Commit 02c3dad0 authored by Brian Paul's avatar Brian Paul

Call shmget() with permission 0600 instead of 0777

A security advisory (TALOS-2019-0857/CVE-2019-5068) found that
creating shared memory regions with permission mode 0777 could allow
any user to access that memory.  Several Mesa drivers use shared-
memory XImages to implement back buffers for improved performance.

This path changes the shmget() calls to use 0600 (user r/w).

Tested with legacy Xlib driver and llvmpipe.

Cc: mesa-stable@lists.freedesktop.org
Reviewed-by: Kristian H. Kristensen's avatarKristian H. Kristensen <hoegsberg@google.com>
parent fdaf8144
Pipeline #80208 passed with stages
in 30 minutes and 53 seconds
......@@ -92,7 +92,8 @@ alloc_shm(struct dri_sw_displaytarget *dri_sw_dt, unsigned size)
{
char *addr;
dri_sw_dt->shmid = shmget(IPC_PRIVATE, size, IPC_CREAT|0777);
/* 0600 = user read+write */
dri_sw_dt->shmid = shmget(IPC_PRIVATE, size, IPC_CREAT | 0600);
if (dri_sw_dt->shmid < 0)
return NULL;
......
......@@ -126,7 +126,8 @@ alloc_shm(struct xlib_displaytarget *buf, unsigned size)
shminfo->shmid = -1;
shminfo->shmaddr = (char *) -1;
shminfo->shmid = shmget(IPC_PRIVATE, size, IPC_CREAT|0777);
/* 0600 = user read+write */
shminfo->shmid = shmget(IPC_PRIVATE, size, IPC_CREAT | 0600);
if (shminfo->shmid < 0) {
return NULL;
}
......
......@@ -89,8 +89,9 @@ alloc_back_shm_ximage(XMesaBuffer b, GLuint width, GLuint height)
return GL_FALSE;
}
/* 0600 = user read+write */
b->shminfo.shmid = shmget(IPC_PRIVATE, b->backxrb->ximage->bytes_per_line
* b->backxrb->ximage->height, IPC_CREAT|0777);
* b->backxrb->ximage->height, IPC_CREAT | 0600);
if (b->shminfo.shmid < 0) {
_mesa_warning(NULL, "shmget failed while allocating back buffer.\n");
XDestroyImage(b->backxrb->ximage);
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment