Re: [PATCH] drm: Fix an unwanted master inheritance

From: Thomas Hellstrom <thellstrom@vmware.com>
To: Daniel Vetter <daniel@ffwll.ch>
Cc: pv-drivers@vmware.com, linux-graphics-maintainer@vmware.com,
	dri-devel@lists.freedesktop.org
Subject: Re: [PATCH] drm: Fix an unwanted master inheritance
Date: Mon, 30 Nov 2015 16:27:50 +0100	[thread overview]
Message-ID: <565C6AF6.70000@vmware.com> (raw)
In-Reply-To: <20151130150019.GW17050@phenom.ffwll.local>

[-- Attachment #1: Type: text/plain, Size: 1409 bytes --]

Hi,

On 11/30/2015 04:00 PM, Daniel Vetter wrote:
> On Mon, Nov 30, 2015 at 04:44:21AM -0800, Thomas Hellstrom wrote:
>> A client calling drmSetMaster() using a file descriptor that was opened
>> when another client was master would inherit the latter client's master
>> object and all it's authenticated clients.
>>
>> This is unwanted behaviour, and when this happens, instead allocate a
>> brand new master object for the client calling drmSetMaster().
>>
>> Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
> Imo makes sense. It would be great to have a testcase for this, and for
> non-kms stuff igt now has support for generic testcases that can be run on
> any driver. See for example intel-gpu-tools/tests/core_get_auth_client.c.
>
> I or Daniel Stone can help out (on irc or mail) with that.
> -Daniel

Given that this crashes the kernel by vmwgfx throwing a BUG on some
versions of SLE,
while probably all other drivers don't care, except that it's a security
issue, A generic test case involving DRM clients leaking information
between master realms would unfortunately be too resource consuming to
put together for our minimal driver team ;).

Although I used the attached C program run as root to trigger the
behavior and unconditional kernel crash on vmwgfx. On the affected SLE
versions, fd1 would represent Xorg, fd2 would represent plymouthd.

/Thomas

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: drm_master_bug.c --]
[-- Type: text/x-csrc; name="drm_master_bug.c", Size: 441 bytes --]

#include <xf86drm.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <stdlib.h>
#include <stdio.h>

int main()
{
    int fd1, fd2;

    fd1 = open("/dev/dri/card0", O_RDWR);
    if (fd1 < 0)
	exit(-1);

    fd2 = open("/dev/dri/card0", O_RDWR);
    if (fd2 < 0)
	exit(-1);

    (void) drmDropMaster(fd1);
    (void) drmSetMaster(fd2);

    close(fd2);
    close(fd1);
}

[-- Attachment #3: Type: text/plain, Size: 159 bytes --]

_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/dri-devel