-
Notifications
You must be signed in to change notification settings - Fork 80
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
shm::RawPool
is not safe if used with screencopy
#320
Comments
I guess we could make RawPool's slice methods to be unsafe. This would mean io::Read and io::Write would need to go of course. I'd probably avoid trying to insert slot based access checking in RawPool. We have SlotPool for that |
Note that if we wanted to be completely strict with safety, we could not allow access via safe The same is true on the compositor side; while the protocol does forbid clients from modifying a buffer that is attached (prior to the release event), the compositor has even less reason to trust clients, and so likely should not expose the shm area as a Exposing all shared memory as |
Yep. On the compositor side, I tried to improve this a bit with Smithay/smithay#851. Though further auditing of the code dealing with shm mappings is welcome. The compositor should attempt to be secure against malicious clients. On the client side, it is mostly reasonable, if not ideal, for the client to trust the compositor it is connected to. Not being able to use normal slices isn't really a viable option for providing an ergonomic and performant API for something like Softbuffer. What we might be able to do, though, is get better security with platform specific mechanisms.
That sounds viable here, as long as the client only needs a single mapping and not a writable fd. And you never want the buffer to be written to by the server (so not for screencopy). FreeBSD doesn't seem to have that option, but there is https://man.freebsd.org/cgi/man.cgi?cap_rights_limit. From the man page, it's unclear to me if that only works for a process in "capability mode" or if it's a separate feature often used together with that. |
Note that using |
Yeah, true. I forgot about that part. I think that's why I haven't tried to use it. I'm not aware of any Linux API that would allow the client to resize the shm buffer, while not allowing the server to read from it. Though it seems like something that should exist. |
There is a proposal upstream which would actually remove resizing in a future version of the protocol: https://gitlab.freedesktop.org/wayland/wayland/-/merge_requests/161 |
I guess (at least on Linux) a client could just allocate a memfd much larger than it needs, and never resize the pool. I'm not sure there's any harm in doing that. I believe it won't actually allocate that much physical memory, and will just map in a zeroed page for reads, and than trap on writes and map in new pages as needed. |
I expect if that protocol change was merged, we would need to have the pool re-submit the memfd and create a new shm object to implement resize. That would only cause problems if applications held on to the pool object, which is not likely. |
shm::RawPool
allows reading and writing memory in the pool, or accessing it as a slice, while that memory is part of awl_buffer::WlBuffer
.This doesn't produce any soundness issues (on the client side) when the buffer is attached to a surface, but with screencopy the server rights to the buffer. And generated bindings for a protocol like that also don't mark methods as
unsafe
, so this allows UB with safe code.Potentially this could also cause soundness issues on the compositor side (with screencopy or attaching to a surface). Which is difficult to deal with since it should handle broken or malicious clients....
The API should probably either make certain things
unsafe
or ensure it's impossible to construct a slice from memory that is part of awl_buffer
.The text was updated successfully, but these errors were encountered: