From patchwork Thu Mar 27 20:23:19 2014
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Thomas Hellstrom <thellstrom@vmware.com>
X-Patchwork-Id: 3899691
Return-Path: <dri-devel-bounces@lists.freedesktop.org>
X-Original-To: patchwork-dri-devel@patchwork.kernel.org
Delivered-To: patchwork-parsemail@patchwork1.web.kernel.org
Received: from mail.kernel.org (mail.kernel.org [198.145.19.201])
	by patchwork1.web.kernel.org (Postfix) with ESMTP id 962BB9F2E8
	for <patchwork-dri-devel@patchwork.kernel.org>;
	Thu, 27 Mar 2014 20:23:47 +0000 (UTC)
Received: from mail.kernel.org (localhost [127.0.0.1])
	by mail.kernel.org (Postfix) with ESMTP id A1122201B4
	for <patchwork-dri-devel@patchwork.kernel.org>;
	Thu, 27 Mar 2014 20:23:46 +0000 (UTC)
Received: from gabe.freedesktop.org (gabe.freedesktop.org [131.252.210.177])
	by mail.kernel.org (Postfix) with ESMTP id C1A2320237
	for <patchwork-dri-devel@patchwork.kernel.org>;
	Thu, 27 Mar 2014 20:23:45 +0000 (UTC)
Received: from gabe.freedesktop.org (localhost [127.0.0.1])
	by gabe.freedesktop.org (Postfix) with ESMTP id 196316EAAC;
	Thu, 27 Mar 2014 13:23:45 -0700 (PDT)
X-Original-To: dri-devel@lists.freedesktop.org
Delivered-To: dri-devel@lists.freedesktop.org
Received: from smtp-outbound-2.vmware.com (smtp-outbound-2.vmware.com
	[208.91.2.13])
	by gabe.freedesktop.org (Postfix) with ESMTP id 9AF8B6EAAD
	for <dri-devel@lists.freedesktop.org>;
	Thu, 27 Mar 2014 13:23:42 -0700 (PDT)
Received: from sc9-mailhost3.vmware.com (sc9-mailhost3.vmware.com
	[10.113.161.73])
	by smtp-outbound-2.vmware.com (Postfix) with ESMTP id 6DDCD281EA
	for <dri-devel@lists.freedesktop.org>;
	Thu, 27 Mar 2014 13:23:42 -0700 (PDT)
Received: from zcs-prod-mta-1.vmware.com (zcs-prod-mta-1.vmware.com
	[10.113.163.63])
	by sc9-mailhost3.vmware.com (Postfix) with ESMTP id 6A59E40621
	for <dri-devel@lists.freedesktop.org>;
	Thu, 27 Mar 2014 13:23:42 -0700 (PDT)
Received: from zcs-prod-mta-1 (localhost.localdomain [127.0.0.1])
	by zcs-prod-mta-1.vmware.com (Postfix) with ESMTP id 5CB56E010D;
	Thu, 27 Mar 2014 13:23:42 -0700 (PDT)
Received: from ubuntu.localdomain (unknown [10.113.160.14])
	by zcs-prod-mta-1.vmware.com (Postfix) with ESMTPSA;
	Thu, 27 Mar 2014 13:23:41 -0700 (PDT)
From: Thomas Hellstrom <thellstrom@vmware.com>
To: dri-devel@lists.freedesktop.org
Subject: [PATCH 12/16] drm/vmwgfx: Tighten security around surface sharing v2
Date: Thu, 27 Mar 2014 21:23:19 +0100
Message-Id: <1395951799-3666-4-git-send-email-thellstrom@vmware.com>
X-Mailer: git-send-email 1.7.10.4
In-Reply-To: <1395951799-3666-1-git-send-email-thellstrom@vmware.com>
References: <1395951799-3666-1-git-send-email-thellstrom@vmware.com>
Cc: Thomas Hellstrom <thellstrom@vmware.com>
X-BeenThere: dri-devel@lists.freedesktop.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Direct Rendering Infrastructure - Development
	<dri-devel.lists.freedesktop.org>
List-Unsubscribe: <http://lists.freedesktop.org/mailman/options/dri-devel>,
	<mailto:dri-devel-request@lists.freedesktop.org?subject=unsubscribe>
List-Archive: <http://lists.freedesktop.org/archives/dri-devel>
List-Post: <mailto:dri-devel@lists.freedesktop.org>
List-Help: <mailto:dri-devel-request@lists.freedesktop.org?subject=help>
List-Subscribe: <http://lists.freedesktop.org/mailman/listinfo/dri-devel>,
	<mailto:dri-devel-request@lists.freedesktop.org?subject=subscribe>
MIME-Version: 1.0
Errors-To: dri-devel-bounces@lists.freedesktop.org
Sender: "dri-devel" <dri-devel-bounces@lists.freedesktop.org>
X-Spam-Status: No, score=-4.6 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_MED,
	RP_MATCHES_RCVD, UNPARSEABLE_RELAY autolearn=unavailable version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

