oss-sec mailing list archives

Re: xscreensaver package caps gets raw socket


From: Solar Designer <solar () openwall com>
Date: Sun, 18 Apr 2021 14:51:52 +0200

On Sat, Apr 17, 2021 at 09:51:38PM -0300, Érico Nogueira wrote:
On 17/04/2021 11:31, Tavis Ormandy wrote:
Summary of discussion so far:

- In theory, mesa supports running in a privileged context; their
  documentation says they disable dangerous features in setuid/setgid
  binaries:

    https://mesa-docs.readthedocs.io/en/latest/egl.html

  In fact, this is broken because they only check if (geteuid() !=
  getuid()) { ... }. That check doesn't even handle setgid, let alone file
  caps. If mesa agree this is a bug, simply changing their checks to if
  (getauxval(AT_SECURE)) { ... } might make this bug go away, and handle
  file caps and setgid for free. I filed a bug for that, but there
  hasn't been a response:
  https://gitlab.freedesktop.org/mesa/mesa/-/issues/4549

The linked issue appears to be private... Not sure it makes sense, since 
the problem has been explained in this public email. FWIW, libglvnd has 
the same issue, though it at least checks (E)GID as well. Sending it here 
because I couldn't find a security contact.

https://github.com/NVIDIA/libglvnd/blob/acc654454867c7cdd681cc1f60f858bcd6e5e729/src/EGL/libeglvendor.c

    if (getuid() == geteuid() && getgid() == getegid()) {
        env = getenv("__EGL_VENDOR_LIBRARY_FILENAMES");
    }

I will look into opening an issue with them and finding a fix.

Related:

https://www.openwall.com/lists/oss-security/2019/12/04/6

"search for LIBGL_DRIVERS_PATH finds that Mesa appears to have the same
issue, and it also finds that we should also search for GBM_DRIVERS_PATH
(apparently, for older Mesa) and maybe EGL_DRIVERS_PATH and EGL_DRIVER,
and LIBVA_DRIVERS_PATH and LIBVA_DRIVER_NAME.  There are probably more."

Using `secure_getenv` in some of these cases would probably work as well 
as checking `getauxval(AT_SECURE)`, especially because it seems (from my 
quick search over at <https://man.bsd.lv>) that both are Linux specific 
anyway.

It would be nice to define a `is_privileged_context()` function that 
works on most platforms to be shared across projects or used as a 
library.

Historically, that's __libc_enable_secure on glibc (although if
secure_getenv() does what's needed in a given context, then you don't
need to use __libc_enable_secure directly) and issetugid(2) on OpenBSD.

Alexander
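The `is_privileged_context()` helper Érico asks for, written out as an added example; this is my own code, not Mesa's, libglvnd's, or anything posted in the thread. It reads AT_SECURE via getauxval(3) on Linux, issetugid(2) on the BSDs and macOS, and falls back to the real-vs-effective ID comparison elsewhere. The names `privileged_by_ids()`, `naive_privileged_by_ids()` (a mirror of the Mesa check quoted above, kept only for comparison), `driver_env()` and the `EXAMPLE_DRIVERS_PATH` variable are assumptions made up for the demo; the scenarios in main() are constructed. The file-capabilities case is the one the naive check misses: real and effective IDs are equal, yet the kernel reports a secure exec.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#if defined(__linux__)
#include <sys/auxv.h>   /* getauxval(), AT_SECURE (glibc >= 2.16, musl, bionic) */
#endif

/* The check quoted in the thread for Mesa, kept only for comparison:
 * real vs. effective UID. It misses setgid and file capabilities. */
int naive_privileged_by_ids(uid_t ruid, uid_t euid)
{
    return ruid != euid;
}

/* Pure decision helper, so every case can be exercised without actually
 * being setuid. at_secure is what the platform reports for a "secure exec"
 * (AT_SECURE on Linux, issetugid() on the BSDs); pass 0 where unknown. */
int privileged_by_ids(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid,
                      unsigned long at_secure)
{
    if (at_secure)
        return 1;   /* setuid, setgid, file caps, or an LSM-forced secure exec */
    /* Fallback for platforms without a secure-exec flag. This cannot see
     * file capabilities, because those leave ruid == euid and rgid == egid. */
    return ruid != euid || rgid != egid;
}

/* Ask the platform whether this process was started with raised privileges. */
static unsigned long current_secure_exec(void)
{
#if defined(__linux__)
    return getauxval(AT_SECURE);
#elif defined(__OpenBSD__) || defined(__FreeBSD__) || defined(__NetBSD__) || \
      defined(__DragonFly__) || defined(__APPLE__)
    return (unsigned long)issetugid();
#else
    return 0;   /* unknown platform: rely on the ID comparison only */
#endif
}

int is_privileged_context(void)
{
    return privileged_by_ids(getuid(), geteuid(), getgid(), getegid(),
                             current_secure_exec());
}

/* Hypothetical loader helper: honour a driver-path override from the
 * environment only when the process is not privileged. On glibc this is
 * exactly the gate secure_getenv(3) applies. */
const char *driver_env(const char *name)
{
    if (is_privileged_context())
        return NULL;
    return getenv(name);
}

int main(void)
{
    /* Constructed scenarios: (ruid, euid, rgid, egid, secure-exec flag). */
    printf("file caps, naive check:  %d\n", naive_privileged_by_ids(1000, 1000));
    printf("file caps, hardened:     %d\n", privileged_by_ids(1000, 1000, 1000, 1000, 1));
    printf("setgid, naive check:     %d\n", naive_privileged_by_ids(1000, 1000));
    printf("setgid, hardened:        %d\n", privileged_by_ids(1000, 1000, 1000, 27, 0));
    printf("this process privileged: %d\n", is_privileged_context());

    /* EXAMPLE_DRIVERS_PATH is a made-up variable name for the demo. */
    setenv("EXAMPLE_DRIVERS_PATH", "/opt/drivers", 1);
    const char *p = driver_env("EXAMPLE_DRIVERS_PATH");
    printf("driver path override:    %s\n", p ? p : "(ignored)");
    return 0;
}
```

Run it as a normal user and the override is honoured; install the binary with `setcap cap_net_raw+ep` (the xscreensaver situation that started the thread) and `driver_env()` returns NULL while `naive_privileged_by_ids()` would still say the process is unprivileged. The ID comparison is kept as the fallback because AT_SECURE is the authoritative signal only where the kernel sets it; a process that changed its own IDs after a non-secure exec is also treated as privileged, which is the conservative choice for a loader.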

