Skip to content

wayland/keyboard: Use write() instead of mmapped address to write file

When starting an application on Wayland we store its keymap file in /tmp using mmap() to map the file into virtual memory and strcpy() to write to the file. Now in case /tmp is filled up and the write fails (/tmp is usually mounted as a ramdisk, so that can easily happen), the shell crashes with SIGBUS when trying to call strcpy(). That's because mmap() does not check whether the space is actually available on the filesystem and gives us a chunk of virtual memory anyway even though writing to it is going to fail.

This allows for an easy denial-of-service attack, because /tmp is world-writeable, and as soon as it's filled up and the user tries to open a new application, the shell is going to crash.

To fix this, use write() instead of mmap() and strcpy() to write the string to the file: write() handles out-of-space errors gracefully and just returns an error instead of crashing.

Fixes gnome-shell#1734 (closed)

Edited by Jonas Dreßler

Merge request reports

Loading