Re: [patch] Staging: tidspbridge: make mmap root-only so it is not a security problem
From: Pali RohÃr
Date: Sun Dec 01 2013 - 04:47:41 EST
On Sunday 01 December 2013 04:45:01 Greg KH wrote:
> On Sat, Nov 30, 2013 at 11:58:23PM +0100, Pavel Machek wrote:
> > On Sat 2013-11-30 14:05:53, Greg KH wrote:
> > > On Sat, Nov 30, 2013 at 09:42:37PM +0100, Pavel Machek wrote:
> > > > mmap in tidspbridge is missing range-checks. For now,
> > > > make this interface root-only, so that it does not
> > > > cause security problems.
> > >
> > > Please fix this properly and don't paper over the real
> > > problem here.
> >
> > Well, if the driver is left uncompilable, I'm pretty sure it
> > will bitrot.
> >
> > I do have the hardware, but I'm pretty sure current mailine
> > does not have enough support to boot Maemo, so it is non
> > trivial for me to test changes here.
> >
> > And yes, I'd like to get N900 to better shape, but there's
> > more urgent work to do there. Such as "make sure N900 still
> > boots once omap moves away from device files".
> >
> > [It seems like check should be that
> >
> > vma->vm_pgoff << PAGE_SHIFT >= pdata->phys_mempool_base and
> > vma->vm_end - vma->vm_start + (vma->vm_pgoff << PAGE_SHIFT -
> > pdata->phys_mempool_base) <= pdata->phys_mempool_size .
> >
> > But... this is some kind of DSP coprocessor, and I am not
> > sure if just exposing its address space to untrusted
> > processes is good idea.
> >
> > Heck, are you sure this is security problem in the first
> > place? Yes, it is unchecked mmap. So what? If the device is
> > 600 root.root, and if the DSP can take over main system,
> >
> > if (!capable(CAP_SYS_RAWIO))
> >
> > return -EPERM;
>
> Will that break userspace? Who opens and mmaps this device?
> If you don't know if users do this, how can you say this
> patch isn't going to break things just as much as not having
> the driver there at all?
>
> thanks,
>
> greg k-h
Maemo and harmattan userspace using gst-dsp (gstreamer plugin)
for using tidspbridge. It opening /dev/DspBridge and then it calling:
mmap(NULL, seg->size, PROT_READ | PROT_WRITE, MAP_SHARED | 0x2000 /* MAP_LOCKED */, handle, seg->base_pa);
Because it is gstreamer plugin, every application can use it (under non root too).
Can you check if above problematic kernel code is what this gst-dsp mmap calling?
--
Pali RohÃr
pali.rohar@xxxxxxxxx
Attachment:
signature.asc
Description: This is a digitally signed message part.