FRAG or CB_COLOR[0-7]_TILE to point
to the GPU GART, then it has to find a way to write predictable
value into those buffer (with little cleverness i believe this
can be done but this is an hard task). Once attacker have such
program it can overwritte GPU GART to program GPU gart to point
anywhere in system memory. It then can reusse same method as he
used to reprogram GART to overwritte the system ram through the
GART mapping. In the process the attacker has to be carefull to
not overwritte any sensitive area of the GART table, like ring
or IB gart entry as it will more then likely lead to GPU lockup.
Bottom line is that i think it's very hard to use this flaw
to get system ram access but in theory one can achieve so.

Side note: I am not aware of anyone ever using the GPU as an
attack vector, nevertheless we take great care in the opensource
driver to try to detect and forbid malicious use of GPU. I don't
think the closed source driver are as cautious as we are.

Signed-off-by: Jerome Glisse <jglisse@redhat.com>
Signed-off-by: Dave Airlie <airlied@linux.ie>
2010-01-21 08:49:32 +10:00
..
i2c drm/nouveau: Add DRM driver for NVIDIA GPUs 2009-12-11 21:29:34 +10:00
i810 drm: convert drm_ioctl to unlocked_ioctl 2009-12-18 11:22:31 +10:00
i830 drm: convert drm_ioctl to unlocked_ioctl 2009-12-18 11:22:31 +10:00
i915 drm: convert drm_ioctl to unlocked_ioctl 2009-12-18 11:22:31 +10:00
mga drm: convert drm_ioctl to unlocked_ioctl 2009-12-18 11:22:31 +10:00
nouveau drm: convert drm_ioctl to unlocked_ioctl 2009-12-18 11:22:31 +10:00
r128 drm: convert drm_ioctl to unlocked_ioctl 2009-12-18 11:22:31 +10:00
radeon drm/radeon: r6xx/r7xx possible security issue, system ram access 2010-01-21 08:49:32 +10:00
savage drm: convert drm_ioctl to unlocked_ioctl 2009-12-18 11:22:31 +10:00
sis drm: convert drm_ioctl to unlocked_ioctl 2009-12-18 11:22:31 +10:00
tdfx drm: convert drm_ioctl to unlocked_ioctl 2009-12-18 11:22:31 +10:00
ttm drm/ttm: Fix memory type manager debug information printing 2009-12-16 15:36:26 +10:00
via drm: convert drm_ioctl to unlocked_ioctl 2009-12-18 11:22:31 +10:00
vmwgfx drm/vmwgfx: Use TTM handles instead of SIDs as user-space surface handles. 2009-12-23 10:06:24 +10:00
ati_pcigart.c drm/ati_pcigart: use memset_io to reset the memory 2009-03-13 14:24:14 +10:00
drm_agpsupport.c agp: switch AGP to use page array instead of unsigned long array 2009-06-19 10:21:42 +10:00
drm_auth.c drm: Remove memory debugging infrastructure. 2009-06-18 13:00:33 -07:00
drm_bufs.c drm: fix _DRM_GEM addmap error message 2009-09-18 14:34:06 +10:00
drm_cache.c drm: fix drm_cache.c for arch with no support. 2009-09-02 09:41:13 +10:00
drm_context.c drm: Remove memory debugging infrastructure. 2009-06-18 13:00:33 -07:00
drm_crtc.c drm: Add eDP connector type 2010-01-08 13:04:04 +10:00
drm_crtc_helper.c drm: disable all the possible outputs/crtcs before entering KMS mode 2009-12-09 13:28:07 +10:00
drm_debugfs.c drm: drm_debugfs, check kmalloc retval 2009-07-15 15:55:37 +10:00
drm_dma.c drm: Remove memory debugging infrastructure. 2009-06-18 13:00:33 -07:00
drm_dp_i2c_helper.c Merge remote branch 'anholt/drm-intel-next' into drm-linus 2009-12-08 14:03:47 +10:00
drm_drawable.c drm: Remove memory debugging infrastructure. 2009-06-18 13:00:33 -07:00
drm_drv.c drm: convert drm_ioctl to unlocked_ioctl 2009-12-18 11:22:31 +10:00
drm_edid.c drm/kms: silencing a false positive warning. 2009-12-23 10:09:09 +10:00
drm_encoder_slave.c drm: fixup include file in drm_encoder_slave 2009-08-13 13:31:54 +10:00
drm_fb_helper.c Merge branch 'drm-core-next' into drm-linus 2009-12-08 13:52:41 +10:00
drm_fops.c drm: Add support for drm master_[set|drop] callbacks. 2009-12-04 08:55:46 +10:00
drm_gem.c drm: make sure page protections are updated after changing vm_flags 2009-11-24 13:02:30 +10:00
drm_hashtab.c drm: Remove memory debugging infrastructure. 2009-06-18 13:00:33 -07:00
drm_info.c drm: merge Linux master into HEAD 2009-03-28 20:22:18 -04:00
drm_ioc32.c drm: convert drm_ioctl to unlocked_ioctl 2009-12-18 11:22:31 +10:00
drm_ioctl.c drm: Remove memory debugging infrastructure. 2009-06-18 13:00:33 -07:00
drm_irq.c drm: Avoid calling vblank function is vblank wasn't initialized 2010-01-08 13:12:09 +10:00
drm_lock.c drm: Avoid client deadlocks when the master disappears. 2009-03-03 09:50:20 +10:00
drm_memory.c agp: switch AGP to use page array instead of unsigned long array 2009-06-19 10:21:42 +10:00
drm_mm.c drm/mm: fix logic for selection of best fit block 2009-12-23 10:08:08 +10:00
drm_modes.c drm/modes: Add drm_mode_hsync() 2009-12-04 08:53:22 +10:00
drm_pci.c drm: Remove memory debugging infrastructure. 2009-06-18 13:00:33 -07:00
drm_proc.c drm: use proc_create_data() 2009-08-31 09:37:22 +10:00
drm_scatter.c drm: Remove memory debugging infrastructure. 2009-06-18 13:00:33 -07:00
drm_sman.c drm: Remove memory debugging infrastructure. 2009-06-18 13:00:33 -07:00
drm_stub.c drm: Export symbols needed for the vmwgfx driver. 2009-12-07 15:22:08 +10:00
drm_sysfs.c Merge branch 'drm-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/airlied/drm-2.6 2009-09-21 08:10:09 -07:00
drm_vm.c const: mark struct vm_struct_operations 2009-09-27 11:39:25 -07:00
Kconfig drm/i915: Select CONFIG_SHMEM 2009-11-25 12:27:42 -08:00
Makefile Merge remote branch 'korg/drm-vmware-staging' into drm-core-next 2009-12-18 09:53:50 +10:00
README.drm

