"Frank C. Earl" wrote:
>
> On Thursday 14 February 2002 10:33 am, Keith Whitwell wrote:
> > I haven't had a good look at security on either of these cards, but it's
> > definitely worth doing, both to find out if we're doing too little and if
> > we're doing too much.
>
> I've been looking at the i810 programmer's guide trying to understand why
> it's acceptable to send commands mixed with the vertices to it (since that
> is the same boat we're in with the RagePRO), and we might be doing too much
> in one aspect, and not enough in others. Someone should look over my
> shoulder here and see if I'm plain flat missing something...
The i810 has a security model that makes insecure commands in batch buffers
into noops. Unfortunately there is a hole in the security model: you can emit
a batch buffer with blit commands in it that blit insecure commands onto the
ring, where they may then be executed...

In addition to unmapping the buffer, the i810 kernel module emits commands
into the buffer itself, ensuring that the data can only be interpreted as
vertices. Eg, imagine receiving a buffer full of bogus commands from a
spoofing app - the kernel module unmaps it from userspace, then writes at the
top of the buffer a command that says: "emit the next 4096 (or whatever) bytes
as a tristrip". No commands from the app can ever be executed.

> The mapping/unmapping doesn't seem to buy us much in the way of protection
> and is slow. According to the documentation from Intel, the chip is designed
> to handle these situations for us. While I know the chip is slow, is it
> really needed to do this operation which is a very big bottleneck on
> performance?

Yes, unfortunately.

Keith

_______________________________________________
Dri-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/dri-devel
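The mechanism Keith describes (the kernel module overwriting the top of the user's DMA buffer with a "treat the next N bytes as a tristrip" header, so the chip can only consume the buffer as vertex data) can be modelled in a few dozen lines. The following is an added example, not code from the DRI project or the i810 driver: the command encoding, the opcodes, the interpreter and the reserved-slot convention (`buf[0]`) are all constructed for illustration. It contrasts a naive submission, where command words smuggled between vertices are decoded and executed, with the wrapped submission, where the kernel's header makes every user-supplied dword vertex data.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Toy command-stream encoding, constructed for this example (it is NOT the
 * i810's real encoding): bits 31..24 hold an opcode, bits 23..0 an operand. */
#define OP_VERTEX_BATCH 0x01u   /* operand = number of vertex dwords that follow */
#define OP_BLIT         0x02u   /* ordinary 2D copy; the mail notes it can target the ring */
#define OP_PRIV         0x03u   /* privileged op; the chip makes it a no-op in user batches */

#define MAKE_CMD(op, arg) (((uint32_t)(op) << 24) | ((uint32_t)(arg) & 0xFFFFFFu))
#define CMD_OP(w)  ((w) >> 24)
#define CMD_ARG(w) ((w) & 0xFFFFFFu)

struct exec_stats {
    size_t vertex_dwords;  /* dwords consumed as vertex data, never decoded */
    size_t blits;          /* blit commands the chip would carry out */
    size_t priv_executed;  /* privileged ops executed (kernel-originated batches only) */
    size_t priv_noop;      /* privileged ops neutralised by the chip's batch security */
};

/* Hypothetical batch interpreter mirroring the model described in the mail:
 * privileged commands in an unprivileged batch become no-ops, but blits are
 * ordinary commands and still run. */
static struct exec_stats run_batch(const uint32_t *buf, size_t n, int privileged)
{
    struct exec_stats st = {0, 0, 0, 0};
    size_t i = 0;
    while (i < n) {
        uint32_t w = buf[i++];
        switch (CMD_OP(w)) {
        case OP_VERTEX_BATCH: {
            size_t len = CMD_ARG(w);
            if (len > n - i)
                len = n - i;            /* clamp to the end of the buffer */
            st.vertex_dwords += len;
            i += len;                   /* skipped as data: no command decoding here */
            break;
        }
        case OP_BLIT:
            st.blits++;
            break;
        case OP_PRIV:
            if (privileged) st.priv_executed++; else st.priv_noop++;
            break;
        default:
            break;                      /* raw data / unknown opcode: ignored */
        }
    }
    return st;
}

/* Naive submission: the user's buffer is handed to the chip as-is, so any
 * command words the user embedded between vertices are decoded as commands. */
struct exec_stats submit_naive(const uint32_t *buf, size_t n)
{
    return run_batch(buf, n, 0);
}

/* Submission in the style the mail describes: after unmapping the buffer from
 * userspace (not modelled here), the kernel writes one header into a slot it
 * reserved at the top of the buffer, declaring everything after it to be
 * vertex data. Whatever the user wrote can then only be consumed as vertices.
 * The reserved-slot convention (buf[0]) is an assumption of this example. */
struct exec_stats submit_wrapped(uint32_t *buf, size_t n)
{
    if (n == 0)
        return run_batch(buf, 0, 0);
    buf[0] = MAKE_CMD(OP_VERTEX_BATCH, n - 1);  /* overwrites anything the user put there */
    return run_batch(buf, n, 0);
}

/* Constructed sample: a spoofing app fills the DMA buffer with a mix of real
 * vertex data and smuggled commands, including one in the reserved slot. */
#define SAMPLE_DWORDS 8
void fill_sample_buffer(uint32_t *buf)
{
    buf[0] = MAKE_CMD(OP_BLIT, 0);            /* spoofed command in the reserved slot */
    buf[1] = MAKE_CMD(OP_VERTEX_BATCH, 2);    /* looks like a legitimate tristrip header */
    buf[2] = 0x3F800000u;                     /* float 1.0f */
    buf[3] = 0x40000000u;                     /* float 2.0f */
    buf[4] = MAKE_CMD(OP_BLIT, 0x1234);       /* smuggled blit */
    buf[5] = MAKE_CMD(OP_PRIV, 0x0001);       /* smuggled privileged op */
    buf[6] = 0x40400000u;                     /* float 3.0f */
    buf[7] = 0x40800000u;                     /* float 4.0f */
}

int main(void)
{
    uint32_t buf[SAMPLE_DWORDS];
    fill_sample_buffer(buf);
    struct exec_stats a = submit_naive(buf, SAMPLE_DWORDS);
    printf("naive:   vertex=%zu blits=%zu priv_noop=%zu\n", a.vertex_dwords, a.blits, a.priv_noop);
    fill_sample_buffer(buf);
    struct exec_stats b = submit_wrapped(buf, SAMPLE_DWORDS);
    printf("wrapped: vertex=%zu blits=%zu priv_noop=%zu\n", b.vertex_dwords, b.blits, b.priv_noop);
    return 0;
}
```

The naive path shows why the chip's own no-op rule is not enough on its own: the privileged op is neutralised, but the two blits still run, which is exactly the class of command the mail says can copy insecure commands onto the ring. The wrapped path consumes all seven user dwords as vertex data, so nothing the app wrote is ever decoded. The unmap step matters for the same reason the header does: if the app could still write into the buffer after the kernel placed the header, it could shrink the header's length operand and re-expose its command words.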