On Fri, Nov 1, 2013 at 12:37 AM, Keith Packard <[email protected]> wrote:
> Kristian Høgsberg <[email protected]> writes:
>
>> On Thu, Oct 31, 2013 at 3:43 PM, Keith Packard <[email protected]> wrote:
>>> This passes a file descriptor from the client to the server, which is
>>> then mmap'd
>>
>> A problem we recently hit in wayland, which also affects this
>> extension is that a client can set up shared memory like this and then
>> truncate the tmp file to 0. When the server then tries to access the
>> mapped memory it dies with SIGBUS. We're planning on handling this
>> case by installing a SIGBUS handler that flags the error, maps
>> /dev/zero over the faulting mmap area and then lets the access
>> continue. We'll wrap access to the map with calls to begin/end access
>> functions and in the end_access function we check the flag to see if
>> the access caused a fault and kill the client in that case.
>
> Thanks; I'll have to think about how to handle this in the X server
> case.

Just so we're clear, what I'm saying above is that this request can be
trivially exploited by any client to crash the X server with SIGBUS.

Kristian
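
Added example (not part of the original thread, and not Wayland or X server code): a sketch of the mitigation described in the quoted message, with a SIGBUS handler that flags the fault and maps zero pages over the client's buffer, and begin/end access wrappers around the read. All function and variable names are hypothetical, the handler uses anonymous memory in place of /dev/zero, and the sketch assumes one guarded mapping and a single thread.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

/* Hypothetical names. One guarded mapping at a time, single-threaded. */
static char *volatile guard_base;
static volatile size_t guard_len;
static volatile sig_atomic_t guard_faulted;

static void on_sigbus(int sig, siginfo_t *si, void *ctx) {
    char *addr = si->si_addr;
    (void)sig; (void)ctx;
    if (!guard_base || addr < guard_base || addr >= guard_base + guard_len) {
        signal(SIGBUS, SIG_DFL);  /* not our mapping: the retried access is fatal */
        return;
    }
    /* Zero pages over the whole mapping (anonymous memory, same effect as /dev/zero). */
    if (mmap(guard_base, guard_len, PROT_READ | PROT_WRITE,
             MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0) == MAP_FAILED)
        _exit(1);
    guard_faulted = 1;
}

static void begin_access(void *base, size_t len) {
    guard_base = base; guard_len = len; guard_faulted = 0;
}
static int end_access(void) {  /* nonzero: the buffer faulted, kill the client */
    guard_base = NULL;
    return guard_faulted;
}

/* Constructed demo: returns 1 if the fault was flagged and the read saw zero. */
int demo_truncated_buffer(void) {
    struct sigaction sa = { .sa_sigaction = on_sigbus, .sa_flags = SA_SIGINFO };
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    FILE *f = tmpfile();
    volatile unsigned char *p;
    int faulted, first;
    if (!f || sigaction(SIGBUS, &sa, NULL) || ftruncate(fileno(f), (off_t)len)) return -1;
    p = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED, fileno(f), 0);
    if (p == MAP_FAILED || ftruncate(fileno(f), 0)) return -1;  /* client shrinks file */
    begin_access((void *)p, len);
    first = p[0];  /* raises SIGBUS; the handler remaps and the read returns 0 */
    faulted = end_access();
    munmap((void *)p, len); fclose(f);
    return faulted && first == 0;
}
int main(void) { printf("fault flagged: %d\n", demo_truncated_buffer()); return 0; }
```

In a multi-threaded server the guard state would have to be per-thread, and a fault outside any guarded access must stay fatal, which is why the handler restores the default action in that case.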
