summaryrefslogtreecommitdiff
path: root/bsd-core
diff options
context:
space:
mode:
authorEric Anholt <anholt@freebsd.org>2005-02-08 04:17:14 +0000
committerEric Anholt <anholt@freebsd.org>2005-02-08 04:17:14 +0000
commit81459d6e50a02b87ed95073659536eefa1e09fdf (patch)
tree92d9d61123ff5f3da299af3cc6a4b7bbd45bcd96 /bsd-core
parentdc4defe742387dc3081557111b67a1ab99455dbb (diff)
Close a race which could allow for privilege escalation by users with DRI
privileges on Radeon hardware. Essentially, a malicious program could submit a packet containing an offset (possibly in main memory) to be rendered from/to, while a separate thread switched that offset in userspace rapidly between a valid value and an invalid one. radeon_check_and_fixup_offset() would pull the offset in from user space, check it, and spit it back out to user space to be copied in later by the emit code. It would sometimes catch the bad value, but sometimes the malicious program could modify it after the check and get an invalid offset rendered from/to. Fix this by allocating a temporary buffer and copying the data in at once. While here, make the cliprects stuff not do the VERIFYAREA_READ and COPY_FROM_USER_UNCHECKED gymnastics, avoiding a lock order reversal on FreeBSD. Performance impact is negligible -- no difference on r200 to ~1% improvement on rv200 in quake3 tests (P4 1Ghz, demofour at 1024x768, n=4 or 5).
Diffstat (limited to 'bsd-core')
-rw-r--r--bsd-core/drmP.h2
1 files changed, 0 insertions, 2 deletions
diff --git a/bsd-core/drmP.h b/bsd-core/drmP.h
index b32a4422..30e6be67 100644
--- a/bsd-core/drmP.h
+++ b/bsd-core/drmP.h
@@ -333,8 +333,6 @@ typedef vaddr_t vm_offset_t;
copyout(arg2, arg1, arg3)
#define DRM_GET_USER_UNCHECKED(val, uaddr) \
((val) = fuword(uaddr), 0)
-#define DRM_PUT_USER_UNCHECKED(uaddr, val) \
- suword(uaddr, val)
#define cpu_to_le32(x) htole32(x)
#define le32_to_cpu(x) le32toh(x)