public inbox for intel-gfx@lists.freedesktop.org
 help / color / mirror / Atom feed
From: Tvrtko Ursulin <tvrtko.ursulin@linux.intel.com>
To: David Herrmann <dh.herrmann@gmail.com>
Cc: intel-gfx <intel-gfx@lists.freedesktop.org>,
	dri-devel <dri-devel@lists.freedesktop.org>
Subject: Re: [PATCH 1/2] drm/core: Preserve the framebuffer after removing it.
Date: Tue, 22 Sep 2015 16:21:10 +0100	[thread overview]
Message-ID: <560171E6.7090502@linux.intel.com> (raw)
In-Reply-To: <CANq1E4RJXrwqCsxt6+Y1ckB3JkRMBmvKiRqAWyO-qB8mWSiM-w@mail.gmail.com>


On 09/22/2015 03:53 PM, David Herrmann wrote:
> Hi
>
> On Thu, Sep 10, 2015 at 12:15 PM, Tvrtko Ursulin
> <tvrtko.ursulin@linux.intel.com> wrote:
>> On 09/10/2015 10:56 AM, Daniel Vetter wrote:
>>> That's not different from the compositor just freezing instead of
>>> crashing: Screen contents stays on and nothing happens. Imo this really is
>>> all just broken userspace, and the kernel can't make sure userspace
>>> doesn't randomly fall over.
>>>
>>> What we need to make sure is that assuming things work ok-ish there's no
>>> observed regression. And I still think that's the case here.
>>
>>
>> I would disagree on the no regressions when things work okay-ish principle,
>> there should be no regressions in the pessimistic scenario when security is
>> concerned.
>>
>> If we can agree the stuck frame on screen is not desirable from the security
>> point of view, then this change does enlarge the attack surface.
>>
>> Because, apart from freezing the compositor, it now also works to crash it
>> and prevent restart. Maybe it is far fetched, but as I said, attackers have
>> much better imagination with these things.
>
> I'd much more prefer a FB flag that forces a modeset on ID removal.
> Anyone who cares for it can set it, and the kernel will make sure to
> never keep such FBs around. However, for most use-cases, we want the
> FB to stay around after close() or FB removal.
>
> Btw., I also don't see the attack scenario at all. If an attacker
> makes your compositor crash at the same moment a security-relevant
> information is shown on screen, then the information is already
> visible. Who cares that it stays visible? Sure, I can make up an
> hypothetical use-case where that matters, but I cannot think of
> something real.
> Also, if the hypothetical scenario we go for is "if the compositor
> crashes", then I guess there's bigger problems than the FB content.

It allows losing control of the sensitive information in a new way and 
so by definition results in a less secure system.

Apparently for the goal of less flicker and easier userspace 
programming. Ie. avoiding the need for a back channel, apart from the 
fact back channel has now just been moved to the kernel.

I would recommend passing this by some more security conscious eyes.

Regards,

Tvrtko
_______________________________________________
Intel-gfx mailing list
Intel-gfx@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/intel-gfx

  reply	other threads:[~2015-09-22 15:21 UTC|newest]

Thread overview: 24+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-09-09 14:40 [PATCH 0/2] Preserve framebuffer during rmfb / drm fd close Maarten Lankhorst
2015-09-09 14:40 ` [PATCH 1/2] drm/core: Preserve the framebuffer after removing it Maarten Lankhorst
2015-09-09 14:51   ` Tvrtko Ursulin
2015-09-09 15:04     ` [Intel-gfx] " Daniel Vetter
2015-09-09 15:18       ` Tvrtko Ursulin
2015-09-09 15:29         ` [Intel-gfx] " Daniel Vetter
2015-09-09 15:47           ` Tvrtko Ursulin
2015-09-09 15:56             ` [Intel-gfx] " Daniel Vetter
2015-09-09 16:03               ` Tvrtko Ursulin
2015-09-09 16:07                 ` Daniel Vetter
2015-09-09 16:15                   ` Tvrtko Ursulin
2015-09-09 16:26                     ` Maarten Lankhorst
2015-09-09 16:36                       ` Tvrtko Ursulin
2015-09-09 19:06                         ` [Intel-gfx] " Daniel Vetter
2015-09-10  9:07                           ` Tvrtko Ursulin
2015-09-10  9:56                             ` Daniel Vetter
2015-09-10 10:15                               ` Tvrtko Ursulin
2015-09-22 14:53                                 ` David Herrmann
2015-09-22 15:21                                   ` Tvrtko Ursulin [this message]
2015-10-01 16:04                                     ` [Intel-gfx] " Vincent ABRIOU
2015-09-09 15:02   ` Daniel Vetter
2015-09-22 14:43     ` David Herrmann
2015-09-09 14:40 ` [PATCH 2/2] drm/core: Preserve the fb id on close Maarten Lankhorst
2015-09-22 14:55   ` David Herrmann

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=560171E6.7090502@linux.intel.com \
    --to=tvrtko.ursulin@linux.intel.com \
    --cc=dh.herrmann@gmail.com \
    --cc=dri-devel@lists.freedesktop.org \
    --cc=intel-gfx@lists.freedesktop.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox