All of lore.kernel.org
 help / color / mirror / Atom feed
From: Tvrtko Ursulin <tvrtko.ursulin@linux.intel.com>
To: David Herrmann <dh.herrmann@gmail.com>
Cc: intel-gfx <intel-gfx@lists.freedesktop.org>,
	dri-devel <dri-devel@lists.freedesktop.org>
Subject: Re: [PATCH 1/2] drm/core: Preserve the framebuffer after removing it.
Date: Tue, 22 Sep 2015 16:21:10 +0100	[thread overview]
Message-ID: <560171E6.7090502@linux.intel.com> (raw)
In-Reply-To: <CANq1E4RJXrwqCsxt6+Y1ckB3JkRMBmvKiRqAWyO-qB8mWSiM-w@mail.gmail.com>


On 09/22/2015 03:53 PM, David Herrmann wrote:
> Hi
>
> On Thu, Sep 10, 2015 at 12:15 PM, Tvrtko Ursulin
> <tvrtko.ursulin@linux.intel.com> wrote:
>> On 09/10/2015 10:56 AM, Daniel Vetter wrote:
>>> That's not different from the compositor just freezing instead of
>>> crashing: Screen contents stays on and nothing happens. Imo this really is
>>> all just broken userspace, and the kernel can't make sure userspace
>>> doesn't randomly fall over.
>>>
>>> What we need to make sure is that assuming things work ok-ish there's no
>>> observed regression. And I still think that's the case here.
>>
>>
>> I would disagree on the no regressions when things work okay-ish principle,
>> there should be no regressions in the pessimistic scenario when security is
>> concerned.
>>
>> If we can agree the stuck frame on screen is not desirable from the security
>> point of view, then this change does enlarge the attack surface.
>>
>> Because, apart from freezing the compositor, it now also works to crash it
>> and prevent restart. Maybe it is far fetched, but as I said, attackers have
>> much better imagination with these things.
>
> I'd much more prefer a FB flag that forces a modeset on ID removal.
> Anyone who cares for it can set it, and the kernel will make sure to
> never keep such FBs around. However, for most use-cases, we want the
> FB to stay around after close() or FB removal.
>
> Btw., I also don't see the attack scenario at all. If an attacker
> makes your compositor crash at the same moment a security-relevant
> information is shown on screen, then the information is already
> visible. Who cares that it stays visible? Sure, I can make up an
> hypothetical use-case where that matters, but I cannot think of
> something real.
> Also, if the hypothetical scenario we go for is "if the compositor
> crashes", then I guess there's bigger problems than the FB content.

It allows losing control of the sensitive information in a new way and 
so by definition results in a less secure system.

Apparently for the goal of less flicker and easier userspace 
programming. Ie. avoiding the need for a back channel, apart from the 
fact back channel has now just been moved to the kernel.

I would recommend passing this by some more security conscious eyes.

Regards,

Tvrtko
_______________________________________________
Intel-gfx mailing list
Intel-gfx@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/intel-gfx

  reply	other threads:[~2015-09-22 15:21 UTC|newest]

Thread overview: 24+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-09-09 14:40 [PATCH 0/2] Preserve framebuffer during rmfb / drm fd close Maarten Lankhorst
2015-09-09 14:40 ` [PATCH 1/2] drm/core: Preserve the framebuffer after removing it Maarten Lankhorst
2015-09-09 14:51   ` Tvrtko Ursulin
2015-09-09 15:04     ` [Intel-gfx] " Daniel Vetter
2015-09-09 15:18       ` Tvrtko Ursulin
2015-09-09 15:29         ` [Intel-gfx] " Daniel Vetter
2015-09-09 15:47           ` Tvrtko Ursulin
2015-09-09 15:56             ` [Intel-gfx] " Daniel Vetter
2015-09-09 16:03               ` Tvrtko Ursulin
2015-09-09 16:07                 ` Daniel Vetter
2015-09-09 16:15                   ` Tvrtko Ursulin
2015-09-09 16:26                     ` Maarten Lankhorst
2015-09-09 16:36                       ` Tvrtko Ursulin
2015-09-09 19:06                         ` [Intel-gfx] " Daniel Vetter
2015-09-10  9:07                           ` Tvrtko Ursulin
2015-09-10  9:56                             ` Daniel Vetter
2015-09-10 10:15                               ` Tvrtko Ursulin
2015-09-22 14:53                                 ` David Herrmann
2015-09-22 15:21                                   ` Tvrtko Ursulin [this message]
2015-10-01 16:04                                     ` [Intel-gfx] " Vincent ABRIOU
2015-09-09 15:02   ` Daniel Vetter
2015-09-22 14:43     ` David Herrmann
2015-09-09 14:40 ` [PATCH 2/2] drm/core: Preserve the fb id on close Maarten Lankhorst
2015-09-22 14:55   ` David Herrmann

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=560171E6.7090502@linux.intel.com \
    --to=tvrtko.ursulin@linux.intel.com \
    --cc=dh.herrmann@gmail.com \
    --cc=dri-devel@lists.freedesktop.org \
    --cc=intel-gfx@lists.freedesktop.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.