microsoft
/
WSL2-Linux-Kernel
зеркало из https://github.com/microsoft/WSL2-Linux-Kernel.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

drm/vmwgfx: Tighten security around surface sharing v2 

If using legacy (non-prime) surface sharing, only allow surfaces
to be shared between clients with the same master. This will block
malicious clients from peeking at contents at surfaces from other
(possibly vt-switched) masters.

v2:
s/legacy_client/primary_client/

Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
Reviewed-by: Brian Paul <brianp@vmware.com>
This commit is contained in:
Thomas Hellstrom 2014-03-19 10:45:11 +01:00
Родитель adebcb20e4
Коммит 6d10aab8f0
1 изменённых файлов: 24 добавлений и 0 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

24
drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
Просмотреть файл

@ -36,11 +36,13 @@
* @base: The TTM base object handling user-space visibility. * @base: The TTM base object handling user-space visibility.
* @srf: The surface metadata. * @srf: The surface metadata.
* @size: TTM accounting size for the surface. * @size: TTM accounting size for the surface.
* @master: master of the creating client. Used for security check.
*/ */
struct vmw_user_surface { struct vmw_user_surface {
struct ttm_prime_object prime; struct ttm_prime_object prime;
struct vmw_surface srf; struct vmw_surface srf;
uint32_t size; uint32_t size;
struct drm_master *master;
}; };
/** /**
@ -624,6 +626,8 @@ static void vmw_user_surface_free(struct vmw_resource *res)
struct vmw_private *dev_priv = srf->res.dev_priv; struct vmw_private *dev_priv = srf->res.dev_priv;
uint32_t size = user_srf->size; uint32_t size = user_srf->size;
if (user_srf->master)
drm_master_put(&user_srf->master);
kfree(srf->offsets); kfree(srf->offsets);
kfree(srf->sizes); kfree(srf->sizes);
kfree(srf->snooper.image); kfree(srf->snooper.image);
@ -819,6 +823,8 @@ int vmw_surface_define_ioctl(struct drm_device *dev, void *data,
user_srf->prime.base.shareable = false; user_srf->prime.base.shareable = false;
user_srf->prime.base.tfile = NULL; user_srf->prime.base.tfile = NULL;
if (drm_is_primary_client(file_priv))
user_srf->master = drm_master_get(file_priv->master);
/** /**
* From this point, the generic resource management functions * From this point, the generic resource management functions
@ -885,6 +891,7 @@ vmw_surface_handle_reference(struct vmw_private *dev_priv,
struct ttm_base_object **base_p) struct ttm_base_object **base_p)
{ {
struct ttm_object_file *tfile = vmw_fpriv(file_priv)->tfile; struct ttm_object_file *tfile = vmw_fpriv(file_priv)->tfile;
struct vmw_user_surface *user_srf;
uint32_t handle; uint32_t handle;
struct ttm_base_object *base; struct ttm_base_object *base;
int ret; int ret;
@ -915,6 +922,21 @@ vmw_surface_handle_reference(struct vmw_private *dev_priv,
} }
if (handle_type != DRM_VMW_HANDLE_PRIME) { if (handle_type != DRM_VMW_HANDLE_PRIME) {
user_srf = container_of(base, struct vmw_user_surface,
prime.base);
/*
* Make sure the surface creator has the same
* authenticating master.
*/
if (drm_is_primary_client(file_priv) &&
user_srf->master != file_priv->master) {
DRM_ERROR("Trying to reference surface outside of"
" master domain.\n");
ret = -EACCES;
goto out_bad_resource;
}
ret = ttm_ref_object_add(tfile, base, TTM_REF_USAGE, NULL); ret = ttm_ref_object_add(tfile, base, TTM_REF_USAGE, NULL);
if (unlikely(ret != 0)) { if (unlikely(ret != 0)) {
DRM_ERROR("Could not add a reference to a surface.\n"); DRM_ERROR("Could not add a reference to a surface.\n");
@ -1273,6 +1295,8 @@ int vmw_gb_surface_define_ioctl(struct drm_device *dev, void *data,
user_srf->prime.base.shareable = false; user_srf->prime.base.shareable = false;
user_srf->prime.base.tfile = NULL; user_srf->prime.base.tfile = NULL;
if (drm_is_primary_client(file_priv))
user_srf->master = drm_master_get(file_priv->master);
/** /**
* From this point, the generic resource management functions * From this point, the generic resource management functions