summaryrefslogtreecommitdiffstats
path: root/src/gallium
diff options
context:
space:
mode:
authorBrian Paul <[email protected]>2019-10-09 12:05:16 -0600
committerBrian Paul <[email protected]>2019-11-18 12:28:59 -0700
commit02c3dad0f3b4d26e0faa5cc51d06bc50d693dcdc (patch)
tree701aeb05da830be270d1ff8a663c1dd8c991a871 /src/gallium
parentfdaf8144a8bf65afa7dc66b8d827da38e27a850a (diff)
Call shmget() with permission 0600 instead of 0777
A security advisory (TALOS-2019-0857/CVE-2019-5068) found that creating shared memory regions with permission mode 0777 could allow any user to access that memory. Several Mesa drivers use shared- memory XImages to implement back buffers for improved performance. This path changes the shmget() calls to use 0600 (user r/w). Tested with legacy Xlib driver and llvmpipe. Cc: [email protected] Reviewed-by: Kristian H. Kristensen <[email protected]>
Diffstat (limited to 'src/gallium')
-rw-r--r--src/gallium/winsys/sw/dri/dri_sw_winsys.c3
-rw-r--r--src/gallium/winsys/sw/xlib/xlib_sw_winsys.c3
2 files changed, 4 insertions, 2 deletions
diff --git a/src/gallium/winsys/sw/dri/dri_sw_winsys.c b/src/gallium/winsys/sw/dri/dri_sw_winsys.c
index cbccf4d01df..6173147a1ff 100644
--- a/src/gallium/winsys/sw/dri/dri_sw_winsys.c
+++ b/src/gallium/winsys/sw/dri/dri_sw_winsys.c
@@ -92,7 +92,8 @@ alloc_shm(struct dri_sw_displaytarget *dri_sw_dt, unsigned size)
{
char *addr;
- dri_sw_dt->shmid = shmget(IPC_PRIVATE, size, IPC_CREAT|0777);
+ /* 0600 = user read+write */
+ dri_sw_dt->shmid = shmget(IPC_PRIVATE, size, IPC_CREAT | 0600);
if (dri_sw_dt->shmid < 0)
return NULL;
diff --git a/src/gallium/winsys/sw/xlib/xlib_sw_winsys.c b/src/gallium/winsys/sw/xlib/xlib_sw_winsys.c
index be28fae3df2..8e97f0a24af 100644
--- a/src/gallium/winsys/sw/xlib/xlib_sw_winsys.c
+++ b/src/gallium/winsys/sw/xlib/xlib_sw_winsys.c
@@ -126,7 +126,8 @@ alloc_shm(struct xlib_displaytarget *buf, unsigned size)
shminfo->shmid = -1;
shminfo->shmaddr = (char *) -1;
- shminfo->shmid = shmget(IPC_PRIVATE, size, IPC_CREAT|0777);
+ /* 0600 = user read+write */
+ shminfo->shmid = shmget(IPC_PRIVATE, size, IPC_CREAT | 0600);
if (shminfo->shmid < 0) {
return NULL;
}