From: "Pali Rohár" <pali.rohar@gmail.com>
To: Greg KH <gregkh@linuxfoundation.org>, Pavel Machek <pavel@ucw.cz>
Cc: "Dan Carpenter" <dan.carpenter@oracle.com>,
"Ivajlo Dimitrov" <ivo.g.dimitrov.75@gmail.com>,
"Ивайло Димитров" <freemangordon@abv.bg>,
sre@ring0.de, omar.ramirez@copitl.com, tony@atomide.com,
felipe.contreras@gmail.com, s-anna@ti.com, nm@ti.com,
ohad@wizery.com, stable@vger.kernel.org,
linux-kernel@vger.kernel.org, nico@ngolde.de
Subject: Re: [patch] Staging: tidspbridge: make mmap root-only so it is not a security problem
Date: Sun, 1 Dec 2013 10:47:30 +0100 [thread overview]
Message-ID: <201312011047.30468@pali> (raw)
In-Reply-To: <20131201034501.GA10803@kroah.com>
[-- Attachment #1: Type: Text/Plain, Size: 2340 bytes --]
On Sunday 01 December 2013 04:45:01 Greg KH wrote:
> On Sat, Nov 30, 2013 at 11:58:23PM +0100, Pavel Machek wrote:
> > On Sat 2013-11-30 14:05:53, Greg KH wrote:
> > > On Sat, Nov 30, 2013 at 09:42:37PM +0100, Pavel Machek wrote:
> > > > mmap in tidspbridge is missing range-checks. For now,
> > > > make this interface root-only, so that it does not
> > > > cause security problems.
> > >
> > > Please fix this properly and don't paper over the real
> > > problem here.
> >
> > Well, if the driver is left uncompilable, I'm pretty sure it
> > will bitrot.
> >
> > I do have the hardware, but I'm pretty sure current mailine
> > does not have enough support to boot Maemo, so it is non
> > trivial for me to test changes here.
> >
> > And yes, I'd like to get N900 to better shape, but there's
> > more urgent work to do there. Such as "make sure N900 still
> > boots once omap moves away from device files".
> >
> > [It seems like check should be that
> >
> > vma->vm_pgoff << PAGE_SHIFT >= pdata->phys_mempool_base and
> > vma->vm_end - vma->vm_start + (vma->vm_pgoff << PAGE_SHIFT -
> > pdata->phys_mempool_base) <= pdata->phys_mempool_size .
> >
> > But... this is some kind of DSP coprocessor, and I am not
> > sure if just exposing its address space to untrusted
> > processes is good idea.
> >
> > Heck, are you sure this is security problem in the first
> > place? Yes, it is unchecked mmap. So what? If the device is
> > 600 root.root, and if the DSP can take over main system,
> >
> > if (!capable(CAP_SYS_RAWIO))
> >
> > return -EPERM;
>
> Will that break userspace? Who opens and mmaps this device?
> If you don't know if users do this, how can you say this
> patch isn't going to break things just as much as not having
> the driver there at all?
>
> thanks,
>
> greg k-h
Maemo and harmattan userspace using gst-dsp (gstreamer plugin)
for using tidspbridge. It opening /dev/DspBridge and then it calling:
mmap(NULL, seg->size, PROT_READ | PROT_WRITE, MAP_SHARED | 0x2000 /* MAP_LOCKED */, handle, seg->base_pa);
Because it is gstreamer plugin, every application can use it (under non root too).
Can you check if above problematic kernel code is what this gst-dsp mmap calling?
--
Pali Rohár
pali.rohar@gmail.com
[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 198 bytes --]
next prev parent reply other threads:[~2013-12-01 9:47 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-11-30 9:58 Staging: tidspbridge: disable driver Ivajlo Dimitrov
2013-11-30 16:20 ` Greg KH
2013-11-30 17:27 ` Tony Lindgren
2013-11-30 19:19 ` Pavel Machek
2013-11-30 19:49 ` Dan Carpenter
2013-11-30 20:42 ` [patch] Staging: tidspbridge: make mmap root-only so it is not a security problem Pavel Machek
2013-11-30 22:05 ` Greg KH
2013-11-30 22:58 ` Pavel Machek
2013-12-01 3:45 ` Greg KH
2013-12-01 9:47 ` Pali Rohár [this message]
2013-12-01 11:26 ` Pavel Machek
2013-12-01 11:33 ` Pali Rohár
2013-12-01 9:41 ` Pali Rohár
2013-12-01 9:58 ` Ивайло Димитров
2013-12-01 12:10 ` Pavel Machek
2013-12-01 12:27 ` Dan Carpenter
2013-12-01 18:14 ` Ivajlo Dimitrov
2013-12-01 18:57 ` Pavel Machek
2013-12-01 19:28 ` Dan Carpenter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=201312011047.30468@pali \
--to=pali.rohar@gmail.com \
--cc=dan.carpenter@oracle.com \
--cc=felipe.contreras@gmail.com \
--cc=freemangordon@abv.bg \
--cc=gregkh@linuxfoundation.org \
--cc=ivo.g.dimitrov.75@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=nico@ngolde.de \
--cc=nm@ti.com \
--cc=ohad@wizery.com \
--cc=omar.ramirez@copitl.com \
--cc=pavel@ucw.cz \
--cc=s-anna@ti.com \
--cc=sre@ring0.de \
--cc=stable@vger.kernel.org \
--cc=tony@atomide.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.