Ping. Anyone? -Brian
On Tue, Oct 22, 2019 at 3:52 PM Brian Paul <bri...@vmware.com> wrote: > A security advisory (TALOS-2019-0857/CVE-2019-5068) found that > creating shared memory regions with permission mode 0777 could allow > any user to access that memory. Several Mesa drivers use shared- > memory XImages to implement back buffers for improved performance. > > This patch changes the shmget() calls to use 0600 (user r/w). > > Tested with legacy Xlib driver and llvmpipe. > > Cc: mesa-sta...@lists.freedesktop.org > --- > src/gallium/winsys/sw/dri/dri_sw_winsys.c | 3 ++- > src/gallium/winsys/sw/xlib/xlib_sw_winsys.c | 3 ++- > src/mesa/drivers/x11/xm_buffer.c | 3 ++- > 3 files changed, 6 insertions(+), 3 deletions(-) > > diff --git a/src/gallium/winsys/sw/dri/dri_sw_winsys.c > b/src/gallium/winsys/sw/dri/dri_sw_winsys.c > index 761f5d1..2e5970b 100644 > --- a/src/gallium/winsys/sw/dri/dri_sw_winsys.c > +++ b/src/gallium/winsys/sw/dri/dri_sw_winsys.c > @@ -92,7 +92,8 @@ alloc_shm(struct dri_sw_displaytarget *dri_sw_dt, > unsigned size) > { > char *addr; > > - dri_sw_dt->shmid = shmget(IPC_PRIVATE, size, IPC_CREAT|0777); > + /* 0600 = user read+write */ > + dri_sw_dt->shmid = shmget(IPC_PRIVATE, size, IPC_CREAT | 0600); > if (dri_sw_dt->shmid < 0) > return NULL; > > diff --git a/src/gallium/winsys/sw/xlib/xlib_sw_winsys.c > b/src/gallium/winsys/sw/xlib/xlib_sw_winsys.c > index c14c9de..edebb48 100644 > --- a/src/gallium/winsys/sw/xlib/xlib_sw_winsys.c > +++ b/src/gallium/winsys/sw/xlib/xlib_sw_winsys.c > @@ -126,7 +126,8 @@ alloc_shm(struct xlib_displaytarget *buf, unsigned > size) > shminfo->shmid = -1; > shminfo->shmaddr = (char *) -1; > > - shminfo->shmid = shmget(IPC_PRIVATE, size, IPC_CREAT|0777); > + /* 0600 = user read+write */ > + shminfo->shmid = shmget(IPC_PRIVATE, size, IPC_CREAT | 0600); > if (shminfo->shmid < 0) { > return NULL; > } > diff --git a/src/mesa/drivers/x11/xm_buffer.c > b/src/mesa/drivers/x11/xm_buffer.c > index d945d8a..0da08a6 100644 
> --- a/src/mesa/drivers/x11/xm_buffer.c > +++ b/src/mesa/drivers/x11/xm_buffer.c > @@ -89,8 +89,9 @@ alloc_back_shm_ximage(XMesaBuffer b, GLuint width, > GLuint height) > return GL_FALSE; > } > > + /* 0600 = user read+write */ > b->shminfo.shmid = shmget(IPC_PRIVATE, > b->backxrb->ximage->bytes_per_line > - * b->backxrb->ximage->height, IPC_CREAT|0777); > + * b->backxrb->ximage->height, IPC_CREAT | > 0600); > if (b->shminfo.shmid < 0) { > _mesa_warning(NULL, "shmget failed while allocating back > buffer.\n"); > XDestroyImage(b->backxrb->ximage); > -- > 1.8.5.6 > > _______________________________________________ > mesa-dev mailing list > mesa-dev@lists.freedesktop.org > https://lists.freedesktop.org/mailman/listinfo/mesa-dev
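Review bot: in the dri_sw_winsys.c hunk, the new comment `/* 0600 = user read+write */` above the shmget() call restates the constant but gives no reason for it. Consider naming the advisory from the commit message (CVE-2019-5068) in the comment, or spelling the mode as `S_IRUSR | S_IWUSR`, so that a later cleanup does not widen it back to 0777.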
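Review bot: in the xlib_sw_winsys.c hunk, `IPC_CREAT | 0600` limits attaching to the creating uid (and privileged processes), and the commit message does not say which uid the X server ran as during the Xlib and llvmpipe tests. Since the segment backs a shared-memory XImage, please state in the commit message whether the case of a server that cannot attach was exercised and what the driver does then.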
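Review bot: in the xm_buffer.c hunk, the comment sits three lines above the mode argument it describes, and the same literal and comment now appear in all three files. A shared define for the mode would keep the three shmget() calls from drifting apart, and the comment could then move next to `IPC_CREAT | 0600` or go away.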
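An added example, not part of the original message or of Mesa: it creates a private segment the way the patched calls do, reads back the permission bits the kernel stored, and shows that the process umask does not narrow a SysV segment's mode. The function names are hypothetical.

```c
#include <stdio.h>
#include <sys/ipc.h>
#include <sys/shm.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Create a private segment with `mode`, read back the permission bits the
 * kernel recorded, then mark the segment for removal.
 * Returns the low 9 mode bits, or -1 on error. */
static int shm_effective_mode(size_t size, int mode)
{
   struct shmid_ds ds;
   int result = -1;
   int id = shmget(IPC_PRIVATE, size, IPC_CREAT | mode);

   if (id < 0)
      return -1;
   if (shmctl(id, IPC_STAT, &ds) == 0)
      result = ds.shm_perm.mode & 0777;
   shmctl(id, IPC_RMID, NULL);   /* never leave the test segment behind */
   return result;
}

/* Same, but under a temporary umask. Unlike open(), shmget() ignores the
 * umask, so a restrictive umask does not compensate for a 0777 mode. */
static int shm_mode_under_umask(mode_t mask, int mode)
{
   mode_t old = umask(mask);
   int result = shm_effective_mode(4096, mode);

   umask(old);
   return result;
}

/* Group/other permission bits that let another uid attach to the segment. */
static int shm_exposed_bits(int mode)
{
   return mode & (S_IRWXG | S_IRWXO);
}

int main(void)
{
   const int modes[] = { 0777, 0600 };   /* before and after the patch */

   for (int i = 0; i < 2; i++) {
      int m = shm_mode_under_umask(077, modes[i]);
      if (m < 0) {
         perror("shmget/shmctl");
         return 1;
      }
      printf("requested %04o, umask 077 -> stored %04o, exposed bits %03o\n",
             (unsigned) modes[i], (unsigned) m, (unsigned) shm_exposed_bits(m));
   }
   return 0;
}
```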