From patchwork Mon May 27 08:17:29 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Emil Velikov X-Patchwork-Id: 10962229 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 0271213AD for ; Mon, 27 May 2019 08:19:20 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id E89C428A05 for ; Mon, 27 May 2019 08:19:19 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id DCE1628AB7; Mon, 27 May 2019 08:19:19 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-5.2 required=2.0 tests=BAYES_00,DKIM_ADSP_CUSTOM_MED, FREEMAIL_FROM,MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED autolearn=ham version=3.3.1 Received: from gabe.freedesktop.org (gabe.freedesktop.org [131.252.210.177]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id 45D0E28A05 for ; Mon, 27 May 2019 08:19:19 +0000 (UTC) Received: from gabe.freedesktop.org (localhost [127.0.0.1]) by gabe.freedesktop.org (Postfix) with ESMTP id C1D9089831; Mon, 27 May 2019 08:19:15 +0000 (UTC) X-Original-To: dri-devel@lists.freedesktop.org Delivered-To: dri-devel@lists.freedesktop.org Received: from mail-wm1-x342.google.com (mail-wm1-x342.google.com [IPv6:2a00:1450:4864:20::342]) by gabe.freedesktop.org (Postfix) with ESMTPS id DA93289791; Mon, 27 May 2019 08:19:14 +0000 (UTC) Received: by mail-wm1-x342.google.com with SMTP id t5so14877215wmh.3; Mon, 27 May 2019 01:19:14 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=4VoQ1zIsBrLpc/Iweg3AnxDqnQQ32BWk7DUxP8iFack=; b=ocYwLOIuqu6G3r8pkXEreyMkj0VryS8B526M6dQqpECBvUsmHSzVYivVxRXUbXPHAd LJag2r+6WdpJAGkp/NBKl7iGXlS8ewLYFrqrZYlpW+T+qic6RQaWYk8xHRz63q8+HkE7 Heydzzn/7yRTtX7Q2eu6j3GZvcHxDgm5e9EyKrhCQnj89k0OYI+u9zZu1QRLLH44C7YR QyfX1kRuNxKpFJOFW4G9CSJDo6eVHGj3y5y9FHqB8QhHx0q1+sk1U1EAFDUD/c464piL 8aWvmrrBq1Q1bUucyIqLcIQ8D4up0nNSpw2fy0zOU4FIpkQlLf0uTLA5nLy2SfhsSm/I VW1g== X-Gm-Message-State: APjAAAV6Zj5xy9HhD1W7Z7gPP+fQ6ECeQvWIB5IXX7rzgrd65nSI0SlZ SgbPTa7LiVrF8lU54iXowCpQHTYg X-Google-Smtp-Source: APXvYqxAj7R3cd6JOPhNZoFWxIyP6rneBrfg50I65SKdPfA+ycRMrnHgRK2ei6xXj6siX7OTBxgVqw== X-Received: by 2002:a1c:9c8c:: with SMTP id f134mr9129478wme.95.1558945153256; Mon, 27 May 2019 01:19:13 -0700 (PDT) Received: from localhost.localdomain (cpc91192-cmbg18-2-0-cust374.5-4.cable.virginm.net. [80.6.113.119]) by smtp.gmail.com with ESMTPSA id a124sm7511876wmh.3.2019.05.27.01.19.12 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 27 May 2019 01:19:12 -0700 (PDT) From: Emil Velikov To: dri-devel@lists.freedesktop.org Subject: [PATCH 01/13] drm/amdgpu: introduce and honour DRM_FORCE_AUTH workaround Date: Mon, 27 May 2019 09:17:29 +0100 Message-Id: <20190527081741.14235-1-emil.l.velikov@gmail.com> X-Mailer: git-send-email 2.21.0 MIME-Version: 1.0 X-Mailman-Original-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=4VoQ1zIsBrLpc/Iweg3AnxDqnQQ32BWk7DUxP8iFack=; b=oGvE1p0J0Egq3p74gmZugfdomaGEhOCqtbkZ7yfLSq/8b5oxpu5T+mypYxkQDnHSPR kh8tzr+Umo20IkdQhIsqX4M80PKgzR20MWNooOPAkke7YLN5d9BLjpHXb9P8JjafuOsW niGM3oDOB4G5HSm70e3zMfzgGrrbNtx+YNKJprB0MvOVERmHuqOWItbWzaADpwK/+aD6 gYZyF2tMGXFjftn9NtZr9EODhOaqDiYcIUylN7W24zPC8mK/HmRohw4SmkPxS0LMNVGm YU3Q5oIQriSVHSceWGC/KVnyPehaHXsZPktXOUO+I4u3L8rHv1WfikylAw7aJ4zh5ka4 tipw== X-BeenThere: dri-devel@lists.freedesktop.