I reviewed vulkan-loader version 1.1.101.0-2_amd64 as checked into disco. This shouldn't be considered a full security audit but rather a quick check of maintainability.
- No CVE history in our database
- vulkan-loader provides support for loading the main vulkan library, handling layer and driver management including multi-gpu support to dispatch API calls to the correct driver and layer.
- Depends: debhelper, cmake, googletest, libwayland-dev, libx11-dev, libxcb1-dev, libxrandr-dev, pkg-config, python3
- Does not itself do networking
- No cryptography
- Does not daemonize
- No pre/post inst/rm
- No init scripts
- No dbus services
- No setuid files
- No binaries in the PATH
- No sudo fragments
- No udev rules
- A test suite is run during the build (as noted in the log, 23 of the tests fail due to missing vulkan driver but as this is expected this is not a concern)
- No cron jobs
- 3 warnings in build logs about memory allocation functions which declare as returning void * but are used for functions which expect an unsigned long * return value - these can safely be ignored
- No cppcheck warnings
- No subprocesses spawned
- Memory management is very careful in general, however I noticed that the loader allocates a buffer on stack for reading in ICD JSON descriptions - this uses the length of the JSON file as the length of the buffer to allocate and since these files can be user controlled it could be relatively easily exploited by dropping a very large JSON file to overrun the stack (since uses alloca() internally which has undefined behaviour if stack is overflown) - this might be worth investigating further but is really only a denial of service issue so not a high priority and no chance of privilege escalation etc
- Otherwise most memory management is quite careful, allocation return values are checked for failure, buffer lengths are checked, string lengths are checked and handled correctly etc.
- Does not itself do file IO beyond reading JSON as described above
- Logging is careful
- Uses the following environment variables:
  - VK_LOADER_DISABLE_INST_EXT_FILTER
  - VK_LOADER_DEBUG
  - XDG_CONFIG_DIRS
  - XDG_DATA_DIRS
  - XDG_DATA_HOME
  - HOME
- No privileged code sections
- No privileged functions
- No networking
- No temp files
- No WebKit
- No PolKit

Security team ACK for promoting vulkan-loader to main for disco.

** Changed in: vulkan-loader (Ubuntu)
     Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

https://bugs.launchpad.net/bugs/1742711

Title:
  MIR: vulkan-loader
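
The stack-allocation concern raised in the review, as an added example (not code from vulkan-loader or from the reviewer): a bounded heap read that rejects an oversized file before allocating anything. The names `read_manifest` and `demo` and the 1 MiB cap `MAX_MANIFEST_BYTES` are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>

#define MAX_MANIFEST_BYTES (1024L * 1024L) /* hypothetical cap, not the loader's */
enum read_status { READ_OK, READ_IO_ERROR, READ_TOO_LARGE, READ_NO_MEMORY };

/* Pattern flagged in the review: buf = alloca(file_len + 1), sized by the file.
 * Bounded form: reject oversized input, then allocate on the heap, where
 * failure is a checkable NULL instead of undefined behaviour. */
enum read_status read_manifest(FILE *f, long max_len, char **out)
{
    long len;
    char *buf;

    *out = NULL;
    if (fseek(f, 0L, SEEK_END) != 0 || (len = ftell(f)) < 0 ||
        fseek(f, 0L, SEEK_SET) != 0)
        return READ_IO_ERROR;
    if (len > max_len)
        return READ_TOO_LARGE;      /* refuse before allocating anything */
    if ((buf = malloc((size_t)len + 1)) == NULL)
        return READ_NO_MEMORY;
    if (fread(buf, 1, (size_t)len, f) != (size_t)len) {
        free(buf);
        return READ_IO_ERROR;
    }
    buf[len] = '\0';                /* in bounds: len + 1 bytes allocated */
    *out = buf;
    return READ_OK;
}

/* Reads a constructed n-byte temporary file under the given cap. */
enum read_status demo(long n, long cap)
{
    FILE *f = tmpfile();
    char *buf = NULL;
    enum read_status rc;

    if (f == NULL)
        return READ_IO_ERROR;
    for (long i = 0; i < n; i++) fputc(' ', f);
    rc = read_manifest(f, cap, &buf);
    free(buf);
    fclose(f);
    return rc;
}

int main(void)
{
    printf("oversized -> %d\n", demo(2 * MAX_MANIFEST_BYTES, MAX_MANIFEST_BYTES));
    return 0;
}
```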