
Security Advisory 12-004 – Qt Project Security Advisory

Vulnerability Title:

Qt System V shared memory segments created with insecure permissions.

Vulnerable System:

Qt Framework

Vulnerability discovery and development:

Portcullis Security Testing Services.

Credit for Discovery:

Tim Brown and Mark Lowe – Portcullis Computer Security Ltd.

Affected systems:

All known versions of Qt Framework for systems implementing System V shared memory; the vulnerability was discovered in version 4.8.x, however 5.0.0 was also found to be affected.


Qt applications such as those shipped with the KDE Software Compendium have been found to create System V shared memory segments with insecure permissions:

$ ipcs -a | grep 1474595
0x00000000 1474595    user        777        1024       2          dest
$ ipcs -p | grep 1474595
1474595    user        6120       6155
$ ps -aef | grep 6120
user       6120     1  0 Nov28 ?        00:02:49 /usr/bin/plasma-desktop

Initially, it was believed that the vulnerable code was part of the KDE Software Compendium; however, by running KDE applications under a debugger as follows:

Breakpoint 2, shmget () at ../sysdeps/unix/syscall-template.S:82
82 in ../sysdeps/unix/syscall-template.S
(gdb) bt
#0 shmget () at ../sysdeps/unix/syscall-template.S:82
#1 0x00007ffff613ac41 in ?? () from /usr/lib/x86_64-linux-gnu/
#2 0x00007ffff6252b9f in QRasterWindowSurface::prepareBuffer(QImage::Format, QWidget*) () from /usr/lib/x86_64-linux-gnu/
#3 0x00007ffff6252e07 in QRasterWindowSurface::setGeometry(QRect const&) () from 

It was possible to determine that the culprit was in fact Qt. Specifically, whilst it is obscured in this backtrace, the code path includes calls to QNativeImage(width, height, format, false, widget) which make use of the following code:

xshminfo.shmid = shmget(IPC_PRIVATE, xshmimg->bytes_per_line * xshmimg->height, IPC_CREAT | 0777);

Here, shmget() is called to implement Qt’s X11 protocol support for a shared buffer between the X server and the client. This method of IPC between X clients and servers allows for increased performance when rendering large pixmaps. As you can see, in this case shmget() is called with a mode of 0777, which maps to “rwx” for each of the user, group and other permission contexts. Since the X server is typically running as root, it is believed there should be no need for client applications which run with lesser privileges to create shared memory with these weakened permissions.

Whilst performing root cause analysis of the issue above, it was determined that the QSharedMemory and QSystemSemaphore classes also created shared memory segments (using shmget()) and semaphores (using semget()) with insecure permissions. An example of the affected code using QSharedMemory can be seen below:

#include <QSharedMemory>

// Create a 65535-byte segment keyed "test"; note that the ReadOnly access
// mode requested here is not reflected in the System V permission bits.
QSharedMemory *s = new QSharedMemory("test");
s->create(65535, QSharedMemory::ReadOnly);

Executing this code was found to result in the following shared memory segment being created:

$ ipcs -a
0x51001223 3047473    user        666        65535      0
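As an added example (not code from the advisory or from Qt), the following C program creates private System V segments with the two weak modes shown above, the 0777 used on the X11 shared-image path and the 0666 observed for QSharedMemory, beside an owner-only 0600 mode, and reads back each segment's permission bits with shmctl(IPC_STAT), the same bits ipcs reports as "perms". The 0600 value is an assumption about what a hardened call would use, not the mode chosen by the Qt patch.

```c
/* Added example, not from the advisory or the Qt code base: create System V
 * segments with the weak modes described above and audit their permission
 * bits via shmctl(IPC_STAT), which is what ipcs reports as "perms". */
#include <stdio.h>
#include <sys/ipc.h>
#include <sys/shm.h>
#include <sys/types.h>

#define X11_MODE   0777  /* mode in the QNativeImage shmget() call */
#define QSHM_MODE  0666  /* mode observed for QSharedMemory::create() */
#define OWNER_MODE 0600  /* owner-only; assumed, not the mode from the Qt patch */

/* Pure check on the permission bits: can group or other read or write? */
int mode_is_world_accessible(int mode) {
    return (mode & 0066) != 0;
}

/* Read back the effective permission bits of an existing segment, or -1. */
int segment_mode(int shmid) {
    struct shmid_ds ds;
    if (shmctl(shmid, IPC_STAT, &ds) == -1)
        return -1;
    return ds.shm_perm.mode & 0777;  /* strip SHM_DEST/SHM_LOCKED flag bits */
}

/* Create a private segment with `mode` (umask does not apply to shmget),
 * audit it, then mark it for removal (the "dest" flag seen in ipcs output).
 * Returns 1 if the segment is accessible beyond its owner, 0 if not,
 * -1 if the segment could not be created or inspected. */
int audit_mode(int mode) {
    int shmid = shmget(IPC_PRIVATE, 1024, IPC_CREAT | mode);
    if (shmid == -1)
        return -1;
    int actual = segment_mode(shmid);
    shmctl(shmid, IPC_RMID, NULL);
    if (actual < 0)
        return -1;
    return mode_is_world_accessible(actual);
}

int main(void) {
    printf("0777 exposed beyond owner: %d\n", audit_mode(X11_MODE));
    printf("0666 exposed beyond owner: %d\n", audit_mode(QSHM_MODE));
    printf("0600 exposed beyond owner: %d\n", audit_mode(OWNER_MODE));
    return 0;
}
```

The same IPC_STAT check can be run against a live segment id taken from ipcs, such as the 1474595 shown earlier, to confirm what an unprivileged local user can reach.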

Insecure permissions can be used by an attacker to tamper with previously created System V shared memory segments or to read their contents. In the context of the Qt Framework, it was determined that weak permissions on the created segments may allow for the disclosure or corruption of pixmaps (GUI artifacts) being transmitted to the X server. Whilst in principle this could allow more interesting memory corruption attacks to be performed, no such attacks have yet been found within the context of the Qt Framework.

With respect to the QSharedMemory classes, individual applications may be vulnerable to memory disclosure or corruption attacks depending on the context in which the created instances of these classes are used. Likewise, the states of QSystemSemaphore instances may be manipulated to affect the availability of the calling application, again depending on the context of use.


The proof of concept exploit code is available.

Vendor status:

29/11/2012 – vendor informed
03/12/2012 – issue disclosed to the Qt Security Team
20/12/2012 – patch created
15-25/01/2013 – patch applied to codelines
03/01/2013 – CVE-2013-0254 assigned by Red Hat Security Response Team
04/02/2013 – advisory released


Copyright © Portcullis Computer Security Limited 2013, All rights reserved worldwide.
Permission is hereby granted for the electronic redistribution of this information.
It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.


The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user’s risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.