Summary: | graphics/drm-devel-kmod: Make sure to allow only appropriate ioctl requests | ||||||
---|---|---|---|---|---|---|---|
Product: | Ports & Packages | Reporter: | Tamas Szakaly <sghctoma> | ||||
Component: | Individual Port(s) | Assignee: | Johannes M Dieterich <jmd> | ||||
Status: | Closed FIXED | ||||||
Severity: | Affects Only Me | CC: | shadow53+freebsd, zeising | ||||
Priority: | --- | Flags: | bugzilla:
maintainer-feedback?
(jmd) |
||||
Version: | Latest | ||||||
Hardware: | Any | ||||||
OS: | Any | ||||||
Attachments: |
|
Thanks for the patch! We are trying to keep the ports themselves patch-free, could you submit a PR against our githubs to ensure that your work also gets carried forward in future DRM imports? Has this been included? Can this be closed? (In reply to Johannes M Dieterich from comment #2) Looks like it got merged upstream: https://github.com/FreeBSDDesktop/kms-drm/pull/93 This looks like it has been fixed. Please re-open this or create a new PR if this is still an issue. |
Created attachment 196939 [details] Patch to reject inappropriate ioctls with EINVAL Overview -- The drm_ioctl function (drivers/gpu/drm/drm_ioctl.c#783) uses DRM_IOCTL_NR(cmd) to determine which ioctl should be called, but it does not check if cmd is actually a valid ioctl for the driver. Steps to Reproduce -- I was trying to determine if a given file descriptor belongs to a drm or an input device, for which I was using two ioctl requests: IOCGVERSION and DRM_IOCTL_VERSION. I expected requesting IOCGVERSION from a drm device would return EINVAL, but it returns 0. This simple PoC demonstrates this behavior: #include <errno.h> #include <fcntl.h> #include <stdio.h> #include <string.h> #include <sys/ioctl.h> #include <dev/evdev/input.h> int main(int argc, char** argv) { int fd = open("/dev/drm/0", O_RDONLY); int dummy = -1; int ret = ioctl(fd, EVIOCGVERSION, &dummy); printf("ret=%d, err=%s, dummy=%d\n", ret, strerror(errno), dummy); } Actual Results -- The above program shows that requesting EVIOCGVERSION from a drm device succeeds: [0x00 ~]$ cc test2.c -o test2 [0x00 ~]$ ./test2 ret=0, err=No error: 0, dummy=0 Expected Results -- The expected result would be a failed ioctl call: [0x00 ~]$ ./test2 ret=-1, err=Invalid argument, dummy=-1 Patch -- This problem exists because DRM_IOCTL_NR(EVIOCGVERSION) = 1, therefore drm_ioctl will use DRM_IOCTL_GET_UNIQUE (because DRM_IOCTL_NR(DRM_IOCTL_GET_UNIQUE) is also 1). The drm_ioctl.c in base compares IOCGROUP(cmd) with DRM_IOCTL_BASE, and returns -EINVAL if they differ. I have copied that comparison to the patch attached.