Hi,
On 11/30/2015 04:00 PM, Daniel Vetter wrote:
> On Mon, Nov 30, 2015 at 04:44:21AM -0800, Thomas Hellstrom wrote:
>> A client calling drmSetMaster() using a file descriptor that was opened
>> when another client was master would inherit the latter client's master
>> object and all it's authenticated clients.
>>
>> This is unwanted behaviour, and when this happens, instead allocate a
>> brand new master object for the client calling drmSetMaster().
>>
>> Signed-off-by: Thomas Hellstrom <thellstrom@xxxxxxxxxx>
> Imo makes sense. It would be great to have a testcase for this, and for
> non-kms stuff igt now has support for generic testcases that can be run on
> any driver. See for example intel-gpu-tools/tests/core_get_auth_client.c.
>
> I or Daniel Stone can help out (on irc or mail) with that.
> -Daniel
Given that this crashes the kernel by vmwgfx throwing a BUG on some
versions of SLE,
while probably all other drivers don't care, except that it's a security
issue, A generic test case involving DRM clients leaking information
between master realms would unfortunately be too resource consuming to
put together for our minimal driver team ;).
Although I used the attached C program run as root to trigger the
behavior and unconditional kernel crash on vmwgfx. On the affected SLE
versions, fd1 would represent Xorg, fd2 would represent plymouthd.
/Thomas
#include <xf86drm.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <stdlib.h>
#include <stdio.h>
int main()
{
int fd1, fd2;
fd1 = open("/dev/dri/card0", O_RDWR);
if (fd1 < 0)
exit(-1);
fd2 = open("/dev/dri/card0", O_RDWR);
if (fd2 < 0)
exit(-1);
(void) drmDropMaster(fd1);
(void) drmSetMaster(fd2);
close(fd2);
close(fd1);
}
_______________________________________________
dri-devel mailing list
dri-devel@xxxxxxxxxxxxxxxxxxxxx
http://lists.freedesktop.org/mailman/listinfo/dri-devel
