Re: [Mesa-dev] [PATCH] Call shmget() with permission 0600 instead of 0777

2019-11-12 Thread Kristian Høgsberg
Looks good,

Reviewed-by: Kristian H. Kristensen 

On Tue, Nov 12, 2019 at 10:47 AM Brian Paul  wrote:
>
> Ping again.
>
>
> On 10/24/2019 03:25 PM, Brian Paul wrote:
> > Ping.  Anyone?
> >
> > -Brian
> >
> > On Tue, Oct 22, 2019 at 3:52 PM Brian Paul  > > wrote:
> >
> > A security advisory (TALOS-2019-0857/CVE-2019-5068) found that
> > creating shared memory regions with permission mode 0777 could allow
> > any user to access that memory.  Several Mesa drivers use shared-
> > memory XImages to implement back buffers for improved performance.
> >
> > This patch changes the shmget() calls to use 0600 (user r/w).
> >
> > Tested with legacy Xlib driver and llvmpipe.
> >
> > Cc: mesa-sta...@lists.freedesktop.org
> > 
> > ---
> >   src/gallium/winsys/sw/dri/dri_sw_winsys.c   | 3 ++-
> >   src/gallium/winsys/sw/xlib/xlib_sw_winsys.c | 3 ++-
> >   src/mesa/drivers/x11/xm_buffer.c| 3 ++-
> >   3 files changed, 6 insertions(+), 3 deletions(-)
> >
> > diff --git a/src/gallium/winsys/sw/dri/dri_sw_winsys.c
> > b/src/gallium/winsys/sw/dri/dri_sw_winsys.c
> > index 761f5d1..2e5970b 100644
> > --- a/src/gallium/winsys/sw/dri/dri_sw_winsys.c
> > +++ b/src/gallium/winsys/sw/dri/dri_sw_winsys.c
> > @@ -92,7 +92,8 @@ alloc_shm(struct dri_sw_displaytarget *dri_sw_dt,
> > unsigned size)
> >   {
> >  char *addr;
> >
> > -   dri_sw_dt->shmid = shmget(IPC_PRIVATE, size, IPC_CREAT|0777);
> > +   /* 0600 = user read+write */
> > +   dri_sw_dt->shmid = shmget(IPC_PRIVATE, size, IPC_CREAT | 0600);
> >  if (dri_sw_dt->shmid < 0)
> > return NULL;
> >
> > diff --git a/src/gallium/winsys/sw/xlib/xlib_sw_winsys.c
> > b/src/gallium/winsys/sw/xlib/xlib_sw_winsys.c
> > index c14c9de..edebb48 100644
> > --- a/src/gallium/winsys/sw/xlib/xlib_sw_winsys.c
> > +++ b/src/gallium/winsys/sw/xlib/xlib_sw_winsys.c
> > @@ -126,7 +126,8 @@ alloc_shm(struct xlib_displaytarget *buf,
> > unsigned size)
> >  shminfo->shmid = -1;
> >  shminfo->shmaddr = (char *) -1;
> >
> > -   shminfo->shmid = shmget(IPC_PRIVATE, size, IPC_CREAT|0777);
> > +   /* 0600 = user read+write */
> > +   shminfo->shmid = shmget(IPC_PRIVATE, size, IPC_CREAT | 0600);
> >  if (shminfo->shmid < 0) {
> > return NULL;
> >  }
> > diff --git a/src/mesa/drivers/x11/xm_buffer.c
> > b/src/mesa/drivers/x11/xm_buffer.c
> > index d945d8a..0da08a6 100644
> > --- a/src/mesa/drivers/x11/xm_buffer.c
> > +++ b/src/mesa/drivers/x11/xm_buffer.c
> > @@ -89,8 +89,9 @@ alloc_back_shm_ximage(XMesaBuffer b, GLuint width,
> > GLuint height)
> > return GL_FALSE;
> >  }
> >
> > +   /* 0600 = user read+write */
> >  b->shminfo.shmid = shmget(IPC_PRIVATE,
> > b->backxrb->ximage->bytes_per_line
> > -* b->backxrb->ximage->height,
> > IPC_CREAT|0777);
> > + * b->backxrb->ximage->height,
> > IPC_CREAT | 0600);
> >  if (b->shminfo.shmid < 0) {
> > _mesa_warning(NULL, "shmget failed while allocating back
> > buffer.\n");
> > XDestroyImage(b->backxrb->ximage);
> > --
> > 1.8.5.6
> >
> > ___
> > mesa-dev mailing list
> > mesa-dev@lists.freedesktop.org 
> > https://lists.freedesktop.org/mailman/listinfo/mesa-dev
> > 
> > 
> >
>
> ___
> mesa-dev mailing list
> mesa-dev@lists.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/mesa-dev

Re: [Mesa-dev] [PATCH] Call shmget() with permission 0600 instead of 0777

2019-11-12 Thread Brian Paul

Ping again.


On 10/24/2019 03:25 PM, Brian Paul wrote:

Ping.  Anyone?

-Brian

On Tue, Oct 22, 2019 at 3:52 PM Brian Paul > wrote:


A security advisory (TALOS-2019-0857/CVE-2019-5068) found that
creating shared memory regions with permission mode 0777 could allow
any user to access that memory.  Several Mesa drivers use shared-
memory XImages to implement back buffers for improved performance.

This patch changes the shmget() calls to use 0600 (user r/w).

Tested with legacy Xlib driver and llvmpipe.

Cc: mesa-sta...@lists.freedesktop.org

---
  src/gallium/winsys/sw/dri/dri_sw_winsys.c   | 3 ++-
  src/gallium/winsys/sw/xlib/xlib_sw_winsys.c | 3 ++-
  src/mesa/drivers/x11/xm_buffer.c            | 3 ++-
  3 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/src/gallium/winsys/sw/dri/dri_sw_winsys.c
b/src/gallium/winsys/sw/dri/dri_sw_winsys.c
index 761f5d1..2e5970b 100644
--- a/src/gallium/winsys/sw/dri/dri_sw_winsys.c
+++ b/src/gallium/winsys/sw/dri/dri_sw_winsys.c
@@ -92,7 +92,8 @@ alloc_shm(struct dri_sw_displaytarget *dri_sw_dt,
unsigned size)
  {
     char *addr;

-   dri_sw_dt->shmid = shmget(IPC_PRIVATE, size, IPC_CREAT|0777);
+   /* 0600 = user read+write */
+   dri_sw_dt->shmid = shmget(IPC_PRIVATE, size, IPC_CREAT | 0600);
     if (dri_sw_dt->shmid < 0)
        return NULL;

diff --git a/src/gallium/winsys/sw/xlib/xlib_sw_winsys.c
b/src/gallium/winsys/sw/xlib/xlib_sw_winsys.c
index c14c9de..edebb48 100644
--- a/src/gallium/winsys/sw/xlib/xlib_sw_winsys.c
+++ b/src/gallium/winsys/sw/xlib/xlib_sw_winsys.c
@@ -126,7 +126,8 @@ alloc_shm(struct xlib_displaytarget *buf,
unsigned size)
     shminfo->shmid = -1;
     shminfo->shmaddr = (char *) -1;

-   shminfo->shmid = shmget(IPC_PRIVATE, size, IPC_CREAT|0777);
+   /* 0600 = user read+write */
+   shminfo->shmid = shmget(IPC_PRIVATE, size, IPC_CREAT | 0600);
     if (shminfo->shmid < 0) {
        return NULL;
     }
diff --git a/src/mesa/drivers/x11/xm_buffer.c
b/src/mesa/drivers/x11/xm_buffer.c
index d945d8a..0da08a6 100644
--- a/src/mesa/drivers/x11/xm_buffer.c
+++ b/src/mesa/drivers/x11/xm_buffer.c
@@ -89,8 +89,9 @@ alloc_back_shm_ximage(XMesaBuffer b, GLuint width,
GLuint height)
        return GL_FALSE;
     }

+   /* 0600 = user read+write */
     b->shminfo.shmid = shmget(IPC_PRIVATE,
b->backxrb->ximage->bytes_per_line
-                            * b->backxrb->ximage->height,
IPC_CREAT|0777);
+                             * b->backxrb->ximage->height,
IPC_CREAT | 0600);
     if (b->shminfo.shmid < 0) {
        _mesa_warning(NULL, "shmget failed while allocating back
buffer.\n");
        XDestroyImage(b->backxrb->ximage);
-- 
1.8.5.6








Re: [Mesa-dev] [PATCH] Call shmget() with permission 0600 instead of 0777

2019-10-24 Thread Stuart Young
Not my call, but both of these went into my gmail spam folder for DMARC
failures, so a lot of people might not have seen it.

On Fri, 25 Oct 2019 at 08:25, Brian Paul  wrote:

> Ping.  Anyone?
>
> -Brian
>
> On Tue, Oct 22, 2019 at 3:52 PM Brian Paul  wrote:
>
>> A security advisory (TALOS-2019-0857/CVE-2019-5068) found that
>> creating shared memory regions with permission mode 0777 could allow
>> any user to access that memory.  Several Mesa drivers use shared-
>> memory XImages to implement back buffers for improved performance.
>>
>> This patch changes the shmget() calls to use 0600 (user r/w).
>>
>> Tested with legacy Xlib driver and llvmpipe.
>>
>> Cc: mesa-sta...@lists.freedesktop.org
>> ---
>>  src/gallium/winsys/sw/dri/dri_sw_winsys.c   | 3 ++-
>>  src/gallium/winsys/sw/xlib/xlib_sw_winsys.c | 3 ++-
>>  src/mesa/drivers/x11/xm_buffer.c| 3 ++-
>>  3 files changed, 6 insertions(+), 3 deletions(-)
>>
>> diff --git a/src/gallium/winsys/sw/dri/dri_sw_winsys.c
>> b/src/gallium/winsys/sw/dri/dri_sw_winsys.c
>> index 761f5d1..2e5970b 100644
>> --- a/src/gallium/winsys/sw/dri/dri_sw_winsys.c
>> +++ b/src/gallium/winsys/sw/dri/dri_sw_winsys.c
>> @@ -92,7 +92,8 @@ alloc_shm(struct dri_sw_displaytarget *dri_sw_dt,
>> unsigned size)
>>  {
>> char *addr;
>>
>> -   dri_sw_dt->shmid = shmget(IPC_PRIVATE, size, IPC_CREAT|0777);
>> +   /* 0600 = user read+write */
>> +   dri_sw_dt->shmid = shmget(IPC_PRIVATE, size, IPC_CREAT | 0600);
>> if (dri_sw_dt->shmid < 0)
>>return NULL;
>>
>> diff --git a/src/gallium/winsys/sw/xlib/xlib_sw_winsys.c
>> b/src/gallium/winsys/sw/xlib/xlib_sw_winsys.c
>> index c14c9de..edebb48 100644
>> --- a/src/gallium/winsys/sw/xlib/xlib_sw_winsys.c
>> +++ b/src/gallium/winsys/sw/xlib/xlib_sw_winsys.c
>> @@ -126,7 +126,8 @@ alloc_shm(struct xlib_displaytarget *buf, unsigned
>> size)
>> shminfo->shmid = -1;
>> shminfo->shmaddr = (char *) -1;
>>
>> -   shminfo->shmid = shmget(IPC_PRIVATE, size, IPC_CREAT|0777);
>> +   /* 0600 = user read+write */
>> +   shminfo->shmid = shmget(IPC_PRIVATE, size, IPC_CREAT | 0600);
>> if (shminfo->shmid < 0) {
>>return NULL;
>> }
>> diff --git a/src/mesa/drivers/x11/xm_buffer.c
>> b/src/mesa/drivers/x11/xm_buffer.c
>> index d945d8a..0da08a6 100644
>> --- a/src/mesa/drivers/x11/xm_buffer.c
>> +++ b/src/mesa/drivers/x11/xm_buffer.c
>> @@ -89,8 +89,9 @@ alloc_back_shm_ximage(XMesaBuffer b, GLuint width,
>> GLuint height)
>>return GL_FALSE;
>> }
>>
>> +   /* 0600 = user read+write */
>> b->shminfo.shmid = shmget(IPC_PRIVATE,
>> b->backxrb->ximage->bytes_per_line
>> -* b->backxrb->ximage->height,
>> IPC_CREAT|0777);
>> + * b->backxrb->ximage->height, IPC_CREAT |
>> 0600);
>> if (b->shminfo.shmid < 0) {
>>_mesa_warning(NULL, "shmget failed while allocating back
>> buffer.\n");
>>XDestroyImage(b->backxrb->ximage);
>> --
>> 1.8.5.6
>>
>> ___
>> mesa-dev mailing list
>> mesa-dev@lists.freedesktop.org
>> https://lists.freedesktop.org/mailman/listinfo/mesa-dev
>
> ___
> mesa-dev mailing list
> mesa-dev@lists.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/mesa-dev



-- 
Stuart Young (aka Cefiar)

Re: [Mesa-dev] [PATCH] Call shmget() with permission 0600 instead of 0777

2019-10-24 Thread Brian Paul
Ping.  Anyone?

-Brian

On Tue, Oct 22, 2019 at 3:52 PM Brian Paul  wrote:

> A security advisory (TALOS-2019-0857/CVE-2019-5068) found that
> creating shared memory regions with permission mode 0777 could allow
> any user to access that memory.  Several Mesa drivers use shared-
> memory XImages to implement back buffers for improved performance.
>
> This patch changes the shmget() calls to use 0600 (user r/w).
>
> Tested with legacy Xlib driver and llvmpipe.
>
> Cc: mesa-sta...@lists.freedesktop.org
> ---
>  src/gallium/winsys/sw/dri/dri_sw_winsys.c   | 3 ++-
>  src/gallium/winsys/sw/xlib/xlib_sw_winsys.c | 3 ++-
>  src/mesa/drivers/x11/xm_buffer.c| 3 ++-
>  3 files changed, 6 insertions(+), 3 deletions(-)
>
> diff --git a/src/gallium/winsys/sw/dri/dri_sw_winsys.c
> b/src/gallium/winsys/sw/dri/dri_sw_winsys.c
> index 761f5d1..2e5970b 100644
> --- a/src/gallium/winsys/sw/dri/dri_sw_winsys.c
> +++ b/src/gallium/winsys/sw/dri/dri_sw_winsys.c
> @@ -92,7 +92,8 @@ alloc_shm(struct dri_sw_displaytarget *dri_sw_dt,
> unsigned size)
>  {
> char *addr;
>
> -   dri_sw_dt->shmid = shmget(IPC_PRIVATE, size, IPC_CREAT|0777);
> +   /* 0600 = user read+write */
> +   dri_sw_dt->shmid = shmget(IPC_PRIVATE, size, IPC_CREAT | 0600);
> if (dri_sw_dt->shmid < 0)
>return NULL;
>
> diff --git a/src/gallium/winsys/sw/xlib/xlib_sw_winsys.c
> b/src/gallium/winsys/sw/xlib/xlib_sw_winsys.c
> index c14c9de..edebb48 100644
> --- a/src/gallium/winsys/sw/xlib/xlib_sw_winsys.c
> +++ b/src/gallium/winsys/sw/xlib/xlib_sw_winsys.c
> @@ -126,7 +126,8 @@ alloc_shm(struct xlib_displaytarget *buf, unsigned
> size)
> shminfo->shmid = -1;
> shminfo->shmaddr = (char *) -1;
>
> -   shminfo->shmid = shmget(IPC_PRIVATE, size, IPC_CREAT|0777);
> +   /* 0600 = user read+write */
> +   shminfo->shmid = shmget(IPC_PRIVATE, size, IPC_CREAT | 0600);
> if (shminfo->shmid < 0) {
>return NULL;
> }
> diff --git a/src/mesa/drivers/x11/xm_buffer.c
> b/src/mesa/drivers/x11/xm_buffer.c
> index d945d8a..0da08a6 100644
> --- a/src/mesa/drivers/x11/xm_buffer.c
> +++ b/src/mesa/drivers/x11/xm_buffer.c
> @@ -89,8 +89,9 @@ alloc_back_shm_ximage(XMesaBuffer b, GLuint width,
> GLuint height)
>return GL_FALSE;
> }
>
> +   /* 0600 = user read+write */
> b->shminfo.shmid = shmget(IPC_PRIVATE,
> b->backxrb->ximage->bytes_per_line
> -* b->backxrb->ximage->height, IPC_CREAT|0777);
> + * b->backxrb->ximage->height, IPC_CREAT |
> 0600);
> if (b->shminfo.shmid < 0) {
>_mesa_warning(NULL, "shmget failed while allocating back
> buffer.\n");
>XDestroyImage(b->backxrb->ximage);
> --
> 1.8.5.6
>
> ___
> mesa-dev mailing list
> mesa-dev@lists.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/mesa-dev

[Mesa-dev] [PATCH] Call shmget() with permission 0600 instead of 0777

2019-10-22 Thread Brian Paul
A security advisory (TALOS-2019-0857/CVE-2019-5068) found that
creating shared memory regions with permission mode 0777 could allow
any user to access that memory.  Several Mesa drivers use shared-
memory XImages to implement back buffers for improved performance.

This patch changes the shmget() calls to use 0600 (user r/w).

Tested with legacy Xlib driver and llvmpipe.

Cc: mesa-sta...@lists.freedesktop.org
---
 src/gallium/winsys/sw/dri/dri_sw_winsys.c   | 3 ++-
 src/gallium/winsys/sw/xlib/xlib_sw_winsys.c | 3 ++-
 src/mesa/drivers/x11/xm_buffer.c| 3 ++-
 3 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/src/gallium/winsys/sw/dri/dri_sw_winsys.c 
b/src/gallium/winsys/sw/dri/dri_sw_winsys.c
index 761f5d1..2e5970b 100644
--- a/src/gallium/winsys/sw/dri/dri_sw_winsys.c
+++ b/src/gallium/winsys/sw/dri/dri_sw_winsys.c
@@ -92,7 +92,8 @@ alloc_shm(struct dri_sw_displaytarget *dri_sw_dt, unsigned 
size)
 {
char *addr;
 
-   dri_sw_dt->shmid = shmget(IPC_PRIVATE, size, IPC_CREAT|0777);
+   /* 0600 = user read+write */
+   dri_sw_dt->shmid = shmget(IPC_PRIVATE, size, IPC_CREAT | 0600);
if (dri_sw_dt->shmid < 0)
   return NULL;
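Review bot: The added comment `/* 0600 = user read+write */` restates the octal value but does not say why the mode has to stay restrictive, and the same literal and comment are repeated in the xlib_sw_winsys.c and xm_buffer.c hunks. I would word it as `/* 0600: owner-only; a world-accessible segment lets any local user attach and read or modify the buffer (CVE-2019-5068) */` so the mode is not loosened again by a later cleanup. A single named constant shared by the three call sites would also keep them from drifting apart. alloc_shm() continues past the end of this hunk, so how the segment is attached and released afterwards is not visible here.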
 
diff --git a/src/gallium/winsys/sw/xlib/xlib_sw_winsys.c 
b/src/gallium/winsys/sw/xlib/xlib_sw_winsys.c
index c14c9de..edebb48 100644
--- a/src/gallium/winsys/sw/xlib/xlib_sw_winsys.c
+++ b/src/gallium/winsys/sw/xlib/xlib_sw_winsys.c
@@ -126,7 +126,8 @@ alloc_shm(struct xlib_displaytarget *buf, unsigned size)
shminfo->shmid = -1;
shminfo->shmaddr = (char *) -1;
 
-   shminfo->shmid = shmget(IPC_PRIVATE, size, IPC_CREAT|0777);
+   /* 0600 = user read+write */
+   shminfo->shmid = shmget(IPC_PRIVATE, size, IPC_CREAT | 0600);
if (shminfo->shmid < 0) {
   return NULL;
}
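Review bot: With mode 0600 on the segment stored in `shminfo->shmid`, only a process running as the creating user (or a privileged one) can attach it, and this id is presumably handed to the X server later in alloc_shm(), which lies outside the hunk. The description lists the legacy Xlib driver and llvmpipe as tested but does not say whether a server running under a different unprivileged uid was tried, so it is worth confirming that a failed server-side attach falls back to the non-shared-memory path instead of leaving a half-initialised display target. A short comment next to the call, for example `/* owner-only: the X server must run as this user or be privileged to attach */`, would record that constraint.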
diff --git a/src/mesa/drivers/x11/xm_buffer.c b/src/mesa/drivers/x11/xm_buffer.c
index d945d8a..0da08a6 100644
--- a/src/mesa/drivers/x11/xm_buffer.c
+++ b/src/mesa/drivers/x11/xm_buffer.c
@@ -89,8 +89,9 @@ alloc_back_shm_ximage(XMesaBuffer b, GLuint width, GLuint 
height)
   return GL_FALSE;
}
 
+   /* 0600 = user read+write */
b->shminfo.shmid = shmget(IPC_PRIVATE, b->backxrb->ximage->bytes_per_line
-* b->backxrb->ximage->height, IPC_CREAT|0777);
+ * b->backxrb->ximage->height, IPC_CREAT | 0600);
if (b->shminfo.shmid < 0) {
   _mesa_warning(NULL, "shmget failed while allocating back buffer.\n");
   XDestroyImage(b->backxrb->ximage);
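Review bot: The size passed to shmget() is still `b->backxrb->ximage->bytes_per_line * b->backxrb->ximage->height`, which is evaluated in the type of those fields before it is converted to the size_t parameter; if this is the stock Xlib XImage, both are int, so a large enough back buffer can overflow the product and request a segment smaller than the image. Since the patch already touches this expression, widening it first would close that gap: `(size_t) b->backxrb->ximage->bytes_per_line * b->backxrb->ximage->height`. The width and height checks in alloc_back_shm_ximage() sit above the hunk, so whether they already bound the product cannot be seen from here.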
-- 
1.8.5.6
