From f2f0fbdb99076941602f1abf572d65a019d9f6f2 Mon Sep 17 00:00:00 2001
From: Eric Anholt <eric@anholt.net>
Date: Mon, 21 Apr 2014 17:03:07 -0700
Subject: Add a command line argument for disabling indirect GLX.

The attack surface for indirect GLX is huge, and it's of no use to
most people (if you get an indirect GL context, you're better served
by a immediate X error than actually trying to use an indirect GL
context and finding out that it doesn't support doing anything you
want, slowly).  This flag gives you a chance to disable indirect GLX
in environments where you just don't need it.

I put in both the '+' and '-' arguments right now, so that it's easy
to patch the value to change the default policy.

Signed-off-by: Eric Anholt <eric@anholt.net>
Acked-by: Julien Cristau <jcristau@debian.org>
---
 glx/glxcmds.c    | 10 ++++++++++
 include/opaque.h |  1 +
 os/utils.c       |  8 ++++++++
 3 files changed, 19 insertions(+)

diff --git a/glx/glxcmds.c b/glx/glxcmds.c
index 187e42665..ded7aca58 100644
--- a/glx/glxcmds.c
+++ b/glx/glxcmds.c
@@ -232,6 +232,16 @@ DoCreateContext(__GLXclientState * cl, GLXContextID gcId,
 
     LEGAL_NEW_RESOURCE(gcId, client);
 
+    /* Only allow creating indirect GLX contexts if allowed by server
+     * command line.  Indirect GLX is of limited use (since it's only
+     * GL 1.4), it's slower than direct contexts, and it's a massive
+     * attack surface for buffer overflow type errors.
+     */
+    if (!enableIndirectGLX && !isDirect) {
+        client->errorValue = isDirect;
+        return BadMatch;
+    }
+
     /*
      ** Find the display list space that we want to share.  
      **
diff --git a/include/opaque.h b/include/opaque.h
index 6b8071c5b..a2c54aa6a 100644
--- a/include/opaque.h
+++ b/include/opaque.h
@@ -56,6 +56,7 @@ extern _X_EXPORT Bool explicit_display;
 extern _X_EXPORT int defaultBackingStore;
 extern _X_EXPORT Bool disableBackingStore;
 extern _X_EXPORT Bool enableBackingStore;
+extern _X_EXPORT Bool enableIndirectGLX;
 extern _X_EXPORT Bool PartialNetwork;
 extern _X_EXPORT Bool RunFromSigStopParent;
 
diff --git a/os/utils.c b/os/utils.c
index 83d85cdda..bc5e7df4d 100644
--- a/os/utils.c
+++ b/os/utils.c
@@ -194,6 +194,8 @@ Bool noGEExtension = FALSE;
 
 Bool CoreDump;
 
+Bool enableIndirectGLX = TRUE;
+
 #ifdef PANORAMIX
 Bool PanoramiXExtensionDisabledHack = FALSE;
 #endif
@@ -538,6 +540,8 @@ UseMsg(void)
     ErrorF("-fn string             default font name\n");
     ErrorF("-fp string             default font path\n");
     ErrorF("-help                  prints message with these options\n");
+    ErrorF("+iglx                  Allow creating indirect GLX contexts (default)\n");
+    ErrorF("-iglx                  Prohibit creating indirect GLX contexts\n");
     ErrorF("-I                     ignore all remaining arguments\n");
 #ifdef RLIMIT_DATA
     ErrorF("-ld int                limit data space to N Kb\n");
@@ -784,6 +788,10 @@ ProcessCommandLine(int argc, char *argv[])
             UseMsg();
             exit(0);
         }
+        else if (strcmp(argv[i], "+iglx") == 0)
+            enableIndirectGLX = TRUE;
+        else if (strcmp(argv[i], "-iglx") == 0)
+            enableIndirectGLX = FALSE;
         else if ((skip = XkbProcessArguments(argc, argv, i)) != 0) {
             if (skip > 0)
                 i += skip - 1;
-- 
cgit v1.2.3