1. 05 Feb, 2010 3 commits
  2. 01 Feb, 2010 16 commits
  3. 25 Jan, 2010 13 commits
  4. 24 Jan, 2010 5 commits
  5. 20 Jan, 2010 3 commits
    • Jerome Glisse's avatar
      drm/radeon: r6xx/r7xx possible security issue, system ram access · c8c15ff1
      Jerome Glisse authored
      This patch workaround a possible security issue which can allow
      user to abuse drm on r6xx/r7xx hw to access any system ram memory.
      This patch doesn't break userspace, it detect "valid" old use of
      CB_COLOR[0-7]_FRAG & CB_COLOR[0-7]_TILE registers and overwritte
      the address these registers are pointing to with the one of the
      last color buffer. This workaround will work for old mesa &
      xf86-video-ati and any old user which did use similar register
      programming pattern as those (we expect that there is no others
      user of those ioctl except possibly a malicious one). This patch
      add a warning if it detects such usage, warning encourage people
      to update their mesa & xf86-video-ati. New userspace will submit
      proper relocation.
      
      Fix for xf86-video-ati / mesa (this kernel patch is enough to
      prevent abuse, fix for userspace are to set proper cs stream and
      avoid kernel warning) :
      http://cgit.freedesktop.org/xorg/driver/xf86-video-ati/commit/?id=95d63e408cc88b6934bec84a0b1ef94dfe8bee7b
      http://cgit.freedesktop.org/mesa/mesa/commit/?id=46dc6fd3ed5ef96cda53641a97bc68c3bc104a9f
      
      Abusing this register to perform system ram memory is not easy,
      here is outline on how it could be achieve. First attacker must
      have access to the drm device and be able to submit command stream
      throught cs ioctl. Then attacker must build a proper command stream
      for r6xx/r7xx hw which will abuse the FRAG or TILE buffer to
      overwrite the GPU GART which is in VRAM. To achieve so attacker
      as to setup CB_COLOR[0-7]_FRAG or CB_COLOR[0-7]_TILE to point
      to the GPU GART, then it has to find a way to write predictable
      value into those buffer (with little cleverness i believe this
      can be done but this is an hard task). Once attacker have such
      program it can overwritte GPU GART to program GPU gart to point
      anywhere in system memory. It then can reusse same method as he
      used to reprogram GART to overwritte the system ram through the
      GART mapping. In the process the attacker has to be carefull to
      not overwritte any sensitive area of the GART table, like ring
      or IB gart entry as it will more then likely lead to GPU lockup.
      Bottom line is that i think it's very hard to use this flaw
      to get system ram access but in theory one can achieve so.
      
      Side note: I am not aware of anyone ever using the GPU as an
      attack vector, nevertheless we take great care in the opensource
      driver to try to detect and forbid malicious use of GPU. I don't
      think the closed source driver are as cautious as we are.
      Signed-off-by: default avatarJerome Glisse <jglisse@redhat.com>
      Signed-off-by: default avatarDave Airlie <airlied@linux.ie>
      c8c15ff1
    • Jerome Glisse's avatar
      drm/radeon/kms: r600/r700 don't test ib if ib initialization fails · db96380e
      Jerome Glisse authored
      If ib initialization failed don't try to test ib as it will result
      in an oops (accessing NULL ib buffer ptr).
      Signed-off-by: default avatarJerome Glisse <jglisse@redhat.com>
      Signed-off-by: default avatarDave Airlie <airlied@linux.ie>
      db96380e
    • Jerome Glisse's avatar
      drm/radeon/kms: Forbid creation of framebuffer with no valid GEM object · 7e71c9e2
      Jerome Glisse authored
      This will avoid oops if at later point the fb is use. Trying to create
      a framebuffer with no valid GEM object is bogus and should be forbidden
      as this patch does.
      Signed-off-by: default avatarJerome Glisse <jglisse@redhat.com>
      Signed-off-by: default avatarDave Airlie <airlied@linux.ie>
      7e71c9e2