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: Direct Rendering Infrastructure - Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: David Airlie , emil.l.velikov@gmail.com, amd-gfx@lists.freedesktop.org, Alex Deucher , =?utf-8?q?Christian_K=C3=B6nig?= Errors-To: dri-devel-bounces@lists.freedesktop.org Sender: "dri-devel" X-Virus-Scanned: ClamAV using ClamSMTP From: Emil Velikov Currently one can circumvent DRM_AUTH, when the ioctl is exposed via the render node. A seemingly deliberate design decision. Hence we can drop the DRM_AUTH all together (details in follow-up patch) yet not all userspace checks if it's authenticated, but instead uses uncommon assumptions. After days of digging through git log and testing, only a single (ab)use was spotted - the Mesa RADV driver, using the AMDGPU_INFO ioctl and assuming that failure implies lack of authentication. Affected versions are: - the whole 18.2.x series, which is EOL - the whole 18.3.x series, which is EOL - the 19.0.x series, prior to 19.0.4 Add a special quirk for that case, thus we can drop DRM_AUTH bits as mentioned earlier. Since all the affected userspace is EOL, we also add a kconfig option to disable this quirk. The whole approach is inspired by DRIVER_KMS_LEGACY_CONTEXT Cc: Alex Deucher Cc: Christian König Cc: amd-gfx@lists.freedesktop.org Cc: David Airlie Cc: Daniel Vetter Signed-off-by: Emil Velikov --- drivers/gpu/drm/amd/amdgpu/Kconfig | 16 ++++++++++++++++ drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c | 12 +++++++++++- drivers/gpu/drm/drm_ioctl.c | 5 +++++ include/drm/drm_ioctl.h | 17 +++++++++++++++++ 4 files changed, 49 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/amd/amdgpu/Kconfig b/drivers/gpu/drm/amd/amdgpu/Kconfig index 9221e5489069..da415f445187 100644 --- a/drivers/gpu/drm/amd/amdgpu/Kconfig +++ b/drivers/gpu/drm/amd/amdgpu/Kconfig @@ -40,6 +40,22 @@ config DRM_AMDGPU_GART_DEBUGFS Selecting this option creates a debugfs file to inspect the mapped pages. Uses more memory for housekeeping, enable only for debugging. +config DRM_AMDGPU_FORCE_AUTH + bool "Force authentication check on AMDGPU_INFO ioctl" + default y + help + There were some version of the Mesa RADV drivers, which relied on + the ioctl failing, if the client is not authenticated. + + Namely, the following versions are affected: + - the whole 18.2.x series, which is EOL + - the whole 18.3.x series, which is EOL + - the 19.0.x series, prior to 19.0.4 + + Modern distributions, should disable this. That will allow various + other clients