From mboxrd@z Thu Jan 1 00:00:00 1970 From: =?windows-1252?Q?Christian_K=F6nig?= Subject: Re: [PATCH 2/5] drm/radeon: add userptr flag to limit it to anonymous memory v2 Date: Wed, 06 Aug 2014 19:17:25 +0200 Message-ID: <53E26325.8070309@vodafone.de> References: <1407254732-8332-1-git-send-email-deathsimple@vodafone.de> <1407254732-8332-2-git-send-email-deathsimple@vodafone.de> <20140805173932.GA2854@gmail.com> <53E11831.1010809@vodafone.de> <20140805221334.GA3991@gmail.com> <53E1D160.4040804@vodafone.de> <20140806160847.GA3142@gmail.com> Mime-Version: 1.0 Content-Type: text/plain; charset="windows-1252"; Format="flowed" Content-Transfer-Encoding: quoted-printable Return-path: Received: from pegasos-out.vodafone.de (pegasos-out.vodafone.de [80.84.1.38]) by gabe.freedesktop.org (Postfix) with ESMTP id 04D6A6E2A7 for ; Wed, 6 Aug 2014 10:18:02 -0700 (PDT) In-Reply-To: <20140806160847.GA3142@gmail.com> List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dri-devel-bounces@lists.freedesktop.org Sender: "dri-devel" To: Jerome Glisse Cc: dri-devel@lists.freedesktop.org List-Id: dri-devel@lists.freedesktop.org Am 06.08.2014 um 18:08 schrieb Jerome Glisse: > On Wed, Aug 06, 2014 at 08:55:28AM +0200, Christian K=F6nig wrote: >> Am 06.08.2014 um 00:13 schrieb Jerome Glisse: >>> On Tue, Aug 05, 2014 at 07:45:21PM +0200, Christian K=F6nig wrote: >>>> Am 05.08.2014 um 19:39 schrieb Jerome Glisse: >>>>> On Tue, Aug 05, 2014 at 06:05:29PM +0200, Christian K=F6nig wrote: >>>>>> From: Christian K=F6nig >>>>>> >>>>>> Avoid problems with writeback by limiting userptr to anonymous memor= y. >>>>>> >>>>>> v2: add commit and code comments >>>>> I guess, i have not expressed myself clearly. This is bogus, you pret= end >>>>> you want to avoid writeback issue but you still allow userspace to map >>>>> file backed pages (which by the way might be a regular bo object from >>>>> another device for instance and that would be fun). >>>>> >>>>> So this patch is a no go and i would rather see that this userptr to >>>>> be restricted to anon vma only no matter what. No flags here. >>>> Mapping of non anonymous memory (e.g. everything get_user_pages won't = fail >>>> with) is restricted to read only access by the GPU. >>>> >>>> I'm fine with making it a hard requirement for all mappings if you say= it's >>>> a must have. >>>> >>> Well for time being you should force read only. The way you implement w= rite >>> is broken. Here is how it can abuse to allow write to a file backed mma= p. >>> >>> mmap(fixaddress,fixedsize,NOFD) >>> userptr_ioctl(fixedaddress, RADEON_GEM_USERPTR_ANONONLY) >>> // bo is created successfully because fixedaddress is part of anonvma >>> munmap(fixedaddress,fixedsize) >>> // radeon get mmu_notifier_range_start callback and unbind page from the >>> // bo but radeon does not know there was an unmap. >>> mmap(fixaddress,fixedsize,fd_to_this_read_only_file_i_want_to_write_to) >>> radeon_ioctl_use_my_userptrbo >>> // bo is bind again by radeon and because all flag are set at creation >>> // it is map with write permission allowing someone to write to a file >>> // that might be read only for the user. >>> // >>> // Script kiddies it's time to learn about gpu ... >>> >>> Of course if you this patch (kind of selling my own junk here) : >>> >>> http://www.spinics.net/lists/linux-mm/msg75878.html >>> >>> then you could know inside the range_start that you should remove the >>> write permission and that it should be rechecked on next bind. >>> >>> Note that i have not read much of your code so maybe you handle this >>> case somehow. >> I've stumbled over this attack vector as well and it's the reason why I'= ve >> moved checking the access rights to the bind callback instead of BO crea= tion >> time with V5 of the patch. >> >> This way you get an -EFAULT if you try something like this on command >> submission time. > So you seem immune to that issue but you are still not checking if the an= on > vma is writeable which you should again security concern here. We check the access rights of the pointer using: > if (!access_ok(write ? VERIFY_WRITE : VERIFY_READ, = > (long)gtt->userptr, > ttm->num_pages * PAGE_SIZE)) > return -EFAULT; Shouldn't that be enough? Christian. > > Cheers, > J=E9r=F4me