On Monday 18 February 2002 12:07 pm, Keith Whitwell wrote:

> The i810 has a security model that makes insecure commands in batch buffers
> into noops. Unfortunately there is a hole in the security model: you can
> emit a batch buffer with blit commands in it that blit insecure commands
> onto the ring, where they may then be executed...

I didn't see that in the documentation. If it's only working from the premise that the command stream is untrusted, it's supposed to stop operation at that point. Since the ring buffers are supposed to be in system memory, I'd have thought that if you controlled the buffers so that the rings are NEVER accessible to the user from the driver, they couldn't be used to amend commands to it (real memory access...) with a batch buffer. I'll re-read things since you're claiming different from what I got from it.

> In addition to unmapping the buffer, the i810 kernel module emits commands
> into the buffer itself, ensuring that the data can only be interpreted as
> vertices. E.g., imagine receiving a buffer full of bogus commands from a
> spoofing app - the kernel module unmaps it from userspace, then writes at
> the top of the buffer a command that says: "emit the next 4096 (or
> whatever) bytes as a tristrip". No commands from the app can ever be
> executed.

If the commands don't allow any access to anything system memory-wise (which is what you're doing in the command to start the buffer), then they can't overwrite anything or be used to snag memory that doesn't belong to the app. I'd have to double-check the source code; I didn't see anything that parsed vertex info into DMA commands in the driver layer. I'd expect that if it's entirely as you claim it is.

--
Frank Earl

_______________________________________________
Dri-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/dri-devel