• D
    drm: fix DRM_IOCTL_MODE_GETFB handle-leak · 101b96f3
    David Herrmann 提交于
    DRM_IOCTL_MODE_GETFB is used to retrieve information about a given
    framebuffer ID. It is a read-only helper and was thus declassified for
    unprivileged access in:
    
      commit a14b1b42
      Author: Mandeep Singh Baines <mandeep.baines@gmail.com>
      Date:   Fri Jan 20 12:11:16 2012 -0800
    
          drm: remove master fd restriction on mode setting getters
    
    However, alongside width, height and stride information,
    DRM_IOCTL_MODE_GETFB also passes back a handle to the underlying buffer of
    the framebuffer. This handle allows users to mmap() it and read or write
    into it. Obviously, this should be restricted to DRM-Master.
    
    With the current setup, *any* process with access to /dev/dri/card0 (which
    means any process with access to hardware-accelerated rendering) can
    access the current screen framebuffer and modify it ad libitum.
    
    For backwards-compatibility reasons we want to keep the
    DRM_IOCTL_MODE_GETFB call unprivileged. Besides, it provides quite useful
    information regarding screen setup. So we simply test whether the caller
    is the current DRM-Master and if not, we return 0 as handle, which is
    always invalid. A following DRM_IOCTL_GEM_CLOSE on this handle will fail
    with EINVAL, but we accept this. Users shouldn't test for errors during
    GEM_CLOSE, anyway. And it is still better as a failing MODE_GETFB call.
    
    v2: add capable(CAP_SYS_ADMIN) check for compatibility with i-g-t
    
    Cc: <stable@vger.kernel.org>
    Signed-off-by: NDavid Herrmann <dh.herrmann@gmail.com>
    Reviewed-by: NChris Wilson <chris@chris-wilson.co.uk>
    Signed-off-by: NDave Airlie <airlied@redhat.com>
    101b96f3
drm_crtc.c 103.8 KB