Now that the driver paints usable pictures without lockups on many cards,
including AGP versions of X800 and Mobility M10, it would make sense to
ready it for inclusion into the main DRI codebase.

I do not think that elusive lockups of Radeon 9800 cards, or issues with
PowerPC, will require any drastic changes.

As we discussed earlier, the major reason against inclusion into
mainstream DRI CVS is that the driver is not secure in its current state.

Below, I will attempt to list current known issues - please reply with
your additions.

* r300_emit_unchecked_state - it is not as unchecked as it has been
  initially, however a few poorly checked registers remain:

  from r300_cmdbuf.c:

      ADD_RANGE(R300_RB3D_COLOROFFSET0, 1); /* Dangerous */
      ADD_RANGE(R300_RB3D_COLORPITCH0, 1); /* Dangerous */
      /* .. snip ... */
      ADD_RANGE(R300_RB3D_DEPTHOFFSET, 2); /* Dangerous */

  In principle an attacker can set these to point to AGP or system
  RAM and then cause a paint operation to overwrite a particular
  memory range.

  Ideally we should check that these point inside the framebuffer,
  i.e. are within the range specified by the MC_FB_LOCATION register.

      /* Texture offset is dangerous and needs more checking */
      ADD_RANGE(R300_TX_OFFSET_0, 16);

  I don't think texture offsets are ever written to, however if they
  point in the wrong place they can be used to read memory directly.

  Ideally we would check these to be within either the MC_FB_LOCATION
  or MC_AGP_LOCATION ranges. Problem is, what do we do on PCI cards?
  Use AIC controller settings?

* r300_emit_raw - we do not have code that checks any of the buffered 3d
  packets, in particular VBUF_2, IMMD_2, INDX_2 and INDX_BUFFER.

  I think that none of these can be exploited except to cause a lockup -
  please correct me if I am wrong.

* r300_emit_raw - RADEON_3D_LOAD_VBPNTR - this sets offsets and so,
  like texture offset registers, could be exploited to read protected
  memory locations.

  Again, we need to check the offsets against something reasonable.

* anything I forgot?

best
Vladimir Dergachev
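
The range checks proposed in the message above, as an added sketch that is not part of the original post or of the r300 driver. All type and function names and the `len` extent parameter are hypothetical, and the register packing (start in the low 16 bits, top in the high 16 bits, 64 KiB units) is an assumption about MC_FB_LOCATION / MC_AGP_LOCATION:

```c
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical helper type: an inclusive card-address range. */
struct mc_range { uint32_t start; uint32_t end; };

/* Assumed layout: bits 15:0 = start >> 16, bits 31:16 = top >> 16. */
static struct mc_range mc_decode(uint32_t reg)
{
    struct mc_range r;
    r.start = (reg & 0xffffu) << 16;
    r.end   = (reg & 0xffff0000u) | 0xffffu;
    return r;
}

/* True if [off, off + len) lies wholly inside r. The comparison is
 * arranged so that off + len is never computed and cannot wrap. */
static bool in_range(struct mc_range r, uint32_t off, uint32_t len)
{
    if (r.end < r.start || len == 0)
        return false;
    if (off < r.start || off > r.end)
        return false;
    return len - 1 <= r.end - off;
}

/* Colour and depth buffer offsets are written by the GPU:
 * accept them only inside the framebuffer range. */
bool check_target_offset(uint32_t mc_fb, uint32_t off, uint32_t len)
{
    return in_range(mc_decode(mc_fb), off, len);
}

/* Texture and vertex array offsets are read by the GPU:
 * accept the framebuffer or the AGP aperture, nothing else. */
bool check_source_offset(uint32_t mc_fb, uint32_t mc_agp,
                         uint32_t off, uint32_t len)
{
    return in_range(mc_decode(mc_fb), off, len) ||
           in_range(mc_decode(mc_agp), off, len);
}
```

The PCI case raised in the message is not covered; a third range would have to be supplied for it.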