[Mesa-dev] [PATCH] Call shmget() with permission 0600 instead of 0777

Stuart Young cefiar at gmail.com
Thu Oct 24 21:46:06 UTC 2019


Not my call, but both of these went into my gmail spam folder for DMARC
failures, so a lot of people might not have seen it.

On Fri, 25 Oct 2019 at 08:25, Brian Paul <brian.e.paul at gmail.com> wrote:

> Ping.  Anyone?
>
> -Brian
>
> On Tue, Oct 22, 2019 at 3:52 PM Brian Paul <brianp at vmware.com> wrote:
>
>> A security advisory (TALOS-2019-0857/CVE-2019-5068) found that
>> creating shared memory regions with permission mode 0777 could allow
>> any user to access that memory.  Several Mesa drivers use shared-
>> memory XImages to implement back buffers for improved performance.
>>
>> This path changes the shmget() calls to use 0600 (user r/w).
>>
>> Tested with legacy Xlib driver and llvmpipe.
>>
>> Cc: mesa-stable at lists.freedesktop.org
>> ---
>>  src/gallium/winsys/sw/dri/dri_sw_winsys.c   | 3 ++-
>>  src/gallium/winsys/sw/xlib/xlib_sw_winsys.c | 3 ++-
>>  src/mesa/drivers/x11/xm_buffer.c            | 3 ++-
>>  3 files changed, 6 insertions(+), 3 deletions(-)
>>
>> diff --git a/src/gallium/winsys/sw/dri/dri_sw_winsys.c
>> b/src/gallium/winsys/sw/dri/dri_sw_winsys.c
>> index 761f5d1..2e5970b 100644
>> --- a/src/gallium/winsys/sw/dri/dri_sw_winsys.c
>> +++ b/src/gallium/winsys/sw/dri/dri_sw_winsys.c
>> @@ -92,7 +92,8 @@ alloc_shm(struct dri_sw_displaytarget *dri_sw_dt,
>> unsigned size)
>>  {
>>     char *addr;
>>
>> -   dri_sw_dt->shmid = shmget(IPC_PRIVATE, size, IPC_CREAT|0777);
>> +   /* 0600 = user read+write */
>> +   dri_sw_dt->shmid = shmget(IPC_PRIVATE, size, IPC_CREAT | 0600);
>>     if (dri_sw_dt->shmid < 0)
>>        return NULL;
>>
>> diff --git a/src/gallium/winsys/sw/xlib/xlib_sw_winsys.c
>> b/src/gallium/winsys/sw/xlib/xlib_sw_winsys.c
>> index c14c9de..edebb48 100644
>> --- a/src/gallium/winsys/sw/xlib/xlib_sw_winsys.c
>> +++ b/src/gallium/winsys/sw/xlib/xlib_sw_winsys.c
>> @@ -126,7 +126,8 @@ alloc_shm(struct xlib_displaytarget *buf, unsigned
>> size)
>>     shminfo->shmid = -1;
>>     shminfo->shmaddr = (char *) -1;
>>
>> -   shminfo->shmid = shmget(IPC_PRIVATE, size, IPC_CREAT|0777);
>> +   /* 0600 = user read+write */
>> +   shminfo->shmid = shmget(IPC_PRIVATE, size, IPC_CREAT | 0600);
>>     if (shminfo->shmid < 0) {
>>        return NULL;
>>     }
>> diff --git a/src/mesa/drivers/x11/xm_buffer.c
>> b/src/mesa/drivers/x11/xm_buffer.c
>> index d945d8a..0da08a6 100644
>> --- a/src/mesa/drivers/x11/xm_buffer.c
>> +++ b/src/mesa/drivers/x11/xm_buffer.c
>> @@ -89,8 +89,9 @@ alloc_back_shm_ximage(XMesaBuffer b, GLuint width,
>> GLuint height)
>>        return GL_FALSE;
>>     }
>>
>> +   /* 0600 = user read+write */
>>     b->shminfo.shmid = shmget(IPC_PRIVATE,
>> b->backxrb->ximage->bytes_per_line
>> -                            * b->backxrb->ximage->height,
>> IPC_CREAT|0777);
>> +                             * b->backxrb->ximage->height, IPC_CREAT |
>> 0600);
>>     if (b->shminfo.shmid < 0) {
>>        _mesa_warning(NULL, "shmget failed while allocating back
>> buffer.\n");
>>        XDestroyImage(b->backxrb->ximage);
>> --
>> 1.8.5.6
>>
>> _______________________________________________
>> mesa-dev mailing list
>> mesa-dev at lists.freedesktop.org
>> https://lists.freedesktop.org/mailman/listinfo/mesa-dev
>
> _______________________________________________
> mesa-dev mailing list
> mesa-dev at lists.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/mesa-dev



-- 
Stuart Young (aka Cefiar)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.freedesktop.org/archives/mesa-dev/attachments/20191025/d6c46a4e/attachment-0001.html>


More information about the mesa-dev mailing list