to work, that would otherwise require root privileges. + + source "drivers/gpu/drm/amd/acp/Kconfig" source "drivers/gpu/drm/amd/display/Kconfig" source "drivers/gpu/drm/amd/amdkfd/Kconfig" diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c index b17d0545728e..b8076929440b 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c @@ -1214,7 +1214,17 @@ const struct drm_ioctl_desc amdgpu_ioctls_kms[] = { DRM_IOCTL_DEF_DRV(AMDGPU_GEM_MMAP, amdgpu_gem_mmap_ioctl, DRM_AUTH|DRM_RENDER_ALLOW), DRM_IOCTL_DEF_DRV(AMDGPU_GEM_WAIT_IDLE, amdgpu_gem_wait_idle_ioctl, DRM_AUTH|DRM_RENDER_ALLOW), DRM_IOCTL_DEF_DRV(AMDGPU_CS, amdgpu_cs_ioctl, DRM_AUTH|DRM_RENDER_ALLOW), - DRM_IOCTL_DEF_DRV(AMDGPU_INFO, amdgpu_info_ioctl, DRM_AUTH|DRM_RENDER_ALLOW), + /* The DRM_FORCE_AUTH is effectively a workaround for the RADV Mesa driver. + * This is required for Mesa: + * - the whole 18.2.x series, which is EOL + * - the whole 18.3.x series, which is EOL + * - the 19.0.x series, prior to 19.0.4 + */ + DRM_IOCTL_DEF_DRV(AMDGPU_INFO, amdgpu_info_ioctl, +#if defined(DRM_AMDGPU_FORCE_AUTH) + DRM_FORCE_AUTH| +#endif + DRM_AUTH|DRM_RENDER_ALLOW), DRM_IOCTL_DEF_DRV(AMDGPU_WAIT_CS, amdgpu_cs_wait_ioctl, DRM_AUTH|DRM_RENDER_ALLOW), DRM_IOCTL_DEF_DRV(AMDGPU_WAIT_FENCES, amdgpu_cs_wait_fences_ioctl, DRM_AUTH|DRM_RENDER_ALLOW), DRM_IOCTL_DEF_DRV(AMDGPU_GEM_METADATA, amdgpu_gem_metadata_ioctl, DRM_AUTH|DRM_RENDER_ALLOW), diff --git a/drivers/gpu/drm/drm_ioctl.c b/drivers/gpu/drm/drm_ioctl.c index 2263e3ddd822..9841c0076f02 100644 --- a/drivers/gpu/drm/drm_ioctl.c +++ b/drivers/gpu/drm/drm_ioctl.c @@ -544,6 +544,11 @@ int drm_ioctl_permit(u32 flags, struct drm_file *file_priv) drm_is_render_client(file_priv))) return -EACCES; + /* FORCE_AUTH is only for authenticated or render client */ + if (unlikely((flags & DRM_FORCE_AUTH) && !drm_is_render_client(file_priv) && + !file_priv->authenticated)) + return -EACCES; + return 0; } EXPORT_SYMBOL(drm_ioctl_permit); diff --git a/include/drm/drm_ioctl.h b/include/drm/drm_ioctl.h index fafb6f592c4b..6084ee32043d 100644 --- a/include/drm/drm_ioctl.h +++ b/include/drm/drm_ioctl.h @@ -126,6 +126,23 @@ enum drm_ioctl_flags { * not set DRM_AUTH because they do not require authentication. */ DRM_RENDER_ALLOW = BIT(5), + /** + * @DRM_FORCE_AUTH: + * + * Authentication of the primary node is mandatory. Regardless that the + * user can usually circumvent that by using the render node with exact + * same ioctl. + * + * Note: this is effectively a workaround for AMDGPU AMDGPU_INFO ioctl + * and the RADV Mesa driver. This is required for Mesa: + * - the whole 18.2.x series, which is EOL + * - the whole 18.3.x series, which is EOL + * - the 19.0.x series, prior to 19.0.4 + * + * Note: later patch will effectively drop the DRM_AUTH for ioctls + * annotated as DRM_AUTH | DRM_RENDER_ALLOW. + */ + DRM_FORCE_AUTH = BIT(6), }; /**