[Glamor] glamor_egl_create_textured_pixmap is insecure
Alex Deucher
alexdeucher at gmail.com
Thu Jan 23 08:16:43 PST 2014
On Thu, Jan 23, 2014 at 11:07 AM, Zhigang Gong <zhigang.gong at gmail.com> wrote:
> On Thu, Jan 23, 2014 at 9:55 PM, <davyaxel at free.fr> wrote:
>>
>> On 23/01/2014, Zhigang Gong wrote :
>>> On Mon, Jan 20, 2014 at 6:26 AM, <davyaxel at free.fr> wrote:
>>>> Hello,
>>>>
>>>> I just realized that the X glamor DDXs use the glamor_egl_create_textured_pixmap
>>>> (or glamor_egl_create_textured_screen_ext) for many pixmaps, including the screen pixmap.
>>>>
>>>> glamor_egl_create_textured_pixmap will flink the handle, get a GEM name and use it to import the buffer.
>>>>
>>>> If I'm correct, this is highly insecure (an attacker knows most likely the screen resolution,
>>>> and can guess the GEM name attributed to the screen pixmap).
>>> Not quite sure I understand what you say here. Could you explain a
>>> little bit more how an attacker could
>>> attack the system here? Glamor is used by the DDX driver which will
>>> not export any interface to normal
>>> application, right? Thanks.
>>
>> As long as we get a Gem Name from a buffer, an attacker can get access to it.
>>
>> I advise you have a look at this presentation:
>> http://www.x.org/wiki/Events/XDC2013/XDC2013DavidHerrmannDRMSecurity/
>>
>> Given the screen size is known, and it's a first gem name created at boot, the buffer size and the gem name are predictable.
> Thanks for the explanation. This is indeed insecure, and I think we
> need to fix this in version 0.6.
Can we do this after the next glamor release? This is not a new
problem and support for prime fds still requires outstanding patches
to mesa for radeon and nv hardware.
Alex
More information about the Glamor
mailing list