From: "Pali Rohár" <pali.rohar@gmail.com>
To: Greg KH <gregkh@linuxfoundation.org>, Pavel Machek <pavel@ucw.cz>
Cc: "Dan Carpenter" <dan.carpenter@oracle.com>,
"Ivajlo Dimitrov" <ivo.g.dimitrov.75@gmail.com>,
"Ивайло Димитров" <freemangordon@abv.bg>,
sre@ring0.de, omar.ramirez@copitl.com, tony@atomide.com,
felipe.contreras@gmail.com, s-anna@ti.com, nm@ti.com,
ohad@wizery.com, stable@vger.kernel.org,
linux-kernel@vger.kernel.org, nico@ngolde.de
Subject: Re: [patch] Staging: tidspbridge: make mmap root-only so it is not a security problem
Date: Sun, 1 Dec 2013 10:47:30 +0100 [thread overview]
Message-ID: <201312011047.30468@pali> (raw)
In-Reply-To: <20131201034501.GA10803@kroah.com>
[-- Attachment #1: Type: Text/Plain, Size: 2340 bytes --]
On Sunday 01 December 2013 04:45:01 Greg KH wrote:
> On Sat, Nov 30, 2013 at 11:58:23PM +0100, Pavel Machek wrote:
> > On Sat 2013-11-30 14:05:53, Greg KH wrote:
> > > On Sat, Nov 30, 2013 at 09:42:37PM +0100, Pavel Machek wrote:
> > > > mmap in tidspbridge is missing range-checks. For now,
> > > > make this interface root-only, so that it does not
> > > > cause security problems.
> > >
> > > Please fix this properly and don't paper over the real
> > > problem here.
> >
> > Well, if the driver is left uncompilable, I'm pretty sure it
> > will bitrot.
> >
> > I do have the hardware, but I'm pretty sure current mailine
> > does not have enough support to boot Maemo, so it is non
> > trivial for me to test changes here.
> >
> > And yes, I'd like to get N900 to better shape, but there's
> > more urgent work to do there. Such as "make sure N900 still
> > boots once omap moves away from device files".
> >
> > [It seems like check should be that
> >
> > vma->vm_pgoff << PAGE_SHIFT >= pdata->phys_mempool_base and
> > vma->vm_end - vma->vm_start + (vma->vm_pgoff << PAGE_SHIFT -
> > pdata->phys_mempool_base) <= pdata->phys_mempool_size .
> >
> > But... this is some kind of DSP coprocessor, and I am not
> > sure if just exposing its address space to untrusted
> > processes is good idea.
> >
> > Heck, are you sure this is security problem in the first
> > place? Yes, it is unchecked mmap. So what? If the device is
> > 600 root.root, and if the DSP can take over main system,
> >
> > if (!capable(CAP_SYS_RAWIO))
> >
> > return -EPERM;
>
> Will that break userspace? Who opens and mmaps this device?
> If you don't know if users do this, how can you say this
> patch isn't going to break things just as much as not having
> the driver there at all?
>
> thanks,
>
> greg k-h
Maemo and harmattan userspace using gst-dsp (gstreamer plugin)
for using tidspbridge. It opening /dev/DspBridge and then it calling:
mmap(NULL, seg->size, PROT_READ | PROT_WRITE, MAP_SHARED | 0x2000 /* MAP_LOCKED */, handle, seg->base_pa);
Because it is gstreamer plugin, every application can use it (under non root too).
Can you check if above problematic kernel code is what this gst-dsp mmap calling?
--
Pali Rohár
pali.rohar@gmail.com
[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 198 bytes --]
next prev parent reply other threads:[~2013-12-01 9:47 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-11-30 9:58 Staging: tidspbridge: disable driver Ivajlo Dimitrov
2013-11-30 16:20 ` Greg KH
2013-11-30 17:27 ` Tony Lindgren
2013-11-30 19:19 ` Pavel Machek
2013-11-30 19:49 ` Dan Carpenter
2013-11-30 20:42 ` [patch] Staging: tidspbridge: make mmap root-only so it is not a security problem Pavel Machek
2013-11-30 22:05 ` Greg KH
2013-11-30 22:58 ` Pavel Machek
2013-12-01 3:45 ` Greg KH
2013-12-01 9:47 ` Pali Rohár [this message]
2013-12-01 11:26 ` Pavel Machek
2013-12-01 11:33 ` Pali Rohár
2013-12-01 9:41 ` Pali Rohár
2013-12-01 9:58 ` Ивайло Димитров
2013-12-01 12:10 ` Pavel Machek
2013-12-01 12:27 ` Dan Carpenter
2013-12-01 18:14 ` Ivajlo Dimitrov
2013-12-01 18:57 ` Pavel Machek
2013-12-01 19:28 ` Dan Carpenter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=201312011047.30468@pali \
--to=pali.rohar@gmail.com \
--cc=dan.carpenter@oracle.com \
--cc=felipe.contreras@gmail.com \
--cc=freemangordon@abv.bg \
--cc=gregkh@linuxfoundation.org \
--cc=ivo.g.dimitrov.75@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=nico@ngolde.de \
--cc=nm@ti.com \
--cc=ohad@wizery.com \
--cc=omar.ramirez@copitl.com \
--cc=pavel@ucw.cz \
--cc=s-anna@ti.com \
--cc=sre@ring0.de \
--cc=stable@vger.kernel.org \
--cc=tony@atomide.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox