From mboxrd@z Thu Jan 1 00:00:00 1970
From: Thomas Hellstrom
Subject: Re: [PATCH] drm: Fix an unwanted master inheritance
Date: Mon, 30 Nov 2015 16:27:50 +0100
Message-ID: <565C6AF6.70000@vmware.com>
References: <1448887461-3175-1-git-send-email-thellstrom@vmware.com> <20151130150019.GW17050@phenom.ffwll.local>
In-Reply-To: <20151130150019.GW17050@phenom.ffwll.local>
To: Daniel Vetter
Cc: pv-drivers@vmware.com, linux-graphics-maintainer@vmware.com, dri-devel@lists.freedesktop.org
List-Id: dri-devel@lists.freedesktop.org

Hi,

On 11/30/2015 04:00 PM, Daniel Vetter wrote:
> On Mon, Nov 30, 2015 at 04:44:21AM -0800, Thomas Hellstrom wrote:
>> A client calling drmSetMaster() using a file descriptor that was opened
>> when another client was master would inherit the latter client's master
>> object and all its authenticated clients.
>>
>> This is unwanted behaviour, and when this happens, instead allocate a
>> brand new master object for the client calling drmSetMaster().
>>
>> Signed-off-by: Thomas Hellstrom
> Imo makes sense. It would be great to have a testcase for this, and for
> non-kms stuff igt now has support for generic testcases that can be run on
> any driver. See for example intel-gpu-tools/tests/core_get_auth_client.c.
>
> I or Daniel Stone can help out (on irc or mail) with that.
> -Daniel

Given that this crashes the kernel by vmwgfx throwing a BUG on some
versions of SLE, while probably all other drivers don't care, except that
it's a security issue, a generic test case involving DRM clients leaking
information between master realms would unfortunately be too resource
consuming to put together for our minimal driver team ;).

Although I used the attached C program run as root to trigger the behavior
and unconditional kernel crash on vmwgfx. On the affected SLE versions, fd1
would represent Xorg, fd2 would represent plymouthd.

/Thomas

Attachment: drm_master_bug.c

#include <fcntl.h>
#include <stdlib.h>
#include <unistd.h>
#include <xf86drm.h>

int main(void)
{
	int fd1, fd2;

	/* fd1 is opened first. */
	fd1 = open("/dev/dri/card0", O_RDWR);
	if (fd1 < 0)
		exit(-1);

	/* fd2 is opened while fd1 is still open. */
	fd2 = open("/dev/dri/card0", O_RDWR);
	if (fd2 < 0)
		exit(-1);

	/* fd1 gives up master, then fd2 requests it. */
	(void) drmDropMaster(fd1);
	(void) drmSetMaster(fd2);

	close(fd2);
	close(fd1);

	return 0;
}
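
Added example, not part of the original mail and not the kernel patch: a simplified user-space model of the inheritance described in the commit message above, run through the call sequence of drm_master_bug.c. The structures, the function names and the created_master flag are assumptions made for illustration.

```c
/* Simplified user-space model of DRM master realms: hypothetical names, not kernel code. */
#include <stdbool.h>
#include <stdio.h>

struct master { int n_auth; };            /* authenticated clients in this realm */
struct device { struct master pool[4]; int used; struct master *cur; };
struct file   { struct master *master; bool is_master, created_master; };

/* First opener creates the master object; later openers reference the current master's realm. */
static void model_open(struct device *d, struct file *f)
{
    f->created_master = f->is_master = (d->cur == NULL);
    f->master = d->cur ? d->cur : (d->cur = &d->pool[d->used++]);
}

static void model_drop_master(struct device *d, struct file *f)
{
    if (f->is_master) { f->is_master = false; d->cur = NULL; }
}

/* fixed: a caller that did not create its master object gets a brand new one. */
static int model_set_master(struct device *d, struct file *f, bool fixed)
{
    if (d->cur) return -1;                /* someone else is still master */
    if (fixed && !f->created_master) {
        f->master = &d->pool[d->used++];  /* fresh realm, no clients */
        f->created_master = true;
    }
    f->is_master = true;
    d->cur = f->master;
    return 0;
}

/* Call sequence of drm_master_bug.c; returns fd1-realm clients now under fd2. */
static int inherited_clients(bool fixed)
{
    struct device dev = { .used = 0 };
    struct file fd1 = { 0 }, fd2 = { 0 };
    model_open(&dev, &fd1);               /* fd1 is the first master */
    fd1.master->n_auth = 2;               /* constructed: two authenticated clients */
    model_open(&dev, &fd2);               /* opened while fd1 is master */
    model_drop_master(&dev, &fd1);
    return model_set_master(&dev, &fd2, fixed) ? -1 : fd2.master->n_auth;
}

int main(void)
{
    printf("%d %d\n", inherited_clients(false), inherited_clients(true));
    return 0;
}
```

In the model, the unfixed path leaves fd2 as master over the realm that still holds fd1's two authenticated clients, while the fixed path gives it an empty realm.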