rpm/Mesa
SHA256
1
0
Fork 0
forked from pool/Mesa
Code Pull Requests Activity

- u_call-shmget-with-permission-0600-instead-of-0777.patch

Browse Source 
* CVE-2019-5068 (bsc#1156015)

OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/Mesa?expand=0&rev=900
This commit is contained in:
Stefan Dirsch 2019-11-14 14:52:13 +00:00 committed by Git OBS Bridge
parent 6c0bceff1b
commit 573aa2f241
5 changed files with 77 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
Mesa-drivers.changes
View File

@ -1,3 +1,9 @@
-------------------------------------------------------------------
Thu Nov 14 14:36:08 UTC 2019 - Stefan Dirsch <sndirsch@suse.com>
- u_call-shmget-with-permission-0600-instead-of-0777.patch
* CVE-2019-5068 (bsc#1156015)
-------------------------------------------------------------------
Thu Nov 14 10:15:13 UTC 2019 - Stefan Dirsch <sndirsch@suse.com>

2
Mesa-drivers.spec
View File

@ -126,6 +126,7 @@ Source6: %{name}-rpmlintrc
Source7: Mesa.keyring
Patch1: n_opencl_dep_libclang.patch
Patch2: n_add-Mesa-headers-again.patch
Patch3: u_call-shmget-with-permission-0600-instead-of-0777.patch
# never to be upstreamed
Patch54: n_drirc-disable-rgb10-for-chromium-on-amd.patch
Patch58: u_dep_xcb.patch
@ -733,6 +734,7 @@ rm -rf docs/README.{VMS,WIN32,OS2}
%endif
%endif
%patch2 -p1
%patch3 -p1
%patch54 -p1
%patch58 -p1

6
Mesa.changes
View File

@ -1,3 +1,9 @@
-------------------------------------------------------------------
Thu Nov 14 14:36:08 UTC 2019 - Stefan Dirsch <sndirsch@suse.com>
- u_call-shmget-with-permission-0600-instead-of-0777.patch
* CVE-2019-5068 (bsc#1156015)
-------------------------------------------------------------------
Thu Nov 14 10:15:13 UTC 2019 - Stefan Dirsch <sndirsch@suse.com>

2
Mesa.spec
View File

@ -125,6 +125,7 @@ Source6: %{name}-rpmlintrc
Source7: Mesa.keyring
Patch1: n_opencl_dep_libclang.patch
Patch2: n_add-Mesa-headers-again.patch
Patch3: u_call-shmget-with-permission-0600-instead-of-0777.patch
# never to be upstreamed
Patch54: n_drirc-disable-rgb10-for-chromium-on-amd.patch
Patch58: u_dep_xcb.patch
@ -732,6 +733,7 @@ rm -rf docs/README.{VMS,WIN32,OS2}
%endif
%endif
%patch2 -p1
%patch3 -p1
%patch54 -p1
%patch58 -p1

61
u_call-shmget-with-permission-0600-instead-of-0777.patch Normal file
View File

@ -0,0 +1,61 @@
A security advisory (TALOS-2019-0857/CVE-2019-5068) found that
creating shared memory regions with permission mode 0777 could allow
any user to access that memory. Several Mesa drivers use shared-
memory XImages to implement back buffers for improved performance.
This path changes the shmget() calls to use 0600 (user r/w).
Tested with legacy Xlib driver and llvmpipe.
Cc: <a href="https://lists.freedesktop.org/mailman/listinfo/mesa-dev">mesa-stable at lists.freedesktop.org</a>
---
src/gallium/winsys/sw/dri/dri_sw_winsys.c | 3 ++-
src/gallium/winsys/sw/xlib/xlib_sw_winsys.c | 3 ++-
src/mesa/drivers/x11/xm_buffer.c | 3 ++-
3 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/src/gallium/winsys/sw/dri/dri_sw_winsys.c b/src/gallium/winsys/sw/dri/dri_sw_winsys.c
index 761f5d1..2e5970b 100644
--- a/src/gallium/winsys/sw/dri/dri_sw_winsys.c
+++ b/src/gallium/winsys/sw/dri/dri_sw_winsys.c
@@ -92,7 +92,8 @@ alloc_shm(struct dri_sw_displaytarget *dri_sw_dt, unsigned size)
{
char *addr;
- dri_sw_dt->shmid = shmget(IPC_PRIVATE, size, IPC_CREAT|0777);
+ /* 0600 = user read+write */
+ dri_sw_dt->shmid = shmget(IPC_PRIVATE, size, IPC_CREAT|0600);
if (dri_sw_dt->shmid < 0)
return NULL;
diff --git a/src/gallium/winsys/sw/xlib/xlib_sw_winsys.c b/src/gallium/winsys/sw/xlib/xlib_sw_winsys.c
index c14c9de..edebb48 100644
--- a/src/gallium/winsys/sw/xlib/xlib_sw_winsys.c
+++ b/src/gallium/winsys/sw/xlib/xlib_sw_winsys.c
@@ -126,7 +126,8 @@ alloc_shm(struct xlib_displaytarget *buf, unsigned size)
shminfo->shmid = -1;
shminfo->shmaddr = (char *) -1;
- shminfo->shmid = shmget(IPC_PRIVATE, size, IPC_CREAT|0777);
+ /* 0600 = user read+write */
+ shminfo->shmid = shmget(IPC_PRIVATE, size, IPC_CREAT|0600);
if (shminfo->shmid < 0) {
return NULL;
}
diff --git a/src/mesa/drivers/x11/xm_buffer.c b/src/mesa/drivers/x11/xm_buffer.c
index d945d8a..0da08a6 100644
--- a/src/mesa/drivers/x11/xm_buffer.c
+++ b/src/mesa/drivers/x11/xm_buffer.c
@@ -89,8 +89,9 @@ alloc_back_shm_ximage(XMesaBuffer b, GLuint width, GLuint height)
return GL_FALSE;
}
+ /* 0600 = user read+write */
b->shminfo.shmid = shmget(IPC_PRIVATE, b->backxrb->ximage->bytes_per_line
- * b->backxrb->ximage->height, IPC_CREAT|0777);
+ * b->backxrb->ximage->height, IPC_CREAT|0600);
if (b->shminfo.shmid < 0) {
_mesa_warning(NULL, "shmget failed while allocating back buffer.\n");
XDestroyImage(b->backxrb->ximage);
--
1.8.5.6