Skip to content
Snippets Groups Projects
Commit 023ddb01 authored by Brian Paul's avatar Brian Paul Committed by Dylan Baker
Browse files

Call shmget() with permission 0600 instead of 0777


A security advisory (TALOS-2019-0857/CVE-2019-5068) found that
creating shared memory regions with permission mode 0777 could allow
any user to access that memory.  Several Mesa drivers use shared-
memory XImages to implement back buffers for improved performance.

This path changes the shmget() calls to use 0600 (user r/w).

Tested with legacy Xlib driver and llvmpipe.

Cc: mesa-stable@lists.freedesktop.org
Reviewed-by: default avatarKristian H. Kristensen <hoegsberg@google.com>
(cherry picked from commit 02c3dad0)
parent 3199172e
No related branches found
No related tags found
No related merge requests found
......@@ -92,7 +92,8 @@ alloc_shm(struct dri_sw_displaytarget *dri_sw_dt, unsigned size)
{
char *addr;
dri_sw_dt->shmid = shmget(IPC_PRIVATE, size, IPC_CREAT|0777);
/* 0600 = user read+write */
dri_sw_dt->shmid = shmget(IPC_PRIVATE, size, IPC_CREAT | 0600);
if (dri_sw_dt->shmid < 0)
return NULL;
......
......@@ -126,7 +126,8 @@ alloc_shm(struct xlib_displaytarget *buf, unsigned size)
shminfo->shmid = -1;
shminfo->shmaddr = (char *) -1;
shminfo->shmid = shmget(IPC_PRIVATE, size, IPC_CREAT|0777);
/* 0600 = user read+write */
shminfo->shmid = shmget(IPC_PRIVATE, size, IPC_CREAT | 0600);
if (shminfo->shmid < 0) {
return NULL;
}
......
......@@ -89,8 +89,9 @@ alloc_back_shm_ximage(XMesaBuffer b, GLuint width, GLuint height)
return GL_FALSE;
}
/* 0600 = user read+write */
b->shminfo.shmid = shmget(IPC_PRIVATE, b->backxrb->ximage->bytes_per_line
* b->backxrb->ximage->height, IPC_CREAT|0777);
* b->backxrb->ximage->height, IPC_CREAT | 0600);
if (b->shminfo.shmid < 0) {
_mesa_warning(NULL, "shmget failed while allocating back buffer.\n");
XDestroyImage(b->backxrb->ximage);
......
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment