New compat_alloc_user_space() GPLness and fglrx

New compat_alloc_user_space() GPLness and fglrx

[Henrique de Moraes Holschuh]

commit c41d68a513c71e35a14f66d71782d27a79a81ea6
compat: Make compat_alloc_user_space() incorporate the access_ok()

promotes compat_alloc_user_space() to EXPORT_SYMBOL_GPL, and moves it from
asm/compat.h to linux/compat.h.

This breaks AMD/ATI's proprietary fglrx GPU driver, which wants to use
compat_alloc_user_space(), and expects to find it in asm/compat.h.

Fixing this on the fglrx side is easy enough, one can simply audit the two
or three call sites in the fglrx glue and make sure they can use
arch_compat_alloc_user_space() safely.

But such a fix doesn't look right.  IMHO, either we don't want any non-GPL
module touching *_compat_alloc_user_space and compat_alloc_user_space, or it
would be better to let them use compat_alloc_user_space() in the interest of
overall security...

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh

Re: New compat_alloc_user_space() GPLness and fglrx

[Arnd Bergmann]

On Saturday 18 September 2010 03:42:32 Henrique de Moraes Holschuh wrote:
> promotes compat_alloc_user_space() to EXPORT_SYMBOL_GPL, and moves it from
> asm/compat.h to linux/compat.h.
> 
> This breaks AMD/ATI's proprietary fglrx GPU driver, which wants to use
> compat_alloc_user_space(), and expects to find it in asm/compat.h.
> 
> Fixing this on the fglrx side is easy enough, one can simply audit the two
> or three call sites in the fglrx glue and make sure they can use
> arch_compat_alloc_user_space() safely.
> 
> But such a fix doesn't look right.  IMHO, either we don't want any non-GPL
> module touching *_compat_alloc_user_space and compat_alloc_user_space, or it
> would be better to let them use compat_alloc_user_space() in the interest of
> overall security...

Right, don't use arch_compat_alloc_user_space(), that would be worse.

compat_alloc_user_space is still a horrible hack and shouldn't be used
at all if possible. Just fix the code to either not require compat
ioctl handling or split out the common code from the native ioctl
function and pass it a kernel data structure, which you copy from user
space in different ways depending on where you come from.

	Arnd

Re: New compat_alloc_user_space() GPLness and fglrx

[Henrique de Moraes Holschuh]

On Sat, 18 Sep 2010, Arnd Bergmann wrote:
> On Saturday 18 September 2010 03:42:32 Henrique de Moraes Holschuh wrote:
> > promotes compat_alloc_user_space() to EXPORT_SYMBOL_GPL, and moves it from
> > asm/compat.h to linux/compat.h.
> > 
> > This breaks AMD/ATI's proprietary fglrx GPU driver, which wants to use
> > compat_alloc_user_space(), and expects to find it in asm/compat.h.
> > 
> > Fixing this on the fglrx side is easy enough, one can simply audit the two
> > or three call sites in the fglrx glue and make sure they can use
> > arch_compat_alloc_user_space() safely.
> > 
> > But such a fix doesn't look right.  IMHO, either we don't want any non-GPL
> > module touching *_compat_alloc_user_space and compat_alloc_user_space, or it
> > would be better to let them use compat_alloc_user_space() in the interest of
> > overall security...
> 
> Right, don't use arch_compat_alloc_user_space(), that would be worse.
> 
> compat_alloc_user_space is still a horrible hack and shouldn't be used
> at all if possible. Just fix the code to either not require compat
> ioctl handling or split out the common code from the native ioctl
> function and pass it a kernel data structure, which you copy from user
> space in different ways depending on where you come from.

Well, that means ATI needs to mess with the insides of their binary
blob... Anyone knows of a channel to talk to them?  Someone must tell
them about this, I am just an unwilling user of fglrx (R600 support in
the open drivers is nowhere near what I need yet).

Meanwhile, what is the solution?  Keep using (the newly named)
arch_compat_alloc_user_space()?

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh

Re: New compat_alloc_user_space() GPLness and fglrx

[Arnd Bergmann]

On Saturday 18 September 2010, Henrique de Moraes Holschuh wrote:
> Well, that means ATI needs to mess with the insides of their binary
> blob... Anyone knows of a channel to talk to them?  Someone must tell
> them about this, I am just an unwilling user of fglrx (R600 support in
> the open drivers is nowhere near what I need yet).
> 
> Meanwhile, what is the solution?  Keep using (the newly named)
> arch_compat_alloc_user_space()?

Since you don't know how that is used in the driver, that could
very well keep the security hole open as long as the driver is loaded.

You still have the obvious options that you won't like:

1. stay on an older (broken) kernel
2. don't use fglrx until this is fixed
3. copy the new compat_alloc_user_space as an inline function
   into the wrapper module (possibly making it undistributable)

	Arnd