On 09/09/2015 05:07 PM, Daniel Vetter wrote:
> On Wed, Sep 9, 2015 at 6:03 PM, Tvrtko Ursulin
> <tvrtko.ursulin at linux.intel.com> wrote:
>> It was just an example of a class of vulnerabilities which would be possible
>> with these changes. If they, as you said, will preserve the last frame on
>> screen when the compositor crashes.
>
> If your compositor crashes something should take over, either fbdev
> (which force-restores) or a new compositor (system one or just the one
> that crashed, restarted). And on modern userspace logind has copies of
> the fds which it uses to make sure privileges (i.e. master rights)
> don't escape to the wrong person.

The famous "should". fbdev is going out no? And attack just needs to
prevent compositor from starting again. Or a bug somewhere needs to do that.

Fact remains, before this = black screen, after this = last frame with
bank details or similar. Change makes the scenario more likely, so what
is the justification? Only that modeset is hard on framebuffer owner exiting?

>> For me this is serious enough not to go this route.
>
> If that doesn't happen you have yet another bug in userspace. I don't
> think there's a real problem really.

If white hats had the imagination of black hats there would be no
problems whatsoever. :)

Tvrtko