README.drm 

************************************************************
* For the very latest on DRI development, please see:      *
*     http://dri.freedesktop.org/                          *
************************************************************

The Direct Rendering Manager (drm) is a device-independent kernel-level
device driver that provides support for the XFree86 Direct Rendering
Infrastructure (DRI).

The DRM supports the Direct Rendering Infrastructure (DRI) in four major
ways:

    1. The DRM provides synchronized access to the graphics hardware via
       the use of an optimized two-tiered lock.

    2. The DRM enforces the DRI security policy for access to the graphics
       hardware by only allowing authenticated X11 clients access to
       restricted regions of memory.

    3. The DRM provides a generic DMA engine, complete with multiple
       queues and the ability to detect the need for an OpenGL context
       switch.

    4. The DRM is extensible via the use of small device-specific modules
       that rely extensively on the API exported by the DRM module.


Documentation on the DRI is available from:
    http://dri.freedesktop.org/wiki/Documentation
    http://sourceforge.net/project/showfiles.php?group_id=387
    http://dri.sourceforge.net/doc/

For specific information about kernel-level support, see:

    The Direct Rendering Manager, Kernel Support for the Direct Rendering
    Infrastructure
    http://dri.sourceforge.net/doc/drm_low_level.html

    Hardware Locking for the Direct Rendering Infrastructure
    http://dri.sourceforge.net/doc/hardware_locking_low_level.html

    A Security Analysis of the Direct Rendering Infrastructure
    http://dri.sourceforge.net/doc/security_low_level.html