From 573aa2f2416c89ce962e3011093c9be45c4d51d279018b4ce2910264b57fa465 Mon Sep 17 00:00:00 2001
From: Stefan Dirsch <sndirsch@suse.com>
Date: Thu, 14 Nov 2019 14:52:13 +0000
Subject: [PATCH] - u_call-shmget-with-permission-0600-instead-of-0777.patch  
 * CVE-2019-5068 (bsc#1156015)

OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/Mesa?expand=0&rev=900
---
 Mesa-drivers.changes                          |  6 ++
 Mesa-drivers.spec                             |  2 +
 Mesa.changes                                  |  6 ++
 Mesa.spec                                     |  2 +
 ...with-permission-0600-instead-of-0777.patch | 61 +++++++++++++++++++
 5 files changed, 77 insertions(+)
 create mode 100644 u_call-shmget-with-permission-0600-instead-of-0777.patch

diff --git a/Mesa-drivers.changes b/Mesa-drivers.changes
index 5d3ede4..53eb8fb 100644
--- a/Mesa-drivers.changes
+++ b/Mesa-drivers.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Thu Nov 14 14:36:08 UTC 2019 - Stefan Dirsch <sndirsch@suse.com>
+
+- u_call-shmget-with-permission-0600-instead-of-0777.patch
+  * CVE-2019-5068 (bsc#1156015)
+
 -------------------------------------------------------------------
 Thu Nov 14 10:15:13 UTC 2019 - Stefan Dirsch <sndirsch@suse.com>
 
diff --git a/Mesa-drivers.spec b/Mesa-drivers.spec
index 0871679..8f8640f 100644
--- a/Mesa-drivers.spec
+++ b/Mesa-drivers.spec
@@ -126,6 +126,7 @@ Source6:        %{name}-rpmlintrc
 Source7:        Mesa.keyring
 Patch1:         n_opencl_dep_libclang.patch
 Patch2:         n_add-Mesa-headers-again.patch
+Patch3:         u_call-shmget-with-permission-0600-instead-of-0777.patch
 # never to be upstreamed
 Patch54:        n_drirc-disable-rgb10-for-chromium-on-amd.patch
 Patch58:        u_dep_xcb.patch
@@ -733,6 +734,7 @@ rm -rf docs/README.{VMS,WIN32,OS2}
 %endif
 %endif
 %patch2 -p1
+%patch3 -p1
 %patch54 -p1
 %patch58 -p1
 
diff --git a/Mesa.changes b/Mesa.changes
index 5d3ede4..53eb8fb 100644
--- a/Mesa.changes
+++ b/Mesa.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Thu Nov 14 14:36:08 UTC 2019 - Stefan Dirsch <sndirsch@suse.com>
+
+- u_call-shmget-with-permission-0600-instead-of-0777.patch
+  * CVE-2019-5068 (bsc#1156015)
+
 -------------------------------------------------------------------
 Thu Nov 14 10:15:13 UTC 2019 - Stefan Dirsch <sndirsch@suse.com>
 
diff --git a/Mesa.spec b/Mesa.spec
index 310cf51..39a3b3b 100644
--- a/Mesa.spec
+++ b/Mesa.spec
@@ -125,6 +125,7 @@ Source6:        %{name}-rpmlintrc
 Source7:        Mesa.keyring
 Patch1:         n_opencl_dep_libclang.patch
 Patch2:         n_add-Mesa-headers-again.patch
+Patch3:         u_call-shmget-with-permission-0600-instead-of-0777.patch
 # never to be upstreamed
 Patch54:        n_drirc-disable-rgb10-for-chromium-on-amd.patch
 Patch58:        u_dep_xcb.patch
@@ -732,6 +733,7 @@ rm -rf docs/README.{VMS,WIN32,OS2}
 %endif
 %endif
 %patch2 -p1
+%patch3 -p1
 %patch54 -p1
 %patch58 -p1
 