If using legacy (non-prime) surface sharing, only allow surfaces
to be shared between clients with the same master. This will block
malicious clients from peeking at contents at surfaces from other
(possibly vt-switched) masters.

v2:
s/legacy_client/primary_client/

Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
Reviewed-by: Brian Paul <brianp@vmware.com>
---
 drivers/gpu/drm/vmwgfx/vmwgfx_surface.c |   24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
index d50cd76..4ecdbf3 100644
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
@@ -36,11 +36,13 @@
  * @base:           The TTM base object handling user-space visibility.
  * @srf:            The surface metadata.
  * @size:           TTM accounting size for the surface.
+ * @master:         master of the creating client. Used for security check.
  */
 struct vmw_user_surface {
 	struct ttm_prime_object prime;
 	struct vmw_surface srf;
 	uint32_t size;
+	struct drm_master *master;
 };
 
 /**
@@ -624,6 +626,8 @@ static void vmw_user_surface_free(struct vmw_resource *res)
 	struct vmw_private *dev_priv = srf->res.dev_priv;
 	uint32_t size = user_srf->size;
 
+	if (user_srf->master)
+		drm_master_put(&user_srf->master);
 	kfree(srf->offsets);
 	kfree(srf->sizes);
 	kfree(srf->snooper.image);
@@ -819,6 +823,8 @@ int vmw_surface_define_ioctl(struct drm_device *dev, void *data,
 
 	user_srf->prime.base.shareable = false;
 	user_srf->prime.base.tfile = NULL;
+	if (drm_is_primary_client(file_priv))
+		user_srf->master = drm_master_get(file_priv->master);
 
 	/**
 	 * From this point, the generic resource management functions
@@ -885,6 +891,7 @@ vmw_surface_handle_reference(struct vmw_private *dev_priv,
 			     struct ttm_base_object **base_p)
 {
 	struct ttm_object_file *tfile = vmw_fpriv(file_priv)->tfile;
+	struct vmw_user_surface *user_srf;
 	uint32_t handle;
 	struct ttm_base_object *base;
 	int ret;
@@ -915,6 +922,21 @@ vmw_surface_handle_reference(struct vmw_private *dev_priv,
 	}
 
 	if (handle_type != DRM_VMW_HANDLE_PRIME) {
+		user_srf = container_of(base, struct vmw_user_surface,
+					prime.base);
+
+		/*
+		 * Make sure the surface creator has the same
+		 * authenticating master.
+		 */
+		if (drm_is_primary_client(file_priv) &&
+		    user_srf->master != file_priv->master) {
+			DRM_ERROR("Trying to reference surface outside of"
+				  " master domain.\n");
+			ret = -EACCES;
+			goto out_bad_resource;
+		}
+
 		ret = ttm_ref_object_add(tfile, base, TTM_REF_USAGE, NULL);
 		if (unlikely(ret != 0)) {
 			DRM_ERROR("Could not add a reference to a surface.\n");
@@ -1273,6 +1295,8 @@ int vmw_gb_surface_define_ioctl(struct drm_device *dev, void *data,
 
 	user_srf->prime.base.shareable = false;
 	user_srf->prime.base.tfile = NULL;
+	if (drm_is_primary_client(file_priv))
+		user_srf->master = drm_master_get(file_priv->master);
 
 	/**
 	 * From this point, the generic resource management functions