[Glamor] glamor_egl_create_textured_pixmap is insecure
Zhigang Gong
zhigang.gong at gmail.com
Thu Jan 23 05:18:57 PST 2014
On Mon, Jan 20, 2014 at 6:26 AM, <davyaxel at free.fr> wrote:
> Hello,
>
> I just realized that the X glamor DDXs use the glamor_egl_create_textured_pixmap
> (or glamor_egl_create_textured_screen_ext) for many pixmaps, including the screen pixmap.
>
> glamor_egl_create_textured_pixmap will flink the handle, get a GEM name and use it to import the buffer.
>
> If I'm correct, this is highly insecure (an attacker knows most likely the screen resolution,
> and can guess the GEM name attributed to the screen pixmap).
Not quite sure I understand what you say here. Could you explain a
little bit more how an attacker could
attack the system here? Glamor is used by the DDX driver which will
not export any interface to normal
application, right? Thanks.
>
> Since we have now a way to use Prime fds to import the buffers,
> I think glamor_egl_create_textured_pixmap should be modified to:
> . if importing Prime fds is possible (not yet for radeon/nouveau cards, just need a small patch to be merged in Mesa)
> -> generate a prime fd from the given handle
> -> import the fd with a similar code than the dri3 code
> . if that failed, then use Gem names.
>
>
> I don't have time these weeks to work on that,
> so if you think this is a serious security issue enough,
> then don't hesitate to work on it before I do.
>
> Axel Davy
> _______________________________________________
> Glamor mailing list
> Glamor at lists.freedesktop.org
> http://lists.freedesktop.org/mailman/listinfo/glamor
More information about the Glamor
mailing list