[Glamor] glamor_egl_create_textured_pixmap is insecure
Zhigang Gong
zhigang.gong at gmail.com
Thu Jan 23 08:07:33 PST 2014
On Thu, Jan 23, 2014 at 9:55 PM, <davyaxel at free.fr> wrote:
>
> On 23/01/2014, Zhigang Gong wrote:
>> On Mon, Jan 20, 2014 at 6:26 AM, <davyaxel at free.fr> wrote:
>>> Hello,
>>>
>>> I just realized that the X glamor DDXs use the glamor_egl_create_textured_pixmap
>>> (or glamor_egl_create_textured_screen_ext) for many pixmaps, including the screen pixmap.
>>>
>>> glamor_egl_create_textured_pixmap will flink the handle, get a GEM name and use it to import the buffer.
>>>
>>> If I'm correct, this is highly insecure (an attacker most likely knows the screen resolution,
>>> and can guess the GEM name assigned to the screen pixmap).
>> Not quite sure I understand what you say here. Could you explain a
>> little bit more how an attacker could attack the system here? Glamor
>> is used by the DDX driver which will not export any interface to
>> normal applications, right? Thanks.
>
> As long as we get a GEM name from a buffer, an attacker can get access to it.
>
> I advise you have a look at this presentation:
> http://www.x.org/wiki/Events/XDC2013/XDC2013DavidHerrmannDRMSecurity/
>
> Given the screen size is known, and it's the first GEM name created at boot, the buffer size and the GEM name are predictable.
Thanks for the explanation. This is indeed insecure, and I think we
need to fix this in version 0.6.
>
> Axel Davy