diff options
author | Thomas Hellstrom <thellstrom@vmware.com> | 2014-03-19 05:45:11 -0400 |
---|---|---|
committer | Thomas Hellstrom <thellstrom@vmware.com> | 2014-03-28 09:19:03 -0400 |
commit | 6d10aab8f0658d624e5aafcd52b70afa23a75e5e (patch) | |
tree | 8ead3c5e0a3bacf4ff5eb3f876a9e880aa4f9d58 | |
parent | adebcb20e4ca9330a293c294e1f104edba21dbaf (diff) |
drm/vmwgfx: Tighten security around surface sharing v2
If using legacy (non-prime) surface sharing, only allow surfaces
to be shared between clients with the same master. This will block
malicious clients from peeking at contents at surfaces from other
(possibly vt-switched) masters.
v2:
s/legacy_client/primary_client/
Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
Reviewed-by: Brian Paul <brianp@vmware.com>
-rw-r--r-- | drivers/gpu/drm/vmwgfx/vmwgfx_surface.c | 24 |
1 files changed, 24 insertions, 0 deletions
diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c index d50cd76378c4..4ecdbf3e59da 100644 --- a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c | |||
@@ -36,11 +36,13 @@ | |||
36 | * @base: The TTM base object handling user-space visibility. | 36 | * @base: The TTM base object handling user-space visibility. |
37 | * @srf: The surface metadata. | 37 | * @srf: The surface metadata. |
38 | * @size: TTM accounting size for the surface. | 38 | * @size: TTM accounting size for the surface. |
39 | * @master: master of the creating client. Used for security check. | ||
39 | */ | 40 | */ |
40 | struct vmw_user_surface { | 41 | struct vmw_user_surface { |
41 | struct ttm_prime_object prime; | 42 | struct ttm_prime_object prime; |
42 | struct vmw_surface srf; | 43 | struct vmw_surface srf; |
43 | uint32_t size; | 44 | uint32_t size; |
45 | struct drm_master *master; | ||
44 | }; | 46 | }; |
45 | 47 | ||
46 | /** | 48 | /** |
@@ -624,6 +626,8 @@ static void vmw_user_surface_free(struct vmw_resource *res) | |||
624 | struct vmw_private *dev_priv = srf->res.dev_priv; | 626 | struct vmw_private *dev_priv = srf->res.dev_priv; |
625 | uint32_t size = user_srf->size; | 627 | uint32_t size = user_srf->size; |
626 | 628 | ||
629 | if (user_srf->master) | ||
630 | drm_master_put(&user_srf->master); | ||
627 | kfree(srf->offsets); | 631 | kfree(srf->offsets); |
628 | kfree(srf->sizes); | 632 | kfree(srf->sizes); |
629 | kfree(srf->snooper.image); | 633 | kfree(srf->snooper.image); |
@@ -819,6 +823,8 @@ int vmw_surface_define_ioctl(struct drm_device *dev, void *data, | |||
819 | 823 | ||
820 | user_srf->prime.base.shareable = false; | 824 | user_srf->prime.base.shareable = false; |
821 | user_srf->prime.base.tfile = NULL; | 825 | user_srf->prime.base.tfile = NULL; |
826 | if (drm_is_primary_client(file_priv)) | ||
827 | user_srf->master = drm_master_get(file_priv->master); | ||
822 | 828 | ||
823 | /** | 829 | /** |
824 | * From this point, the generic resource management functions | 830 | * From this point, the generic resource management functions |
@@ -885,6 +891,7 @@ vmw_surface_handle_reference(struct vmw_private *dev_priv, | |||
885 | struct ttm_base_object **base_p) | 891 | struct ttm_base_object **base_p) |
886 | { | 892 | { |
887 | struct ttm_object_file *tfile = vmw_fpriv(file_priv)->tfile; | 893 | struct ttm_object_file *tfile = vmw_fpriv(file_priv)->tfile; |
894 | struct vmw_user_surface *user_srf; | ||
888 | uint32_t handle; | 895 | uint32_t handle; |
889 | struct ttm_base_object *base; | 896 | struct ttm_base_object *base; |
890 | int ret; | 897 | int ret; |
@@ -915,6 +922,21 @@ vmw_surface_handle_reference(struct vmw_private *dev_priv, | |||
915 | } | 922 | } |
916 | 923 | ||
917 | if (handle_type != DRM_VMW_HANDLE_PRIME) { | 924 | if (handle_type != DRM_VMW_HANDLE_PRIME) { |
925 | user_srf = container_of(base, struct vmw_user_surface, | ||
926 | prime.base); | ||
927 | |||
928 | /* | ||
929 | * Make sure the surface creator has the same | ||
930 | * authenticating master. | ||
931 | */ | ||
932 | if (drm_is_primary_client(file_priv) && | ||
933 | user_srf->master != file_priv->master) { | ||
934 | DRM_ERROR("Trying to reference surface outside of" | ||
935 | " master domain.\n"); | ||
936 | ret = -EACCES; | ||
937 | goto out_bad_resource; | ||
938 | } | ||
939 | |||
918 | ret = ttm_ref_object_add(tfile, base, TTM_REF_USAGE, NULL); | 940 | ret = ttm_ref_object_add(tfile, base, TTM_REF_USAGE, NULL); |
919 | if (unlikely(ret != 0)) { | 941 | if (unlikely(ret != 0)) { |
920 | DRM_ERROR("Could not add a reference to a surface.\n"); | 942 | DRM_ERROR("Could not add a reference to a surface.\n"); |
@@ -1273,6 +1295,8 @@ int vmw_gb_surface_define_ioctl(struct drm_device *dev, void *data, | |||
1273 | 1295 | ||
1274 | user_srf->prime.base.shareable = false; | 1296 | user_srf->prime.base.shareable = false; |
1275 | user_srf->prime.base.tfile = NULL; | 1297 | user_srf->prime.base.tfile = NULL; |
1298 | if (drm_is_primary_client(file_priv)) | ||
1299 | user_srf->master = drm_master_get(file_priv->master); | ||
1276 | 1300 | ||
1277 | /** | 1301 | /** |
1278 | * From this point, the generic resource management functions | 1302 | * From this point, the generic resource management functions |