[Glamor] glamor_egl_create_textured_pixmap is insecure

davyaxel at free.fr davyaxel at free.fr
Sun Jan 19 14:26:03 PST 2014


Hello,

I just realized that the X glamor DDXs use the glamor_egl_create_textured_pixmap
(or glamor_egl_create_textured_screen_ext) for many pixmaps, including the screen pixmap.

glamor_egl_create_textured_pixmap will flink the handle, get a GEM name and use it to import the buffer.

If I'm correct, this is highly insecure (an attacker most likely knows the screen resolution,
and can guess the GEM name attributed to the screen pixmap).

Since we now have a way to use Prime fds to import the buffers,
I think glamor_egl_create_textured_pixmap should be modified to:
. if importing Prime fds is possible (not yet for radeon/nouveau cards, just need a small patch to be merged in Mesa)
-> generate a prime fd from the given handle
-> import the fd with code similar to the dri3 code
. if that failed, then use Gem names.


I don't have time these weeks to work on that,
so if you think this is a serious enough security issue,
then don't hesitate to work on it before I do.

Axel Davy

