https://bugs.freedesktop.org/show_bug.cgi?id=101595
Bug ID: 101595
Summary: wl_keyboard::keymap fd is shared and can be modified
from any client
Product: Wayland
Version: unspecified
Hardware: All
OS: All
Status: NEW
Severity: major
Priority: medium
Component: weston
Assignee: [email protected]
Reporter: [email protected]
Created attachment 132248
--> https://bugs.freedesktop.org/attachment.cgi?id=132248&action=edit
Minimal example that makes the keymap invalid
The xkb keymap is sent to clients using the wl_keyboard::keymap() event that
includes a file descriptor that should be mmap()ed and then given to
xkb_keymap_new_from_string.
Although there is commonly no reason to do so, the fd can be mmap()ed with
PROT_WRITE and MAP_SHARED flags, so the client can modify it. Since weston only
uses one global fd that it shares with all clients, changes to the mmap()ed
keymap are visible to other clients until the compositor changes keymap and
thus resets the fd. This means that the keymap can be made invalid or replaced
altogether. As the change is not announced by the compositor, this will only
apply to newly started clients. Qt apps seem to crash at start when the keymap
is invalid.
This is definitely a bug and potentially a security hole because the Wayland
protocol was designed specifically such that clients cannot interfere with each
other.
As a result of discussing this in IRC, the possibilities here seem to be:
* Reopen the file descriptor read-only before handing it out to clients. For
this to work, the unlink() call on the temporary file will have to be delayed
until after the reopen.
* Use memfd_create() and seal the file descriptor. This requires Linux >= 3.17.
memfd is generally desirable because it eliminates the race where other
applications can grab the temporary file before it is unlinked.