|
|
f4a46c |
From e5e8586a12a3ec915673edffa10dc8fe5e15dac3 Mon Sep 17 00:00:00 2001
|
|
|
f4a46c |
From: Olivier Fourdan <ofourdan@redhat.com>
|
|
|
f4a46c |
Date: Wed, 6 Dec 2023 12:09:41 +0100
|
|
|
f4a46c |
Subject: [PATCH 8/9] glx: Call XACE hooks on the GLX buffer
|
|
|
f4a46c |
|
|
|
f4a46c |
The XSELINUX code will label resources at creation by checking the
|
|
|
f4a46c |
access mode. When the access mode is DixCreateAccess, it will call the
|
|
|
f4a46c |
function to label the new resource SELinuxLabelResource().
|
|
|
f4a46c |
|
|
|
f4a46c |
However, GLX buffers do not go through the XACE hooks when created,
|
|
|
f4a46c |
hence leaving the resource actually unlabeled.
|
|
|
f4a46c |
|
|
|
f4a46c |
When, later, the client tries to create another resource using that
|
|
|
f4a46c |
drawable (like a GC for example), the XSELINUX code would try to use
|
|
|
f4a46c |
the security ID of that object which has never been labeled, get a NULL
|
|
|
f4a46c |
pointer and crash when checking whether the requested permissions are
|
|
|
f4a46c |
granted for subject security ID.
|
|
|
f4a46c |
|
|
|
f4a46c |
To avoid the issue, make sure to call the XACE hooks when creating the
|
|
|
f4a46c |
GLX buffers.
|
|
|
f4a46c |
|
|
|
f4a46c |
Credit goes to Donn Seeley <donn@xmission.com> for providing the patch.
|
|
|
f4a46c |
|
|
|
f4a46c |
CVE-2024-0408
|
|
|
f4a46c |
|
|
|
f4a46c |
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
|
|
|
f4a46c |
Acked-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
|
f4a46c |
---
|
|
|
f4a46c |
glx/glxcmds.c | 8 ++++++++
|
|
|
f4a46c |
1 file changed, 8 insertions(+)
|
|
|
f4a46c |
|
|
|
f4a46c |
diff --git a/glx/glxcmds.c b/glx/glxcmds.c
|
|
|
f4a46c |
index fc26a2e34..1e46d0c72 100644
|
|
|
f4a46c |
--- a/glx/glxcmds.c
|
|
|
f4a46c |
+++ b/glx/glxcmds.c
|
|
|
f4a46c |
@@ -48,6 +48,7 @@
|
|
|
f4a46c |
#include "indirect_util.h"
|
|
|
f4a46c |
#include "protocol-versions.h"
|
|
|
f4a46c |
#include "glxvndabi.h"
|
|
|
f4a46c |
+#include "xace.h"
|
|
|
f4a46c |
|
|
|
f4a46c |
static char GLXServerVendorName[] = "SGI";
|
|
|
f4a46c |
|
|
|
f4a46c |
@@ -1392,6 +1393,13 @@ DoCreatePbuffer(ClientPtr client, int screenNum, XID fbconfigId,
|
|
|
f4a46c |
if (!pPixmap)
|
|
|
f4a46c |
return BadAlloc;
|
|
|
f4a46c |
|
|
|
f4a46c |
+ err = XaceHook(XACE_RESOURCE_ACCESS, client, glxDrawableId, RT_PIXMAP,
|
|
|
f4a46c |
+ pPixmap, RT_NONE, NULL, DixCreateAccess);
|
|
|
f4a46c |
+ if (err != Success) {
|
|
|
f4a46c |
+ (*pGlxScreen->pScreen->DestroyPixmap) (pPixmap);
|
|
|
f4a46c |
+ return err;
|
|
|
f4a46c |
+ }
|
|
|
f4a46c |
+
|
|
|
f4a46c |
/* Assign the pixmap the same id as the pbuffer and add it as a
|
|
|
f4a46c |
* resource so it and the DRI2 drawable will be reclaimed when the
|
|
|
f4a46c |
* pbuffer is destroyed. */
|
|
|
f4a46c |
--
|
|
|
f4a46c |
2.43.0
|
|
|
f4a46c |
|