Bug 727893 - mutter crashes with malicious buffer
Status: RESOLVED FIXED
Product: mutter
Classification: Core
Component: wayland
Version: git master
OS: Other Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assigned To: mutter-maint
QA Contact: mutter-maint
Depends on:
Blocks:
Reported: 2014-04-09 13:10 UTC by Marek Chalupa
Modified: 2015-01-10 00:40 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
Testing program (5.61 KB, text/plain) - 2015-01-09 15:26 UTC, Marek Chalupa
Seal buffer when accessing it (1.70 KB, patch) - 2015-01-09 15:27 UTC, Marek Chalupa - review status: none
Seal buffer when accessing it (2.17 KB, patch) - 2015-01-09 15:33 UTC, Marek Chalupa - review status: committed

Description Marek Chalupa 2014-04-09 13:10:33 UTC
Hey,

When a client creates a buffer and then truncates its size to 0 (and mutter then tries to use it), mutter gets SIGBUS and is killed instead of sending an error to the client.
This is one of Weston's test cases (bad-buffer-test.c).
(I ran it using https://github.com/mchalupa/mutter/tree/tests2)

Regards,
Marek Chalupa
Comment 1 Jasper St. Pierre (not reading bugmail) 2014-12-29 06:45:06 UTC
We should start enforcing buffers being sealed and fix up all clients.
Comment 2 Marek Chalupa 2015-01-09 15:26:52 UTC
Created attachment 294163 (Testing program)

This program creates a buffer, truncates it and commits it; this leads to a mutter crash.
Comment 3 Marek Chalupa 2015-01-09 15:27:31 UTC
Created attachment 294164 (patch: Seal buffer when accessing it)
Comment 4 Marek Chalupa 2015-01-09 15:33:20 UTC
Created attachment 294166 (patch: Seal buffer when accessing it)
Comment 5 Jasper St. Pierre (not reading bugmail) 2015-01-10 00:40:44 UTC
Pushed with a few changes. I added shm_buffer tests around the code for the Cogl textures, since they might not be SHM buffers. I also added begin_access / end_access guards around the corresponding code in the cursor management code as well.
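The failure mode in the original report (a client shrinks the file behind a committed wl_shm buffer, so the compositor's next read of the mapping raises SIGBUS) and the begin_access/end_access guards mentioned in comment 5, as an added example. This is not mutter's or libwayland's code; it is a stand-alone Linux program whose struct and function names are its own. It runs both sides in one process: a "client" and a "compositor" map the same memfd, the client fills the buffer and then truncates the file to 0, and the compositor reads it. Two defences are shown: sealing the fd with F_SEAL_SHRINK so the truncate is refused (this only works if the client created the fd with MFD_ALLOW_SEALING, which a compositor cannot assume), and trapping SIGBUS around the read, remapping the dead pages with zero-filled anonymous memory and reporting the fault afterwards so the compositor can post a protocol error instead of dying, which is what libwayland's wl_shm_buffer_begin_access()/wl_shm_buffer_end_access() do.

```c
/* Added example: not mutter or libwayland code.  Linux only (memfd_create,
 * file seals).  All names below are the example's own. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef MFD_ALLOW_SEALING
#define MFD_ALLOW_SEALING 2U
#endif
#ifndef F_ADD_SEALS
#define F_ADD_SEALS 1033
#define F_SEAL_SHRINK 0x0002
#endif

/* The compositor's view of one client shm buffer. */
struct shm_buffer {
    void *data;
    size_t size;
};

static struct shm_buffer *in_access;       /* buffer being read right now */
static volatile sig_atomic_t fault_seen;   /* a SIGBUS landed inside it */
static struct sigaction saved_sigbus;

static void on_sigbus(int sig, siginfo_t *si, void *uctx)
{
    (void)sig; (void)uctx;
    uintptr_t a = (uintptr_t)si->si_addr;
    if (in_access && a >= (uintptr_t)in_access->data &&
        a < (uintptr_t)in_access->data + in_access->size) {
        /* Cover the now-missing file pages with zero-filled anonymous pages so
         * the faulting load can be retried; end_access() reports the damage. */
        if (mmap(in_access->data, in_access->size, PROT_READ | PROT_WRITE,
                 MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0) != MAP_FAILED) {
            fault_seen = 1;
            return;
        }
    }
    signal(SIGBUS, SIG_DFL);   /* not our buffer: die as we would have anyway */
    raise(SIGBUS);
}

static void begin_access(struct shm_buffer *b)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_sigbus;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    in_access = b;
    fault_seen = 0;
    sigaction(SIGBUS, &sa, &saved_sigbus);
}

/* 0 if the read was clean, -1 if the client had truncated the buffer
 * (the compositor should then post a protocol error, not crash). */
static int end_access(void)
{
    sigaction(SIGBUS, &saved_sigbus, NULL);
    in_access = NULL;
    return fault_seen ? -1 : 0;
}

/* Compositor work: sum the bytes, standing in for a texture upload. */
static int read_buffer(struct shm_buffer *b, unsigned long *sum)
{
    unsigned long s = 0;
    begin_access(b);
    for (size_t i = 0; i < b->size; i++)
        s += ((const unsigned char *)b->data)[i];
    *sum = s;
    return end_access();
}

/* Client commits a buffer of 0x01 bytes, then truncates the file to 0 before
 * the compositor reads it.  Returns read_buffer()'s verdict, -2 on setup error. */
static int run_scenario(int seal_first, unsigned long *sum)
{
    size_t size = 2 * (size_t)sysconf(_SC_PAGESIZE);
    int rc = -2;
    int fd = (int)syscall(SYS_memfd_create, "wl_shm_demo", MFD_ALLOW_SEALING);
    if (fd < 0 || ftruncate(fd, (off_t)size) < 0)
        return -2;
    unsigned char *client = mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    struct shm_buffer buf = { mmap(NULL, size, PROT_READ, MAP_SHARED, fd, 0), size };
    if (client == MAP_FAILED || buf.data == MAP_FAILED)
        goto out;
    memset(client, 1, size);                   /* client fills and "commits" */

    /* Defence 1: forbid shrinking.  Fails with EPERM unless the client created
     * the memfd with MFD_ALLOW_SEALING, so it cannot be the only defence. */
    if (seal_first && fcntl(fd, F_ADD_SEALS, F_SEAL_SHRINK) < 0)
        goto out;
    if (ftruncate(fd, 0) < 0 && errno != EPERM)   /* the hostile client */
        goto out;

    /* Defence 2: the SIGBUS guard around the read. */
    rc = read_buffer(&buf, sum);
out:
    if (client != MAP_FAILED) munmap(client, size);
    if (buf.data != MAP_FAILED) munmap(buf.data, size);
    close(fd);
    return rc;
}

int main(void)
{
    unsigned long sum = 0;
    int rc = run_scenario(0, &sum);
    printf("unsealed: read_buffer -> %d, sum %lu (%s)\n", rc, sum,
           rc == -1 ? "client truncated it; post a protocol error" : "unexpected");
    rc = run_scenario(1, &sum);
    printf("sealed:   read_buffer -> %d, sum %lu (truncate was refused)\n", rc, sum);
    return 0;
}
```

Without the guard, the first load from the truncated mapping in read_buffer() would be the SIGBUS that kills the compositor; with it, the loop completes over zeroed pages and end_access() returns -1, which is the point at which a real compositor posts an error to that one client. Note that the guard is per-buffer and per-access, so every place the compositor touches shm pixel data (texture upload, cursor image reads) needs the same bracket, which is what comment 5 describes adding.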