gabriel rosenkoetter on Thu, 11 Oct 2001 15:24:27 -0400

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] Postscript, Ghostscript, and pdf

On Thu, Oct 11, 2001 at 02:03:55PM -0400, Kevin Brosius wrote:
> Very few XFree86 drivers have access to DMA (and of the _one_ I can
> think of, it only does that on Linux.)  What did you really mean to say?

What you say is contradicted by

  By default NetBSD include the BSD 4.4 kernel security feature that
  disable access to the /dev/mem device when in multi-users mode.
  But XFree86 servers can take advantage (or require)
  linear access to the display memory.
>>Most XFree86 4.1.0 card drivers require linear memory access.
  There are two ways to allow XFree86 to access linear memory:
  The first way is to disable the kernel security feature by adding
  ``option INSECURE'' in the kernel configuration file and build a
  new kernel.

It's most obvious in NetBSD merely as a result of any (secure) 4.4
BSD kernel's securelevel feature. It is necessary to leave the
kernel in securelevel 0 (linear access to memory in order to get
blit images to the graphic card's DMA quickly, so not *precisely*
what I said, but the point is the same) in order for XF86 to work.

They go on to suggest that the other option is to use their aperature
driver (a kernel module) which allows only one process to have linear
memory access at a time, but this is tantamount to the same thing
as a userland process can take over the console extremely easily,
relative to how easily it can get kernel-level access to memory when
the kernel is at securelevel 1 (it's impossible to do so without
finding a buffer overflow in a syscall exported by the kernel, and
it'd be pretty damn hard even then). And don't even get me started
on how I feel about adding third-party LKMs to my kernel as a
"security measure".

It should be noted that it is *not* necessary to open this security
hole in order to run X11R6. None of the Xmac68k, Xsparc[64],
Xsgimips, and Xmacppc servers (all internally developed for NetBSD)
need this.

The fact that Linux doesn't have securelevels doesn't mean it
doesn't have this problem; it means there's no way for it *not* to
have this problem. Linear access to memory from userland (which
*includes* root) is bad, the reasons for which I hope are obvious.

(Think about unlocked private keys, in-transit IPSec sessions, do I
need to go on?)

       ~ g r @

Attachment: pgpv7lIErtJib.pgp
Description: PGP signature