<div dir="ltr"><div>Ping. Anyone?</div><div><br></div><div>-Brian<br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Oct 22, 2019 at 3:52 PM Brian Paul <<a href="mailto:brianp@vmware.com">brianp@vmware.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">A security advisory (TALOS-2019-0857/CVE-2019-5068) found that<br>
creating shared memory regions with permission mode 0777 could allow<br>
any user to access that memory. Several Mesa drivers use shared-<br>
memory XImages to implement back buffers for improved performance.<br>
<br>
This path changes the shmget() calls to use 0600 (user r/w).<br>
<br>
Tested with legacy Xlib driver and llvmpipe.<br>
<br>
Cc: <a href="mailto:mesa-stable@lists.freedesktop.org" target="_blank">mesa-stable@lists.freedesktop.org</a><br>
---<br>
src/gallium/winsys/sw/dri/dri_sw_winsys.c | 3 ++-<br>
src/gallium/winsys/sw/xlib/xlib_sw_winsys.c | 3 ++-<br>
src/mesa/drivers/x11/xm_buffer.c | 3 ++-<br>
3 files changed, 6 insertions(+), 3 deletions(-)<br>
<br>
diff --git a/src/gallium/winsys/sw/dri/dri_sw_winsys.c b/src/gallium/winsys/sw/dri/dri_sw_winsys.c<br>
index 761f5d1..2e5970b 100644<br>
--- a/src/gallium/winsys/sw/dri/dri_sw_winsys.c<br>
+++ b/src/gallium/winsys/sw/dri/dri_sw_winsys.c<br>
@@ -92,7 +92,8 @@ alloc_shm(struct dri_sw_displaytarget *dri_sw_dt, unsigned size)<br>
{<br>
char *addr;<br>
<br>
- dri_sw_dt->shmid = shmget(IPC_PRIVATE, size, IPC_CREAT|0777);<br>
+ /* 0600 = user read+write */<br>
+ dri_sw_dt->shmid = shmget(IPC_PRIVATE, size, IPC_CREAT | 0600);<br>
if (dri_sw_dt->shmid < 0)<br>
return NULL;<br>
<br>
diff --git a/src/gallium/winsys/sw/xlib/xlib_sw_winsys.c b/src/gallium/winsys/sw/xlib/xlib_sw_winsys.c<br>
index c14c9de..edebb48 100644<br>
--- a/src/gallium/winsys/sw/xlib/xlib_sw_winsys.c<br>
+++ b/src/gallium/winsys/sw/xlib/xlib_sw_winsys.c<br>
@@ -126,7 +126,8 @@ alloc_shm(struct xlib_displaytarget *buf, unsigned size)<br>
shminfo->shmid = -1;<br>
shminfo->shmaddr = (char *) -1;<br>
<br>
- shminfo->shmid = shmget(IPC_PRIVATE, size, IPC_CREAT|0777);<br>
+ /* 0600 = user read+write */<br>
+ shminfo->shmid = shmget(IPC_PRIVATE, size, IPC_CREAT | 0600);<br>
if (shminfo->shmid < 0) {<br>
return NULL;<br>
}<br>
diff --git a/src/mesa/drivers/x11/xm_buffer.c b/src/mesa/drivers/x11/xm_buffer.c<br>
index d945d8a..0da08a6 100644<br>
--- a/src/mesa/drivers/x11/xm_buffer.c<br>
+++ b/src/mesa/drivers/x11/xm_buffer.c<br>
@@ -89,8 +89,9 @@ alloc_back_shm_ximage(XMesaBuffer b, GLuint width, GLuint height)<br>
return GL_FALSE;<br>
}<br>
<br>
+ /* 0600 = user read+write */<br>
b->shminfo.shmid = shmget(IPC_PRIVATE, b->backxrb->ximage->bytes_per_line<br>
- * b->backxrb->ximage->height, IPC_CREAT|0777);<br>
+ * b->backxrb->ximage->height, IPC_CREAT | 0600);<br>
if (b->shminfo.shmid < 0) {<br>
_mesa_warning(NULL, "shmget failed while allocating back buffer.\n");<br>
XDestroyImage(b->backxrb->ximage);<br>
-- <br>
1.8.5.6<br>
<br>
_______________________________________________<br>
mesa-dev mailing list<br>
<a href="mailto:mesa-dev@lists.freedesktop.org" target="_blank">mesa-dev@lists.freedesktop.org</a><br>
<a href="https://lists.freedesktop.org/mailman/listinfo/mesa-dev" rel="noreferrer" target="_blank">https://lists.freedesktop.org/mailman/listinfo/mesa-dev</a></blockquote></div></div>