server: Add API to protect access to an SHM buffer

Graphics / Wayland / Wayland - Neil Roberts [linux.intel.com] - 13 November 2013 18:31 UTC

Linux will let you mmap a region of a file that is larger than the size of the file. If you then try to read from that region the process will get a SIGBUS signal. Currently the clients can use this to crash a compositor because it can create a pool and lie about the size of the file which will cause the compositor to try and read past the end of it. The compositor can't simply check the size of the file to
verify that it is big enough because then there is a race condition where the client may truncate the file after the check is performed.

This patch adds the following two public functions in the server API which can be used wrap access to an SHM buffer:

void wl_shm_buffer_begin_access(struct wl_shm_buffer *buffer);
void wl_shm_buffer_end_access(struct wl_shm_buffer *buffer);

The first time wl_shm_buffer_begin_access is called a signal handler for SIGBUS will be installed. If the signal is caught then the buffer for the current pool is remapped to an anonymous private buffer at the same address which allows the compositor to continue without crashing. The end_access function will then post an error to the buffer resource.

The current pool is stored as part of some thread-local storage so that multiple threads can safely independently access separate buffers.

Eventually we may want to add some more API so that compositors can hook into the signal handler or replace it entirely if they also want to do some SIGBUS handling.

cf4f599 server: Add API to protect access to an SHM buffer
src/wayland-server.h | 6 +++
src/wayland-shm.c | 131 ++++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 137 insertions(+)

Upstream: cgit.freedesktop.org

  • Share