[PATCH] Add a command line argument for disabling indirect GLX.

Wed Apr 23 09:52:17 PDT 2014

The attack surface for indirect GLX is huge, and it's of no use to
most people (if you get an indirect GL context, you're better served
by a immediate X error than actually trying to use an indirect GL
context and finding out that it doesn't support doing anything you
want, slowly).  This flag gives you a chance to disable indirect GLX
in environments where you just don't need it.

I put in both the '+' and '-' arguments right now, so that it's easy
to patch the value to change the default policy.

Signed-off-by: Eric Anholt <eric at anholt.net>
Acked-by: Julien Cristau <jcristau at debian.org>
---

I totally agreed with all the feedback.

 glx/glxcmds.c    | 11 +++++++++++
 include/opaque.h |  1 +
 os/utils.c       |  8 ++++++++
 3 files changed, 20 insertions(+)

diff --git a/glx/glxcmds.c b/glx/glxcmds.c
index 187e426..67a0618 100644
--- a/glx/glxcmds.c
+++ b/glx/glxcmds.c
@@ -275,6 +275,17 @@ DoCreateContext(__GLXclientState * cl, GLXContextID gcId,
      ** Allocate memory for the new context
      */
     if (!isDirect) {
+        /* Only allow creating indirect GLX contexts if allowed by
+         * server command line.  Indirect GLX is of limited use (since
+         * it's only GL 1.4), it's slower than direct contexts, and
+         * it's a massive attack surface for buffer overflow type
+         * errors.
+         */
+        if (!enableIndirectGLX) {
+            client->errorValue = isDirect;
+            return BadValue;
+        }
+
         /* Without any attributes, the only error that the driver should be
          * able to generate is BadAlloc.  As result, just drop the error
          * returned from the driver on the floor.
diff --git a/include/opaque.h b/include/opaque.h
index 6b8071c..a2c54aa 100644
--- a/include/opaque.h
+++ b/include/opaque.h
@@ -56,6 +56,7 @@ extern _X_EXPORT Bool explicit_display;
 extern _X_EXPORT int defaultBackingStore;
 extern _X_EXPORT Bool disableBackingStore;
 extern _X_EXPORT Bool enableBackingStore;
+extern _X_EXPORT Bool enableIndirectGLX;
 extern _X_EXPORT Bool PartialNetwork;
 extern _X_EXPORT Bool RunFromSigStopParent;
 
diff --git a/os/utils.c b/os/utils.c
index 83d85cd..bc5e7df 100644
--- a/os/utils.c
+++ b/os/utils.c
@@ -194,6 +194,8 @@ Bool noGEExtension = FALSE;
 
 Bool CoreDump;
 
+Bool enableIndirectGLX = TRUE;
+
 #ifdef PANORAMIX
 Bool PanoramiXExtensionDisabledHack = FALSE;
 #endif
@@ -538,6 +540,8 @@ UseMsg(void)
     ErrorF("-fn string             default font name\n");
     ErrorF("-fp string             default font path\n");
     ErrorF("-help                  prints message with these options\n");
+    ErrorF("+iglx                  Allow creating indirect GLX contexts (default)\n");
+    ErrorF("-iglx                  Prohibit creating indirect GLX contexts\n");
     ErrorF("-I                     ignore all remaining arguments\n");
 #ifdef RLIMIT_DATA
     ErrorF("-ld int                limit data space to N Kb\n");
@@ -784,6 +788,10 @@ ProcessCommandLine(int argc, char *argv[])
             UseMsg();
             exit(0);
         }
+        else if (strcmp(argv[i], "+iglx") == 0)
+            enableIndirectGLX = TRUE;
+        else if (strcmp(argv[i], "-iglx") == 0)
+            enableIndirectGLX = FALSE;
         else if ((skip = XkbProcessArguments(argc, argv, i)) != 0) {
             if (skip > 0)
                 i += skip - 1;
-- 
1.9.2

