Summary: | Xorg crashes in SecurityResource() when client that created resource has exited
---|---
Product: | xorg
Component: | Server/General
Version: | git
Hardware: | Other
OS: | All
Status: | RESOLVED FIXED
Severity: | normal
Priority: | medium
Reporter: | Alan Coopersmith <alan.coopersmith>
Assignee: | Xorg Project Team <xorg-team>
QA Contact: | Xorg Project Team <xorg-team>
CC: | brian.cameron, ewalsh

Description
Alan Coopersmith
2010-01-05 16:48:16 UTC
Created attachment 32466
patch to Xext/security.c from Xorg 1.7.3

This patch stops the crashes by failing any attempt to access the resources of an exited client - which is probably not the right solution, and doesn't solve the problem of checking the wrong client's private when a new client connects and gets the same id.

I'm not sure what needs to happen to resources like cursors left behind by exited clients to get the right security state.

I think the solution to this is to copy the trustLevel information into the object's own devPrivates. This is only possible when the resource object has a devPrivates field, so it is not a complete solution. However the Cursor object does have one, and I have not seen any similar crashes with the SELinux extension which uses the same method. Here is a patch that does this.

An alternative solution would be to not use devPrivates at all. Instead, a static array would hold the trustLevel for each client.

About the issue of a new client connecting and getting the same base ID: isn't this a problem to begin with, because the new client would end up owning the old resource?

Created attachment 32476
alternate patch to Xext/security.c

Patch that stores the trustLevel information in the resource object itself when possible. This will allow security checks to be made after the client structure has gone away (at least on resource objects that have a devPrivates field).

What is the status of this bug now? Is the patch committed?

> What is the status of this bug now? Is the patch committed?

A version of the simple crash prevention patch was committed for Xorg 1.9:
http://cgit.freedesktop.org/xorg/xserver/commit/?id=1c08a37e0eb4746e8974eb7a70ca4b7b84712963

Leaving the bug open to consider Eamon's better fix.
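
The two approaches discussed in this thread, as an added example that is not part of the bug report, the attached patches or the X server source: a simplified C model of a trust check that looks up the creating client versus one that reads a trust level stored on the object. Every name (`Client`, `Resource`, `check_via_owner`, `check_via_object`, `demo`), the trust values and the deny policy are assumptions made for the illustration.

```c
#include <stdio.h>
/* Simplified model, not X server code: every name here is hypothetical. */
enum { TRUSTED = 0, UNTRUSTED = 1 };        /* constructed trust levels */
enum { ACCESS_OK = 0, ACCESS_DENIED = 1 };

typedef struct { int trust; } Client;
typedef struct {
    int owner;        /* slot of the client that created the resource */
    int has_private;  /* 1 if the object can carry its own private data */
    int saved_trust;  /* creator's trust level, copied at creation */
} Resource;

static Client storage[4];
static Client *clients[4];                  /* NULL once a client has exited */

static void client_connect(int slot, int trust) {
    storage[slot].trust = trust;
    clients[slot] = &storage[slot];
}
static void client_exit(int slot) { clients[slot] = NULL; }

/* Assumed policy: an untrusted requester may not touch a trusted object. */
static int decide(int req_trust, int obj_trust) {
    return (req_trust == UNTRUSTED && obj_trust == TRUSTED) ? ACCESS_DENIED : ACCESS_OK;
}
/* Crash-prevention approach: fail the access when the creator is gone.
 * Without the NULL test, owner->trust is the dereference that crashes. */
static int check_via_owner(int req, const Resource *r) {
    const Client *owner = clients[r->owner];
    if (owner == NULL) return ACCESS_DENIED;
    return decide(clients[req]->trust, owner->trust);
}
/* Alternate approach: prefer the trust level stored on the object itself. */
static int check_via_object(int req, const Resource *r) {
    if (!r->has_private) return check_via_owner(req, r);
    return decide(clients[req]->trust, r->saved_trust);
}
/* stage 0: creator alive; 1: creator exited; 2: slot reused by untrusted client */
static int demo(int stage, int req, int via_object) {
    client_connect(1, TRUSTED); client_connect(2, UNTRUSTED); client_connect(3, TRUSTED);
    Resource cursor = { 1, 1, clients[1]->trust };
    if (stage >= 1) client_exit(1);
    if (stage >= 2) client_connect(1, UNTRUSTED);
    return via_object ? check_via_object(req, &cursor) : check_via_owner(req, &cursor);
}
int main(void) {
    for (int s = 0; s < 3; s++)
        printf("stage %d: owner=%d object=%d\n", s, demo(s, 2, 0), demo(s, 2, 1));
    return 0;
}
```

In this model the two checks diverge for the untrusted requester at stage 2: the owner lookup reads the trust level of the new client that reused the slot, while the level stored on the object is unchanged.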