drm/vmwgfx: Tighten security around surface sharing v2

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

If using legacy (non-prime) surface sharing, only allow surfaces
to be shared between clients with the same master. This will block
malicious clients from peeking at contents at surfaces from other
(possibly vt-switched) masters.

v2:
s/legacy_client/primary_client/

Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
Reviewed-by: Brian Paul <brianp@vmware.com>

Thomas Hellstrom 12 years ago 6d10aab8 adebcb20

+24

1 changed file

expand all

drivers

gpu

drm

vmwgfx

vmwgfx_surface.c

+24

drivers/gpu/drm/vmwgfx/vmwgfx_surface.c

··· 36 36 * @base: The TTM base object handling user-space visibility. 37 37 * @srf: The surface metadata. 38 38 * @size: TTM accounting size for the surface. 39 + * @master: master of the creating client. Used for security check. 39 40 */ 40 41 struct vmw_user_surface { 41 42 struct ttm_prime_object prime; 42 43 struct vmw_surface srf; 43 44 uint32_t size; 45 + struct drm_master *master; 44 46 }; 45 47 46 48 /** ··· 626 624 struct vmw_private *dev_priv = srf->res.dev_priv; 627 625 uint32_t size = user_srf->size; 628 626 627 + if (user_srf->master) 628 + drm_master_put(&user_srf->master); 629 629 kfree(srf->offsets); 630 630 kfree(srf->sizes); 631 631 kfree(srf->snooper.image); ··· 823 819 824 820 user_srf->prime.base.shareable = false; 825 821 user_srf->prime.base.tfile = NULL; 822 + if (drm_is_primary_client(file_priv)) 823 + user_srf->master = drm_master_get(file_priv->master); 826 824 827 825 /** 828 826 * From this point, the generic resource management functions ··· 891 885 struct ttm_base_object **base_p) 892 886 { 893 887 struct ttm_object_file *tfile = vmw_fpriv(file_priv)->tfile; 888 + struct vmw_user_surface *user_srf; 894 889 uint32_t handle; 895 890 struct ttm_base_object *base; 896 891 int ret; ··· 922 915 } 923 916 924 917 if (handle_type != DRM_VMW_HANDLE_PRIME) { 918 + user_srf = container_of(base, struct vmw_user_surface, 919 + prime.base); 920 + 921 + /* 922 + * Make sure the surface creator has the same 923 + * authenticating master. 924 + */ 925 + if (drm_is_primary_client(file_priv) && 926 + user_srf->master != file_priv->master) { 927 + DRM_ERROR("Trying to reference surface outside of" 928 + " master domain.\n"); 929 + ret = -EACCES; 930 + goto out_bad_resource; 931 + } 932 + 925 933 ret = ttm_ref_object_add(tfile, base, TTM_REF_USAGE, NULL); 926 934 if (unlikely(ret != 0)) { 927 935 DRM_ERROR("Could not add a reference to a surface.\n"); ··· 1295 1273 1296 1274 user_srf->prime.base.shareable = false; 1297 1275 user_srf->prime.base.tfile = NULL; 1276 + if (drm_is_primary_client(file_priv)) 1277 + user_srf->master = drm_master_get(file_priv->master); 1298 1278 1299 1279 /** 1300 1280 * From this point, the generic resource management functions