Ping again.
On 10/24/2019 03:25 PM, Brian Paul wrote:
Ping. Anyone?
-Brian
On Tue, Oct 22, 2019 at 3:52 PM Brian Paul <bri...@vmware.com
<mailto:bri...@vmware.com>> wrote:
A security advisory (TALOS-2019-0857/CVE-2019-5068) found that
creating shared memory regions with permission mode 0777 could allow
any user to access that memory. Several Mesa drivers use shared-
memory XImages to implement back buffers for improved performance.
This path changes the shmget() calls to use 0600 (user r/w).
Tested with legacy Xlib driver and llvmpipe.
Cc: mesa-sta...@lists.freedesktop.org
<mailto:mesa-sta...@lists.freedesktop.org>
---
src/gallium/winsys/sw/dri/dri_sw_winsys.c | 3 ++-
src/gallium/winsys/sw/xlib/xlib_sw_winsys.c | 3 ++-
src/mesa/drivers/x11/xm_buffer.c | 3 ++-
3 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/src/gallium/winsys/sw/dri/dri_sw_winsys.c
b/src/gallium/winsys/sw/dri/dri_sw_winsys.c
index 761f5d1..2e5970b 100644
--- a/src/gallium/winsys/sw/dri/dri_sw_winsys.c
+++ b/src/gallium/winsys/sw/dri/dri_sw_winsys.c
@@ -92,7 +92,8 @@ alloc_shm(struct dri_sw_displaytarget *dri_sw_dt,
unsigned size)
{
char *addr;
- dri_sw_dt->shmid = shmget(IPC_PRIVATE, size, IPC_CREAT|0777);
+ /* 0600 = user read+write */
+ dri_sw_dt->shmid = shmget(IPC_PRIVATE, size, IPC_CREAT | 0600);
if (dri_sw_dt->shmid < 0)
return NULL;
diff --git a/src/gallium/winsys/sw/xlib/xlib_sw_winsys.c
b/src/gallium/winsys/sw/xlib/xlib_sw_winsys.c
index c14c9de..edebb48 100644
--- a/src/gallium/winsys/sw/xlib/xlib_sw_winsys.c
+++ b/src/gallium/winsys/sw/xlib/xlib_sw_winsys.c
@@ -126,7 +126,8 @@ alloc_shm(struct xlib_displaytarget *buf,
unsigned size)
shminfo->shmid = -1;
shminfo->shmaddr = (char *) -1;
- shminfo->shmid = shmget(IPC_PRIVATE, size, IPC_CREAT|0777);
+ /* 0600 = user read+write */
+ shminfo->shmid = shmget(IPC_PRIVATE, size, IPC_CREAT | 0600);
if (shminfo->shmid < 0) {
return NULL;
}
diff --git a/src/mesa/drivers/x11/xm_buffer.c
b/src/mesa/drivers/x11/xm_buffer.c
index d945d8a..0da08a6 100644
--- a/src/mesa/drivers/x11/xm_buffer.c
+++ b/src/mesa/drivers/x11/xm_buffer.c
@@ -89,8 +89,9 @@ alloc_back_shm_ximage(XMesaBuffer b, GLuint width,
GLuint height)
return GL_FALSE;
}
+ /* 0600 = user read+write */
b->shminfo.shmid = shmget(IPC_PRIVATE,
b->backxrb->ximage->bytes_per_line
- * b->backxrb->ximage->height,
IPC_CREAT|0777);
+ * b->backxrb->ximage->height,
IPC_CREAT | 0600);
if (b->shminfo.shmid < 0) {
_mesa_warning(NULL, "shmget failed while allocating back
buffer.\n");
XDestroyImage(b->backxrb->ximage);
--
1.8.5.6
_______________________________________________
mesa-dev mailing list
mesa-dev@lists.freedesktop.org <mailto:mesa-dev@lists.freedesktop.org>
https://lists.freedesktop.org/mailman/listinfo/mesa-dev
<https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.freedesktop.org%2Fmailman%2Flistinfo%2Fmesa-dev&data=02%7C01%7Cbrianp%40vmware.com%7Cae41e27c807a41901c9308d758c8b6f7%7Cb39138ca3cee4b4aa4d6cd83d9dd62f0%7C0%7C0%7C637075491402263356&sdata=FDvN5Y%2BHswpYAfg96qF9sDykW7nn9ubkedWkFTKQTU0%3D&reserved=0>
_______________________________________________
mesa-dev mailing list
mesa-dev@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/mesa-dev
