From: Tvrtko Ursulin
Subject: Re: [PATCH] drm/i915: Introduce mapping of user pages into video memory (userptr) ioctl
Date: Mon, 03 Feb 2014 15:28:37 +0000
Message-ID: <52EFB5A5.3080502@linux.intel.com>
References: <1390905261-5410-4-git-send-email-chris@chris-wilson.co.uk> <1390915006-16007-1-git-send-email-chris@chris-wilson.co.uk>
To: Daniel Vetter, Chris Wilson
Cc: intel-gfx, Akash Goel
List-Id: intel-gfx@lists.freedesktop.org

On 01/29/2014 08:34 PM, Daniel Vetter wrote:
> Actually I've found something else to complain about:
>
> On Tue, Jan 28, 2014 at 2:16 PM, Chris Wilson wrote:
>> +#define I915_USERPTR_READ_ONLY 0x1
>
> This smells like an insta-root-exploit:
> 1. mmap /lib/ld-linux.so as read-only
> 2. userptr bind that mmap'ed area as READ_ONLY
> 3. blit exploit code over it
> 4. profit
>
> I also don't see a way we could fix this, at least without the
> hardware providing read-only modes in the ptes. Which also requires us
> to actually trust it to follow them, even when they exist ...

Would disallowing mapping of shared pages help and be acceptable considering intended use cases?

Tvrtko
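
Review bot: the quoted `+#define I915_USERPTR_READ_ONLY 0x1` names the flag but, as quoted, says nothing about what enforces it. Per the objection raised in the thread, the hardware offers no read-only mode in the PTEs, so the GPU can still write to pages bound with this flag. The define should carry a comment stating that READ_ONLY is not a hardware write barrier, and the ioctl should reject READ_ONLY binds of pages the caller cannot already write (or of shared pages, as proposed in the reply) rather than accept the flag as a guarantee.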