projects / mesa.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: fdaf814)
Call shmget() with permission 0600 instead of 0777
authorBrian Paul <brianp@vmware.com>
Wed, 9 Oct 2019 18:05:16 +0000 (12:05 -0600)
committerBrian Paul <brianp@vmware.com>
Mon, 18 Nov 2019 19:28:59 +0000 (12:28 -0700)
A security advisory (TALOS-2019-0857/CVE-2019-5068) found that
creating shared memory regions with permission mode 0777 could allow
any user to access that memory.  Several Mesa drivers use shared-
memory XImages to implement back buffers for improved performance.

This path changes the shmget() calls to use 0600 (user r/w).

Tested with legacy Xlib driver and llvmpipe.

Cc: mesa-stable@lists.freedesktop.org
Reviewed-by: Kristian H. Kristensen <hoegsberg@google.com>
src/gallium/winsys/sw/dri/dri_sw_winsys.c patch | blob | history
src/gallium/winsys/sw/xlib/xlib_sw_winsys.c patch | blob | history
src/mesa/drivers/x11/xm_buffer.c patch | blob | history

diff --git a/src/gallium/winsys/sw/dri/dri_sw_winsys.c b/src/gallium/winsys/sw/dri/dri_sw_winsys.c
index cbccf4d01dfb779a16317cd45f29863270916d75..6173147a1ff10234b40685c3a295c682a0078faa 100644 (file)
--- a/src/gallium/winsys/sw/dri/dri_sw_winsys.c
+++ b/src/gallium/winsys/sw/dri/dri_sw_winsys.c
@@ -92,7 +92,8 @@ alloc_shm(struct dri_sw_displaytarget *dri_sw_dt, unsigned size)
 {
    char *addr;
 
-   dri_sw_dt->shmid = shmget(IPC_PRIVATE, size, IPC_CREAT|0777);
+   /* 0600 = user read+write */
+   dri_sw_dt->shmid = shmget(IPC_PRIVATE, size, IPC_CREAT | 0600);
    if (dri_sw_dt->shmid < 0)
       return NULL;
 
diff --git a/src/gallium/winsys/sw/xlib/xlib_sw_winsys.c b/src/gallium/winsys/sw/xlib/xlib_sw_winsys.c
index be28fae3df2ec3d47ccacdc22bf1ff5c57e3e767..8e97f0a24af589f5b14cafa3d8be3f36877ec4fe 100644 (file)
--- a/src/gallium/winsys/sw/xlib/xlib_sw_winsys.c
+++ b/src/gallium/winsys/sw/xlib/xlib_sw_winsys.c
@@ -126,7 +126,8 @@ alloc_shm(struct xlib_displaytarget *buf, unsigned size)
    shminfo->shmid = -1;
    shminfo->shmaddr = (char *) -1;
 
-   shminfo->shmid = shmget(IPC_PRIVATE, size, IPC_CREAT|0777);
+   /* 0600 = user read+write */
+   shminfo->shmid = shmget(IPC_PRIVATE, size, IPC_CREAT | 0600);
    if (shminfo->shmid < 0) {
       return NULL;
    }
diff --git a/src/mesa/drivers/x11/xm_buffer.c b/src/mesa/drivers/x11/xm_buffer.c
index d945d8af556da5c3b91b96e2442972f6b9ab0e58..0da08a6e64d483fbcc2f5251acb60ee5f3cf1437 100644 (file)
--- a/src/mesa/drivers/x11/xm_buffer.c
+++ b/src/mesa/drivers/x11/xm_buffer.c
@@ -89,8 +89,9 @@ alloc_back_shm_ximage(XMesaBuffer b, GLuint width, GLuint height)
       return GL_FALSE;
    }
 
+   /* 0600 = user read+write */
    b->shminfo.shmid = shmget(IPC_PRIVATE, b->backxrb->ximage->bytes_per_line
-                            * b->backxrb->ximage->height, IPC_CREAT|0777);
+                             * b->backxrb->ximage->height, IPC_CREAT | 0600);
    if (b->shminfo.shmid < 0) {
       _mesa_warning(NULL, "shmget failed while allocating back buffer.\n");
       XDestroyImage(b->backxrb->ximage);