Re: bktr(4) risk?

---

• From: John-Mark Gurney <gurney_j@xxxxxxxxxxxxxxxxxx>
• Date: Mon, 9 Oct 2006 16:26:50 -0700

---

Jonathan Chen wrote this message on Mon, Oct 09, 2006 at 17:37 -0400:

While trying to resurrect meteor(4), I've been looking over the bktr
driver. It seems that the bktr driver implements the METEORSVIDEO ioctl,
which appears to allow userland programs to specify a physical memory
address to which the bktr hardware should dump it's output. At first

Yes, it does...

glance, this seems like a rather bad idea, as this would allow anyone armed
with the bktr file descriptor to arbitrarily trash any memory, and the bktr
device comes with a friendly default permission of 0444.

The only reason I can think of to use this ioctl would be if you wanted the
image you're capturing to be directly dumped into video memory. This

This is very common... It allows the bktr driver to dump the frames
directly to the memory of your video card... This makes watching live
tv watchable...

doesn't seem too useful a task for a video capture card to be doing.
Perhaps we should put a test for write access in there or just eliminate
the ioctl altogether. It should be noted that the meteor driver had this
ioctl ifdef'ed out prior to its removal.

Hmmm... I think I'll go ahead and put in a compatibility ioctl based
on the way I did the zoran driver, and schedule the removal of the
ioctl..

Disclaimer: I don't have access to a bktr myself, nor am I very familiar
with the intricacies of DMA, so someone with the expertise or the hardware
should check my reasoning or test an exploit before panicing.

--
John-Mark Gurney Voice: +1 415 225 5579

"All that I will do, has been done, All that I have, has not."
_______________________________________________
freebsd-hackers@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@xxxxxxxxxxx"

---

• Follow-Ups:
  • Re: bktr(4) risk?
    • From: Daniel O'Connor
  • Re: bktr(4) risk?
    • From: Jonathan Chen

• References:
  • bktr(4) risk?
    • From: Jonathan Chen

• Prev by Date: bktr(4) risk?
• Next by Date: Re: bktr(4) risk?
• Previous by thread: bktr(4) risk?
• Next by thread: Re: bktr(4) risk?
• Index(es):
  • Date
  • Thread

---

Relevant Pages Re: communication between user mode and kernel mode ... You have the application send down the chunk of memory on an IOCTL ... Windows 2k/XP/2k3 Filesystem and Driver Consulting ... (microsoft.public.development.device.drivers) bktr(4) risk? ... I've been looking over the bktr ... It seems that the bktr driver implements the METEORSVIDEO ioctl, ... The only reason I can think of to use this ioctl would be if you wanted the ... (freebsd-hackers) Re: WDF-newbie: Sharing memory between application and driver? ... I need to share memory between application and my driver. ... So I pass a buffer pointer to the driver via an IoCtl. ... My driver allocates kernel memory with ExAllocatePoolWithTag. ... (microsoft.public.development.device.drivers) Re: IOCTL_GET_TUPLE_DATA from CardBus PC Card ... >> in user caller. ... In driver the out answer buffer was empty. ... do you send the ioctl to your device driver instead of the pcmcia.sys?! ... My driver gets the memory ... (microsoft.public.development.device.drivers) WDF-newbie: Sharing memory between application and driver? ... I'm porting an old driver from Compuware Driver::Works to WDF. ... So I pass a buffer pointer to the driver via an IoCtl. ... My driver allocates kernel memory with ExAllocatePoolWithTag. ... The Application issues an IoCtl and wants to receive a pointer to the memory. ... (microsoft.public.development.device.drivers)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• Mailing-Lists
• Newsgroups
• About
• Privacy
• Search
• Imprint

unix.derkeiler.com  > Mailing-Lists  > FreeBSD  > hackers  > 2006-10