[Glamor] glamor_egl_create_textured_pixmap is insecure

davyaxel at free.fr davyaxel at free.fr
Thu Jan 23 05:55:03 PST 2014


On 23/01/2014, Zhigang Gong wrote:
> On Mon, Jan 20, 2014 at 6:26 AM,  <davyaxel at free.fr> wrote:
>> Hello,
>>
>> I just realized that the X glamor DDXs use the glamor_egl_create_textured_pixmap
>> (or glamor_egl_create_textured_screen_ext) for many pixmaps, including the screen pixmap.
>>
>> glamor_egl_create_textured_pixmap will flink the handle, get a GEM name and use it to import the buffer.
>>
>> If I'm correct, this is highly insecure (an attacker knows most likely the screen resolution,
>> and can guess the GEM name attributed to the screen pixmap).
> Not quite sure I understand what you say here. Could you explain a
> little bit more how an attacker could
> attack the system here? Glamor is used by the DDX driver which will
> not export any interface to normal
> application, right? Thanks.

As long as we get a GEM name from a buffer, an attacker can get access to it.

I advise you to have a look at this presentation:
http://www.x.org/wiki/Events/XDC2013/XDC2013DavidHerrmannDRMSecurity/

Given that the screen size is known, and it's a first GEM name created at boot, the buffer size and the GEM name are predictable.

Axel Davy