[rfc] VIA dri and security.

Keith Whitwell keith at tungstengraphics.com
Mon Oct 11 01:17:39 PDT 2004


Thomas Hellström wrote:
> Hi!
> 
> Sorry for the double posting. This is a thing that needs to be discussed 
> in both communities.
> 
> The via DRM has started it's journey into the linus kernel, but the 3D 
> driver / DDX still suffers
> from a security flaw:
> 
> When the MMIO area is exported read-write it is assumed possible for a 
> dri client to manipulate registers to
> blit otherwise protected areas of the system memory to video memory. It 
> is the DDX that tells the DRM whether to export the MMIO area read-only 
> or read-write. The OpenGL 3D driver unichrome_dri.so currently needs 
> write access to this area, until someone fixes it up to use register 
> writing ioctls now present in the via drm.
> 
> The obvious fix is for the DDX to tell DRM to export the MMIO area as 
> read-only. In this way a normal user would get a segfault when trying to 
> run accelerated OpenGL, while it would work as root.


This sort of thing has been discussed in the past, going all the way back to 
UtahGLX, which had a root-only direct rendering system of sorts.

The trouble with doing this, and this was well established in UtahGLX, is that 
if you make a high-performance path available only to root, you get people 
running as root when they ordinarily wouldn't do so in order to access that 
performance path.  Specifically, you're encouraging people to run binary-only 
games & toys with full superuser permissions.

This is actually worse than a DRM model with theoretical insecurities - under 
that model a program would have to be cleverly crafted to expose and exploit 
the insecurity.  Under this "run games as root" model, all of a sudden games 
have to be cleverly crafted and audited to *avoid* exposing insecurities...

Nobody has done a security audit on q3 that would allow you to feel 
comfortable running it as root, to my knowledge...

Keith



More information about the xorg mailing list