https://bugs.kde.org/show_bug.cgi?id=381674

Bug ID: 381674
Summary: wl_keyboard::keymap fd is shared and can be modified from any client
Product: kwin
Version: git master
Platform: unspecified
OS: All
Status: UNCONFIRMED
Severity: major
Priority: NOR
Component: wayland-generic
Assignee: kwin-bugs-n...@kde.org
Reporter: d138e...@casix.org
Target Milestone: ---

Created attachment 106304
--> https://bugs.kde.org/attachment.cgi?id=106304&action=edit
Minimal example that makes the keymap invalid

The xkb keymap is sent to clients using the wl_keyboard::keymap() event, which includes a file descriptor that should be mmap()ed and then given to xkb_keymap_new_from_string. Although there is commonly no reason to do so, the fd can be mmap()ed with the PROT_WRITE and MAP_SHARED flags, so the client can modify it.

Since kwin only uses one global fd that it shares with all clients, changes to the mmap()ed keymap are visible to other clients until the compositor changes the keymap and thus resets the fd. This means that the keymap can be made invalid or replaced altogether. As the change is not announced by the compositor, this will only apply to newly started clients. Qt apps seem to crash at start when the keymap is invalid.

This is definitely a bug and potentially a security hole, because the Wayland protocol was designed specifically such that clients cannot interfere with each other.

--
You are receiving this mail because:
You are watching all bug changes.
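A compositor-side mitigation for the problem the report describes, as an added example in C that is not part of this bug report, of the attached reproducer, or of kwin's code: the keymap text is placed in a memfd that is sealed against resizing and shared-writable mappings before the fd is handed out, so a client that tries the PROT_WRITE + MAP_SHARED mapping gets EPERM from the kernel, while the normal read-only mapping still delivers the compositor's bytes unchanged. It assumes Linux (memfd_create and file seals) and uses a constructed placeholder string in place of a real xkb keymap.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed placeholder; a real xkb keymap from xkb_keymap_get_as_string()
 * is several KiB of "xkb_keymap { ... }" text. */
static const char KEYMAP_TEXT[] =
    "xkb_keymap {\n"
    "  /* constructed sample, not a real keymap */\n"
    "};\n";
#define KEYMAP_LEN (sizeof KEYMAP_TEXT - 1)

/* Compositor side: put the keymap into a memfd and seal it so that no
 * holder of the fd can resize it or create a shared writable mapping.
 * Returns the fd, or -1 on failure (errno set). */
int create_sealed_keymap_fd(const char *text, size_t len)
{
    int fd = memfd_create("keymap", MFD_CLOEXEC | MFD_ALLOW_SEALING);
    if (fd < 0)
        return -1;
    if (ftruncate(fd, (off_t)len) < 0)
        goto fail;

    /* Fill the file before sealing; writes are refused afterwards. */
    size_t off = 0;
    while (off < len) {
        ssize_t n = pwrite(fd, text + off, len - off, (off_t)off);
        if (n <= 0)
            goto fail;
        off += (size_t)n;
    }

    /* F_SEAL_WRITE makes mmap(PROT_WRITE, MAP_SHARED) fail with EPERM,
     * F_SEAL_SHRINK/GROW freeze the size, F_SEAL_SEAL locks the seal set. */
    if (fcntl(fd, F_ADD_SEALS,
              F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE | F_SEAL_SEAL) < 0)
        goto fail;
    return fd;

fail:
    close(fd);
    return -1;
}

/* Client side, misbehaving: attempt the writable shared mapping the report
 * describes. Returns 1 if the kernel refused it (EPERM), 0 if it succeeded,
 * -1 on an unexpected error. */
int writable_shared_mapping_refused(int fd, size_t len)
{
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (p == MAP_FAILED)
        return errno == EPERM ? 1 : -1;
    munmap(p, len);
    return 0;
}

/* Client side, well-behaved: a read-only private mapping still works and
 * delivers the compositor's bytes unchanged. Returns 1 on match. */
int readonly_mapping_matches(int fd, const char *expected, size_t len)
{
    void *p = mmap(NULL, len, PROT_READ, MAP_PRIVATE, fd, 0);
    if (p == MAP_FAILED)
        return 0;
    int ok = memcmp(p, expected, len) == 0;
    munmap(p, len);
    return ok;
}

/* Runs the whole scenario; returns 1 when the sealed fd behaves as intended. */
int sealed_keymap_scenario(void)
{
    int fd = create_sealed_keymap_fd(KEYMAP_TEXT, KEYMAP_LEN);
    if (fd < 0)
        return 0;
    int refused = writable_shared_mapping_refused(fd, KEYMAP_LEN);
    int readable = readonly_mapping_matches(fd, KEYMAP_TEXT, KEYMAP_LEN);
    close(fd);
    return refused == 1 && readable == 1;
}

int main(void)
{
    int ok = sealed_keymap_scenario();
    printf("sealed keymap fd: %s\n",
           ok ? "writable shared mapping refused, read-only mapping OK" : "FAILED");
    return ok ? 0 : 1;
}
```

Sealing removes the cross-client write path even when one fd is shared by every client; handing each client its own fd (or a read-only reopen of the file) is the other option, and newer revisions of the wl_keyboard protocol additionally require clients to map the keymap with MAP_PRIVATE, which is what a well-behaved client does anyway.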