diff --git a/u_call-shmget-with-permission-0600-instead-of-0777.patch b/u_call-shmget-with-permission-0600-instead-of-0777.patch
new file mode 100644
index 0000000..abd141a
--- /dev/null
+++ b/u_call-shmget-with-permission-0600-instead-of-0777.patch
@@ -0,0 +1,61 @@
+A security advisory (TALOS-2019-0857/CVE-2019-5068) found that
+creating shared memory regions with permission mode 0777 could allow
+any user to access that memory.  Several Mesa drivers use shared-
+memory XImages to implement back buffers for improved performance.
+
+This path changes the shmget() calls to use 0600 (user r/w).
+
+Tested with legacy Xlib driver and llvmpipe.
+
+Cc: <a href="https://lists.freedesktop.org/mailman/listinfo/mesa-dev">mesa-stable at lists.freedesktop.org</a>
+---
+ src/gallium/winsys/sw/dri/dri_sw_winsys.c   | 3 ++-
+ src/gallium/winsys/sw/xlib/xlib_sw_winsys.c | 3 ++-
+ src/mesa/drivers/x11/xm_buffer.c            | 3 ++-
+ 3 files changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/src/gallium/winsys/sw/dri/dri_sw_winsys.c b/src/gallium/winsys/sw/dri/dri_sw_winsys.c
+index 761f5d1..2e5970b 100644
+--- a/src/gallium/winsys/sw/dri/dri_sw_winsys.c
++++ b/src/gallium/winsys/sw/dri/dri_sw_winsys.c
+@@ -92,7 +92,8 @@ alloc_shm(struct dri_sw_displaytarget *dri_sw_dt, unsigned size)
+ {
+    char *addr;
+ 
+-   dri_sw_dt->shmid = shmget(IPC_PRIVATE, size, IPC_CREAT|0777);
++   /* 0600 = user read+write */
++   dri_sw_dt->shmid = shmget(IPC_PRIVATE, size, IPC_CREAT|0600);
+    if (dri_sw_dt->shmid < 0)
+       return NULL;
+ 
+diff --git a/src/gallium/winsys/sw/xlib/xlib_sw_winsys.c b/src/gallium/winsys/sw/xlib/xlib_sw_winsys.c
+index c14c9de..edebb48 100644
+--- a/src/gallium/winsys/sw/xlib/xlib_sw_winsys.c
++++ b/src/gallium/winsys/sw/xlib/xlib_sw_winsys.c
+@@ -126,7 +126,8 @@ alloc_shm(struct xlib_displaytarget *buf, unsigned size)
+    shminfo->shmid = -1;
+    shminfo->shmaddr = (char *) -1;
+ 
+-   shminfo->shmid = shmget(IPC_PRIVATE, size, IPC_CREAT|0777);
++   /* 0600 = user read+write */
++   shminfo->shmid = shmget(IPC_PRIVATE, size, IPC_CREAT|0600);
+    if (shminfo->shmid < 0) {
+       return NULL;
+    }
+diff --git a/src/mesa/drivers/x11/xm_buffer.c b/src/mesa/drivers/x11/xm_buffer.c
+index d945d8a..0da08a6 100644
+--- a/src/mesa/drivers/x11/xm_buffer.c
++++ b/src/mesa/drivers/x11/xm_buffer.c
+@@ -89,8 +89,9 @@ alloc_back_shm_ximage(XMesaBuffer b, GLuint width, GLuint height)
+       return GL_FALSE;
+    }
+ 
++   /* 0600 = user read+write */
+    b->shminfo.shmid = shmget(IPC_PRIVATE, b->backxrb->ximage->bytes_per_line
+-			     * b->backxrb->ximage->height, IPC_CREAT|0777);
++                            * b->backxrb->ximage->height, IPC_CREAT|0600);
+    if (b->shminfo.shmid < 0) {
+       _mesa_warning(NULL, "shmget failed while allocating back buffer.\n");
+       XDestroyImage(b->backxrb->ximage);
+-- 
+1.8.5.6