[Mesa-dev] [PATCH] Call shmget() with permission 0600 instead of 0777
Stuart Young
cefiar at gmail.com
Thu Oct 24 21:46:06 UTC 2019
Not my call, but both of these went into my gmail spam folder for DMARC
failures, so a lot of people might not have seen it.
On Fri, 25 Oct 2019 at 08:25, Brian Paul <brian.e.paul at gmail.com> wrote:
> Ping. Anyone?
>
> -Brian
>
> On Tue, Oct 22, 2019 at 3:52 PM Brian Paul <brianp at vmware.com> wrote:
>
>> A security advisory (TALOS-2019-0857/CVE-2019-5068) found that
>> creating shared memory regions with permission mode 0777 could allow
>> any user to access that memory. Several Mesa drivers use shared-
>> memory XImages to implement back buffers for improved performance.
>>
>> This path changes the shmget() calls to use 0600 (user r/w).
>>
>> Tested with legacy Xlib driver and llvmpipe.
>>
>> Cc: mesa-stable at lists.freedesktop.org
>> ---
>> src/gallium/winsys/sw/dri/dri_sw_winsys.c | 3 ++-
>> src/gallium/winsys/sw/xlib/xlib_sw_winsys.c | 3 ++-
>> src/mesa/drivers/x11/xm_buffer.c | 3 ++-
>> 3 files changed, 6 insertions(+), 3 deletions(-)
>>
>> diff --git a/src/gallium/winsys/sw/dri/dri_sw_winsys.c
>> b/src/gallium/winsys/sw/dri/dri_sw_winsys.c
>> index 761f5d1..2e5970b 100644
>> --- a/src/gallium/winsys/sw/dri/dri_sw_winsys.c
>> +++ b/src/gallium/winsys/sw/dri/dri_sw_winsys.c
>> @@ -92,7 +92,8 @@ alloc_shm(struct dri_sw_displaytarget *dri_sw_dt,
>> unsigned size)
>> {
>> char *addr;
>>
>> - dri_sw_dt->shmid = shmget(IPC_PRIVATE, size, IPC_CREAT|0777);
>> + /* 0600 = user read+write */
>> + dri_sw_dt->shmid = shmget(IPC_PRIVATE, size, IPC_CREAT | 0600);
>> if (dri_sw_dt->shmid < 0)
>> return NULL;
>>
>> diff --git a/src/gallium/winsys/sw/xlib/xlib_sw_winsys.c
>> b/src/gallium/winsys/sw/xlib/xlib_sw_winsys.c
>> index c14c9de..edebb48 100644
>> --- a/src/gallium/winsys/sw/xlib/xlib_sw_winsys.c
>> +++ b/src/gallium/winsys/sw/xlib/xlib_sw_winsys.c
>> @@ -126,7 +126,8 @@ alloc_shm(struct xlib_displaytarget *buf, unsigned
>> size)
>> shminfo->shmid = -1;
>> shminfo->shmaddr = (char *) -1;
>>
>> - shminfo->shmid = shmget(IPC_PRIVATE, size, IPC_CREAT|0777);
>> + /* 0600 = user read+write */
>> + shminfo->shmid = shmget(IPC_PRIVATE, size, IPC_CREAT | 0600);
>> if (shminfo->shmid < 0) {
>> return NULL;
>> }
>> diff --git a/src/mesa/drivers/x11/xm_buffer.c
>> b/src/mesa/drivers/x11/xm_buffer.c
>> index d945d8a..0da08a6 100644
>> --- a/src/mesa/drivers/x11/xm_buffer.c
>> +++ b/src/mesa/drivers/x11/xm_buffer.c
>> @@ -89,8 +89,9 @@ alloc_back_shm_ximage(XMesaBuffer b, GLuint width,
>> GLuint height)
>> return GL_FALSE;
>> }
>>
>> + /* 0600 = user read+write */
>> b->shminfo.shmid = shmget(IPC_PRIVATE,
>> b->backxrb->ximage->bytes_per_line
>> - * b->backxrb->ximage->height,
>> IPC_CREAT|0777);
>> + * b->backxrb->ximage->height, IPC_CREAT |
>> 0600);
>> if (b->shminfo.shmid < 0) {
>> _mesa_warning(NULL, "shmget failed while allocating back
>> buffer.\n");
>> XDestroyImage(b->backxrb->ximage);
>> --
>> 1.8.5.6
>>
>> _______________________________________________
>> mesa-dev mailing list
>> mesa-dev at lists.freedesktop.org
>> https://lists.freedesktop.org/mailman/listinfo/mesa-dev
>
> _______________________________________________
> mesa-dev mailing list
> mesa-dev at lists.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/mesa-dev
--
Stuart Young (aka Cefiar)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.freedesktop.org/archives/mesa-dev/attachments/20191025/d6c46a4e/attachment-0001.html>
More information about the mesa-dev
mailing list