https://bugs.kde.org/show_bug.cgi?id=381674

            Bug ID: 381674
           Summary: wl_keyboard::keymap fd is shared and can be modified
                    from any client
           Product: kwin
           Version: git master
          Platform: unspecified
                OS: All
            Status: UNCONFIRMED
          Severity: major
          Priority: NOR
         Component: wayland-generic
          Assignee: kwin-bugs-n...@kde.org
          Reporter: d138e...@casix.org
  Target Milestone: ---

Created attachment 106304
  --> https://bugs.kde.org/attachment.cgi?id=106304&action=edit
Minimal example that makes the keymap invalid

The xkb keymap is sent to clients using the wl_keyboard::keymap() event that
includes a file descriptor that should be mmap()ed and then given to
xkb_keymap_new_from_string.

Although there is commonly no reason to do so, the fd can be mmap()ed with
PROT_WRITE and MAP_SHARED flags, so the client can modify it. Since kwin only
uses one global fd that it shares with all clients, changes to the mmap()ed
keymap are visible to other clients until the compositor changes keymap and
thus resets the fd. This means that the keymap can be made invalid or replaced
altogether. As the change is not announced by the compositor, this will only
apply to newly started clients. Qt apps seem to crash at start when the keymap
is invalid.

This is definitely a bug and potentially a security hole because the Wayland
protocol was designed specifically such that clients cannot interfere with each
other.
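The compositor-side mitigation for the issue described above, as an added example that is neither the reporter's attachment nor kwin's own code: the keymap is written into a memfd and write-sealed before the fd is handed to any client, so a client's mmap() with PROT_WRITE and MAP_SHARED is refused with EPERM while read-only mappings keep working, and no client can strip the seals again. The keymap string is a constructed placeholder and the function names are my own; memfd_create() and F_ADD_SEALS are Linux-specific.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed placeholder; a compositor would use the xkb_keymap_get_as_string() output. */
static const char SAMPLE_KEYMAP[] = "xkb_keymap { xkb_keycodes \"evdev\" { }; };";

/* Compositor side: put the keymap in a memfd sealed against size and content changes; fd or -1. */
int create_sealed_keymap_fd(const char *keymap, size_t len)
{
    int fd = memfd_create("keymap", MFD_CLOEXEC | MFD_ALLOW_SEALING);
    if (fd < 0) return -1;
    for (size_t off = 0; off < len;) {
        ssize_t n = write(fd, keymap + off, len - off);
        if (n < 0 && errno == EINTR) continue;
        if (n <= 0) { close(fd); return -1; }
        off += (size_t)n;
    }
    /* F_SEAL_WRITE makes any later mmap(PROT_WRITE, MAP_SHARED) fail with EPERM;
     * F_SEAL_SEAL stops anyone holding the fd (e.g. a client) from removing the seals. */
    int seals = F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE | F_SEAL_SEAL;
    if (fcntl(fd, F_ADD_SEALS, seals) < 0) { close(fd); return -1; }
    return fd;
}

/* Client-side check: 1 if a shared writable mapping is refused with EPERM while a
 * read-only mapping still yields the expected keymap bytes, 0 otherwise. */
int keymap_fd_is_tamper_proof(int fd, const char *expected, size_t len)
{
    void *w = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (w != MAP_FAILED) { munmap(w, len); return 0; }  /* unsealed: the bug is present */
    if (errno != EPERM) return 0;
    void *r = mmap(NULL, len, PROT_READ, MAP_SHARED, fd, 0);
    if (r == MAP_FAILED) return 0;
    int intact = memcmp(r, expected, len) == 0;
    munmap(r, len);
    return intact;
}

/* End-to-end run on the placeholder keymap; returns 1 when sealing works as intended. */
int demo_sealed_keymap(void)
{
    int fd = create_sealed_keymap_fd(SAMPLE_KEYMAP, sizeof SAMPLE_KEYMAP);
    if (fd < 0) return 0;
    int ok = keymap_fd_is_tamper_proof(fd, SAMPLE_KEYMAP, sizeof SAMPLE_KEYMAP);
    close(fd);
    return ok;
}
```

A MAP_PRIVATE writable mapping is still allowed on a sealed memfd, but it is copy-on-write and never reaches other clients.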
