[PATCH 08/10] Add support for MIT-SHM AttachFd request

Kristian Høgsberg krh at bitplanet.net
Fri Nov 1 18:14:21 CET 2013


On Fri, Nov 1, 2013 at 12:37 AM, Keith Packard <keithp at keithp.com> wrote:
> Kristian Høgsberg <krh at bitplanet.net> writes:
>
>> On Thu, Oct 31, 2013 at 3:43 PM, Keith Packard <keithp at keithp.com> wrote:
>>> This passes a file descriptor from the client to the server, which is
>>> then mmap'd
>>
>> A problem we recently hit in wayland, which also affects this
>> extension is that a client can set up shared memory like this and the
>> truncate the tmp file to 0.  When the server then tries to access the
>> mapped memory it dies with SIGBUS.  We're planning on handling this
>> case by installing a SIGBUS handler that flags the error, maps
>> /dev/zero over the faulting mmap area and then lets the access
>> continue.  We'll wrap access the the map with call to begin/end access
>> functions and in the end_access function we check the flag to see if
>> the access cause a fault and kill the client in that case.
>
> Thanks; I'll have to think about how to handle this in the X server
> case.

Just so we're clear, what I'm saying above is that this request can be
trivially exploited by any client to crash the X server with SIGBUS.

Kristian


More information about the xorg-devel mailing list