Please do not reply to this email: if you want to comment on the bug, go to
the URL shown below and enter your comments there.
 
https://freedesktop.org/bugzilla/show_bug.cgi?id=1803        
   
           Summary: Security issue: insufficient locking checks in DRM code
           Product: xorg
           Version: CVS_head
          Platform: Other
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Lib/GLX
        AssignedTo: [EMAIL PROTECTED]
        ReportedBy: [EMAIL PROTECTED]


http://www.mail-archive.com/dri-devel%40lists.sourceforge.net/msg20254.html 
 
Michel Dänzer wrote:
> On Mon, 2004-11-01 at 14:21 +0100, Thomas Hellström wrote:
>
>> Hmm, correct me if I'm wrong, but after a brief check in the code, it
>> seems like the current _DRM_LOCK_IS_HELD() used in dma buffer
>> submission IOCTLS just checks that the lock is indeed held, but not if
>> it is held by the current caller. Thus any authorized client should be
>> able to sneak in DMA commands while the lock is held by another client
>> or the X server. -> potential system crash.
>
> Hence _DRM_LOCK_IS_HELD() always seems to be (supposed to be)
> accompanied by another test that verifies the ownership.
 
   
 Michael,  
  
 I just checked i830_dma.c, i915_dma.c and via_dma.c, and _DRM_LOCK_IS_HELD() 
is used without such a test, AFAICT. 
  
 The correct macro to call seems to be 
 LOCK_TEST_WITH_RETURN() 
 which does incorporate such a test. 
  
 In fact, the use of _DRM_LOCK_IS_HELD() here should allow malfunctioning or 
malicious SMP dri clients to modify internal drm data structures and DMA 
ring-buffers simultaneously?  
  
 /Thomas        
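
Added example (not part of the original message and not the DRM source): a simplified user-space model of the two checks discussed above, showing that a "lock is held" test accepts a submission from a client that does not own the lock, while a test that also compares the owner rejects it. The struct layout and all model_*/submit_* names are hypothetical; only the idea of a held bit in the lock word plus a recorded owner is taken from the discussion.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

/* Model of the lock word: top bit = held, low bits = holder's context id. */
#define MODEL_LOCK_HELD          0x80000000u
#define MODEL_LOCK_IS_HELD(lock) ((lock) & MODEL_LOCK_HELD)

struct model_file { int id; };        /* stands in for one client's open file */
struct model_dev {
    volatile uint32_t hw_lock;        /* shared lock word */
    struct model_file *lock_owner;    /* client that took the lock */
    unsigned ring_writes;             /* submissions accepted so far */
};

/* Take the lock on behalf of one client (no contention handling in this model). */
void model_lock(struct model_dev *dev, struct model_file *owner, uint32_t ctx)
{
    dev->hw_lock = MODEL_LOCK_HELD | ctx;
    dev->lock_owner = owner;
}

/* Weak check: passes whenever anyone holds the lock; the caller is ignored. */
int submit_weak(struct model_dev *dev, struct model_file *caller)
{
    (void)caller;
    if (!MODEL_LOCK_IS_HELD(dev->hw_lock))
        return -EINVAL;
    dev->ring_writes++;               /* ring touched without owning the lock */
    return 0;
}

/* Ownership check: the lock must be held and held by this caller. */
int submit_checked(struct model_dev *dev, struct model_file *caller)
{
    if (!MODEL_LOCK_IS_HELD(dev->hw_lock) || dev->lock_owner != caller)
        return -EINVAL;
    dev->ring_writes++;
    return 0;
}

int main(void)
{
    struct model_file xserver = { 1 }, other = { 2 };  /* constructed clients */
    struct model_dev dev = { 0, NULL, 0 };

    model_lock(&dev, &xserver, 1);
    /* Exit status 0 means: weak check let the non-owner in, checked one did not. */
    return !(submit_weak(&dev, &other) == 0 &&
             submit_checked(&dev, &other) == -EINVAL);
}
```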
   
   