From mboxrd@z Thu Jan  1 00:00:00 1970
From: Jerome Glisse <j.glisse@gmail.com>
Subject: Re: [PATCH 2/5] drm/radeon: add userptr flag to limit it to
 anonymous memory v2
Date: Wed, 6 Aug 2014 14:34:16 -0400
Message-ID: <20140806183415.GA4716@gmail.com>
References: <1407254732-8332-1-git-send-email-deathsimple@vodafone.de>
 <1407254732-8332-2-git-send-email-deathsimple@vodafone.de>
 <20140805173932.GA2854@gmail.com> <53E11831.1010809@vodafone.de>
 <20140805221334.GA3991@gmail.com> <53E1D160.4040804@vodafone.de>
 <20140806160847.GA3142@gmail.com> <53E26325.8070309@vodafone.de>
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Return-path: <dri-devel-bounces@lists.freedesktop.org>
Received: from mail-qa0-f46.google.com (mail-qa0-f46.google.com
 [209.85.216.46])
 by gabe.freedesktop.org (Postfix) with ESMTP id 98AC56E308
 for <dri-devel@lists.freedesktop.org>; Wed,  6 Aug 2014 11:40:54 -0700 (PDT)
Received: by mail-qa0-f46.google.com with SMTP id v10so2888572qac.5
 for <dri-devel@lists.freedesktop.org>; Wed, 06 Aug 2014 11:40:54 -0700 (PDT)
Content-Disposition: inline
In-Reply-To: <53E26325.8070309@vodafone.de>
List-Unsubscribe: <http://lists.freedesktop.org/mailman/options/dri-devel>,
 <mailto:dri-devel-request@lists.freedesktop.org?subject=unsubscribe>
List-Archive: <http://lists.freedesktop.org/archives/dri-devel>
List-Post: <mailto:dri-devel@lists.freedesktop.org>
List-Help: <mailto:dri-devel-request@lists.freedesktop.org?subject=help>
List-Subscribe: <http://lists.freedesktop.org/mailman/listinfo/dri-devel>,
 <mailto:dri-devel-request@lists.freedesktop.org?subject=subscribe>
Errors-To: dri-devel-bounces@lists.freedesktop.org
Sender: "dri-devel" <dri-devel-bounces@lists.freedesktop.org>
To: Christian =?iso-8859-1?Q?K=F6nig?= <deathsimple@vodafone.de>
Cc: dri-devel@lists.freedesktop.org
List-Id: dri-devel@lists.freedesktop.org

On Wed, Aug 06, 2014 at 07:17:25PM +0200, Christian K=F6nig wrote:
> Am 06.08.2014 um 18:08 schrieb Jerome Glisse:
> >On Wed, Aug 06, 2014 at 08:55:28AM +0200, Christian K=F6nig wrote:
> >>Am 06.08.2014 um 00:13 schrieb Jerome Glisse:
> >>>On Tue, Aug 05, 2014 at 07:45:21PM +0200, Christian K=F6nig wrote:
> >>>>Am 05.08.2014 um 19:39 schrieb Jerome Glisse:
> >>>>>On Tue, Aug 05, 2014 at 06:05:29PM +0200, Christian K=F6nig wrote:
> >>>>>>From: Christian K=F6nig <christian.koenig@amd.com>
> >>>>>>
> >>>>>>Avoid problems with writeback by limiting userptr to anonymous memo=
ry.
> >>>>>>
> >>>>>>v2: add commit and code comments
> >>>>>I guess, i have not expressed myself clearly. This is bogus, you pre=
tend
> >>>>>you want to avoid writeback issue but you still allow userspace to m=
ap
> >>>>>file backed pages (which by the way might be a regular bo object from
> >>>>>another device for instance and that would be fun).
> >>>>>
> >>>>>So this patch is a no go and i would rather see that this userptr to
> >>>>>be restricted to anon vma only no matter what. No flags here.
> >>>>Mapping of non anonymous memory (e.g. everything get_user_pages won't=
 fail
> >>>>with) is restricted to read only access by the GPU.
> >>>>
> >>>>I'm fine with making it a hard requirement for all mappings if you sa=
y it's
> >>>>a must have.
> >>>>
> >>>Well for time being you should force read only. The way you implement =
write
> >>>is broken. Here is how it can abuse to allow write to a file backed mm=
ap.
> >>>
> >>>mmap(fixaddress,fixedsize,NOFD)
> >>>userptr_ioctl(fixedaddress, RADEON_GEM_USERPTR_ANONONLY)
> >>>// bo is created successfully because fixedaddress is part of anonvma
> >>>munmap(fixedaddress,fixedsize)
> >>>// radeon get mmu_notifier_range_start callback and unbind page from t=
he
> >>>// bo but radeon does not know there was an unmap.
> >>>mmap(fixaddress,fixedsize,fd_to_this_read_only_file_i_want_to_write_to)
> >>>radeon_ioctl_use_my_userptrbo
> >>>// bo is bind again by radeon and because all flag are set at creation
> >>>// it is map with write permission allowing someone to write to a file
> >>>// that might be read only for the user.
> >>>//
> >>>// Script kiddies it's time to learn about gpu ...
> >>>
> >>>Of course if you this patch (kind of selling my own junk here) :
> >>>
> >>>http://www.spinics.net/lists/linux-mm/msg75878.html
> >>>
> >>>then you could know inside the range_start that you should remove the
> >>>write permission and that it should be rechecked on next bind.
> >>>
> >>>Note that i have not read much of your code so maybe you handle this
> >>>case somehow.
> >>I've stumbled over this attack vector as well and it's the reason why I=
've
> >>moved checking the access rights to the bind callback instead of BO cre=
ation
> >>time with V5 of the patch.
> >>
> >>This way you get an -EFAULT if you try something like this on command
> >>submission time.
> >So you seem immune to that issue but you are still not checking if the a=
non
> >vma is writeable which you should again security concern here.
> =

> We check the access rights of the pointer using:
> >        if (!access_ok(write ? VERIFY_WRITE : VERIFY_READ,
> >(long)gtt->userptr,
> >                       ttm->num_pages * PAGE_SIZE))
> >                return -EFAULT;
> =

> Shouldn't that be enough?

No, access_ok only check against special area on some architecture and i am
pretty sure on x86 the VERIFY_WRITE or VERIFY_READ is just flat out ignored.

What you need to test is the vma vm_flags somethings like

if (write && !(vma->vm_flags VM_WRITE))
   return -EPERM;

Which need to happen on all bind.

Cheers,
J=E9r=F4me

> =

> Christian.
> =

> >
> >Cheers,
> >J=E9r=F4me
> =