[Glamor] glamor_egl_create_textured_pixmap is insecure

Zhigang Gong zhigang.gong at gmail.com
Thu Jan 23 08:19:18 PST 2014


Or can we just limit the lifetime of the flink-name within the texture
creation function? Is that doable?

On Fri, Jan 24, 2014 at 12:16 AM, Alex Deucher <alexdeucher at gmail.com> wrote:
> On Thu, Jan 23, 2014 at 11:07 AM, Zhigang Gong <zhigang.gong at gmail.com> wrote:
>> On Thu, Jan 23, 2014 at 9:55 PM,  <davyaxel at free.fr> wrote:
>>>
>>> On 23/01/2014, Zhigang Gong wrote:
>>>> On Mon, Jan 20, 2014 at 6:26 AM,  <davyaxel at free.fr> wrote:
>>>>> Hello,
>>>>>
>>>>> I just realized that the X glamor DDXs use the glamor_egl_create_textured_pixmap
>>>>> (or glamor_egl_create_textured_screen_ext) for many pixmaps, including the screen pixmap.
>>>>>
>>>>> glamor_egl_create_textured_pixmap will flink the handle, get a GEM name and use it to import the buffer.
>>>>>
>>>>> If I'm correct, this is highly insecure (an attacker knows most likely the screen resolution,
>>>>> and can guess the GEM name attributed to the screen pixmap).
>>>> Not quite sure I understand what you say here. Could you explain a
>>>> little bit more how an attacker could attack the system here? Glamor
>>>> is used by the DDX driver which will not export any interface to normal
>>>> application, right? Thanks.
>>>
>>> As long as we get a GEM name from a buffer, an attacker can get access to it.
>>>
>>> I advise you have a look at this presentation:
>>> http://www.x.org/wiki/Events/XDC2013/XDC2013DavidHerrmannDRMSecurity/
>>>
>>> Given the screen size is known, and it's the first GEM name created at boot, the buffer size and the GEM name are predictable.
>> Thanks for the explanation.  This is indeed insecure, and I think we
>> need to fix this in version 0.6.
>
> Can we do this after the next glamor release?  This is not a new
> problem and support for prime fds still requires outstanding patches
> to mesa for radeon and nv hardware.
>
> Alex
