After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.
Bug 784206 - wl_keyboard::keymap fd is shared and can be modified from any client
wl_keyboard::keymap fd is shared and can be modified from any client
Status: RESOLVED FIXED
Product: mutter
Classification: Core
Component: wayland
git master
Other All
: Normal major
: ---
Assigned To: mutter-maint
mutter-maint
Depends on:
Blocks:
 
 
Reported: 2017-06-26 10:12 UTC by 28872d13
Modified: 2018-10-02 09:35 UTC
See Also:
GNOME target: ---
GNOME version: ---

Attachments
Minimal example that makes the keymap invalid (1.32 KB, text/x-csrc)
2017-06-26 10:12 UTC, 28872d13 		  Details
Minimal example that makes the keymap invalid (1.33 KB, text/x-csrc)
2017-06-26 12:50 UTC, 28872d13 		  Details
wayland/keyboard: Don't send writable keymap fd to clients (5.67 KB, patch)
2017-06-26 14:29 UTC, Jonas Ådahl 		rejected Details | Review
wayland/keyboard: Create a separate keymap shm file per resource (8.10 KB, patch)
2017-06-29 04:34 UTC, Jonas Ådahl 		committed Details | Review

Description 28872d13 2017-06-26 10:12:56 UTC 
Created attachment 354498 [details]
Minimal example that makes the keymap invalid

I've had some issues on mutter/Wayland with clients randomly reverting to US-English layout with xkb keymap parse errors. I think that this is the root cause.

The xkb keymap is sent to clients using the wl_keyboard::keymap() event that includes a file descriptor that should be mmap()ed and then given to xkb_keymap_new_from_string.

Although there is commonly no reason to do so, the fd can be mmap()ed with PROT_WRITE and MAP_SHARED flags, so the client can modify it. Since mutter only uses one global fd that it shares with all clients, changes to the mmap()ed keymap are visible to other clients until the compositor changes keymap and thus resets the fd. This means that the keymap can be made invalid or replaced altogether. As the change is not announced by the compositor, this will only apply to newly started clients. Qt apps seem to crash at start when the keymap is invalid.

This is definitely a bug and potentially a security hole because the Wayland protocol was designed specifically such that clients cannot interfere with each other.

See https://bugs.freedesktop.org/show_bug.cgi?id=101595 for weston bug
Comment 1 28872d13 2017-06-26 12:50:39 UTC 
Created attachment 354502 [details]
Minimal example that makes the keymap invalid

Uploaded wrong version of the test program, sorry
Comment 2 Jonas Ådahl 2017-06-26 14:29:50 UTC 
Created attachment 354507 [details] [review]
wayland/keyboard: Don't send writable keymap fd to clients

Don't send a writable keymap fd to clients, as they would be able to
alter the memory of the keymap server side, causing memory corruption.
As the same piece of memory was sent to each client, this would
effectively let an abusive client have indirect write access to the
mmap:ed keymap memory of another client.

For now, solve this by re-opening the temporary file read-only before
unlinking, and instead send the read-only file descriptor to the
clients.

This will cause non-abusive clients who by mistake mmap:ed the keymap fd
with PROT_WRITE to fail reading the keymap data.
Comment 3 Daniel Stone 2017-06-27 12:12:35 UTC 
I really dislike that this involves leaving named temporary files around longer, but don't see any way around this. We can't use memfd + write seal (which would otherwise be perfect) for this, because memfd precludes MAP_SHARED mappings, so this would break every client out there.
Comment 4 Jonas Ådahl 2017-06-27 15:27:35 UTC 
(In reply to Daniel Stone from comment #3)
> I really dislike that this involves leaving named temporary files around
> longer, but don't see any way around this. We can't use memfd + write seal
> (which would otherwise be perfect) for this, because memfd precludes
> MAP_SHARED mappings, so this would break every client out there.

I could open the read-only fd and unlink earlier than in the patch, but will it make much difference?
Comment 5 Jonas Ådahl 2017-06-29 04:33:13 UTC 
Review of attachment 354507 [details] [review]:

Doing this is not enough, since a client can chmod and reopen the fd any way it wants via /proc/<pid>/<fd>, even from within flatpak.
Comment 6 Jonas Ådahl 2017-06-29 04:34:01 UTC 
Created attachment 354669 [details] [review]
wayland/keyboard: Create a separate keymap shm file per resource

By using the shm file when sending the keymap to all clients, we
effectively allows any client to change the keymap, as any client has
the ability to change the content of the file. Sending a read-only file
descriptor, or making the file itself read-only before unlinking, can
be worked around by the client by using chmod(2) and open(2) on
/proc/<pid>/<fd>.

Using memfd could potentially solve this issue, but as the usage of
mmap with MAP_SHARED is wide spread among clients, such a change can
not be introduced without causing wide spread compatibility issues.

So, to avoid allowing clients to interfere with each other, create a
separate shm file for each wl_keyboard resource when sending the
keymap. We could eventually do this per client, but in most cases,
there will only be one wl_keyboard resource per client anyway.
Comment 7 Rui Matos 2017-07-07 10:27:49 UTC 
Review of attachment 354669 [details] [review]:

looks good
Comment 8 Jonas Ådahl 2018-08-17 14:08:59 UTC 
The idea is to land this now-ish, and I'll put it on both master and gnome-3-28. Whether it is worthy a release or not I'm not sure.
Comment 9 Daniel Stone 2018-08-17 14:32:35 UTC 
Flatpak probably means it is worth a release?
Comment 10 Jonas Ådahl 2018-08-17 14:36:58 UTC 
Attachment 354669 [details] pushed as 21ce6f9 - wayland/keyboard: Create a separate keymap shm file per resource
Comment 11 Jonas Ådahl 2018-08-17 14:44:45 UTC 
On gnome-3-28 as well now.