summaryrefslogtreecommitdiffstats
path: root/meta
diff options
context:
space:
mode:
authorJoe Slater <joe.slater@windriver.com>2022-02-09 15:36:50 -0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2022-02-12 17:05:35 +0000
commitc5c9fa771d8e5d7f09dee20b4af248622ba2975d (patch)
tree12cba6da753e65abc95e4f4198279a5134edf5c1 /meta
parente56ac9e2290d7640e72551c0445d0f37856b0776 (diff)
downloadpoky-c5c9fa771d8e5d7f09dee20b4af248622ba2975d.tar.gz
virglrenderer: fix CVE-2022-0135 and -0175
CVE-2022-0135 concerns out-of-bounds writes in read_transfer_data(). CVE-2022-0175 concerns using malloc() instead of calloc(). We "cherry-pick" from upstream. The actual cherry-picks are from upstream master to branch-0.9.1 and are the patches entered here. (From OE-Core rev: 91f7511df79c5c1f93add9f2827a5a266453614e) Signed-off-by: Joe Slater <joe.slater@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r--meta/recipes-graphics/virglrenderer/virglrenderer/cve-2022-0135.patch117
-rw-r--r--meta/recipes-graphics/virglrenderer/virglrenderer/cve-2022-0175.patch107
-rw-r--r--meta/recipes-graphics/virglrenderer/virglrenderer_0.9.1.bb2
3 files changed, 226 insertions, 0 deletions
diff --git a/meta/recipes-graphics/virglrenderer/virglrenderer/cve-2022-0135.patch b/meta/recipes-graphics/virglrenderer/virglrenderer/cve-2022-0135.patch
new file mode 100644
index 0000000000..ae42dc8f6c
--- /dev/null
+++ b/meta/recipes-graphics/virglrenderer/virglrenderer/cve-2022-0135.patch
@@ -0,0 +1,117 @@
1From 63aee871365f9c9e7fa9125672302a0fb250d34d Mon Sep 17 00:00:00 2001
2From: Gert Wollny <gert.wollny@collabora.com>
3Date: Tue, 30 Nov 2021 09:16:24 +0100
4Subject: [PATCH 2/2] vrend: propperly check whether the shader image range is
5 correct
6
7Also add a test to check the integer underflow.
8
9Closes: #251
10Signed-off-by: Gert Wollny <gert.wollny@collabora.com>
11Reviewed-by: Chia-I Wu <olvaffe@gmail.com>
12
13cherry-pick from anongit.freedesktop.org/virglrenderer
14commit 2aed5d4...
15
16CVE: CVE-2022-0135
17Upstream-Status: Backport
18Signed-off-by: Joe Slater <joe.slater@windriver.com>
19
20---
21 src/vrend_decode.c | 3 +-
22 tests/test_fuzzer_formats.c | 57 +++++++++++++++++++++++++++++++++++++
23 2 files changed, 59 insertions(+), 1 deletion(-)
24
25diff --git a/src/vrend_decode.c b/src/vrend_decode.c
26index 91f5f24..6771b10 100644
27--- a/src/vrend_decode.c
28+++ b/src/vrend_decode.c
29@@ -1249,8 +1249,9 @@ static int vrend_decode_set_shader_images(struct vrend_context *ctx, const uint3
30 if (num_images < 1) {
31 return 0;
32 }
33+
34 if (start_slot > PIPE_MAX_SHADER_IMAGES ||
35- start_slot > PIPE_MAX_SHADER_IMAGES - num_images)
36+ start_slot + num_images > PIPE_MAX_SHADER_IMAGES)
37 return EINVAL;
38
39 for (uint32_t i = 0; i < num_images; i++) {
40diff --git a/tests/test_fuzzer_formats.c b/tests/test_fuzzer_formats.c
41index 154a2e5..e32caf0 100644
42--- a/tests/test_fuzzer_formats.c
43+++ b/tests/test_fuzzer_formats.c
44@@ -958,6 +958,61 @@ static void test_vrend_set_signle_abo_heap_overflow() {
45 virgl_renderer_submit_cmd((void *) cmd, ctx_id, 0xde);
46 }
47
48+static void test_vrend_set_shader_images_overflow()
49+{
50+ uint32_t num_shaders = PIPE_MAX_SHADER_IMAGES + 1;
51+ uint32_t size = num_shaders * VIRGL_SET_SHADER_IMAGE_ELEMENT_SIZE + 3;
52+ uint32_t cmd[size];
53+ int i = 0;
54+ cmd[i++] = ((size - 1)<< 16) | 0 << 8 | VIRGL_CCMD_SET_SHADER_IMAGES;
55+ cmd[i++] = PIPE_SHADER_FRAGMENT;
56+ memset(&cmd[i], 0, size - i);
57+
58+ virgl_renderer_submit_cmd((void *) cmd, ctx_id, size);
59+}
60+
61+/* Test adapted from yaojun8558363@gmail.com:
62+ * https://gitlab.freedesktop.org/virgl/virglrenderer/-/issues/250
63+*/
64+static void test_vrend_3d_resource_overflow() {
65+
66+ struct virgl_renderer_resource_create_args resource;
67+ resource.handle = 0x4c474572;
68+ resource.target = PIPE_TEXTURE_2D_ARRAY;
69+ resource.format = VIRGL_FORMAT_Z24X8_UNORM;
70+ resource.nr_samples = 2;
71+ resource.last_level = 0;
72+ resource.array_size = 3;
73+ resource.bind = VIRGL_BIND_SAMPLER_VIEW;
74+ resource.depth = 1;
75+ resource.width = 8;
76+ resource.height = 4;
77+ resource.flags = 0;
78+
79+ virgl_renderer_resource_create(&resource, NULL, 0);
80+ virgl_renderer_ctx_attach_resource(ctx_id, resource.handle);
81+
82+ uint32_t size = 0x400;
83+ uint32_t cmd[size];
84+ int i = 0;
85+ cmd[i++] = (size - 1) << 16 | 0 << 8 | VIRGL_CCMD_RESOURCE_INLINE_WRITE;
86+ cmd[i++] = resource.handle;
87+ cmd[i++] = 0; // level
88+ cmd[i++] = 0; // usage
89+ cmd[i++] = 0; // stride
90+ cmd[i++] = 0; // layer_stride
91+ cmd[i++] = 0; // x
92+ cmd[i++] = 0; // y
93+ cmd[i++] = 0; // z
94+ cmd[i++] = 8; // w
95+ cmd[i++] = 4; // h
96+ cmd[i++] = 3; // d
97+ memset(&cmd[i], 0, size - i);
98+
99+ virgl_renderer_submit_cmd((void *) cmd, ctx_id, size);
100+}
101+
102+
103 int main()
104 {
105 initialize_environment();
106@@ -980,6 +1035,8 @@ int main()
107 test_cs_nullpointer_deference();
108 test_vrend_set_signle_abo_heap_overflow();
109
110+ test_vrend_set_shader_images_overflow();
111+ test_vrend_3d_resource_overflow();
112
113 virgl_renderer_context_destroy(ctx_id);
114 virgl_renderer_cleanup(&cookie);
115--
1162.25.1
117
diff --git a/meta/recipes-graphics/virglrenderer/virglrenderer/cve-2022-0175.patch b/meta/recipes-graphics/virglrenderer/virglrenderer/cve-2022-0175.patch
new file mode 100644
index 0000000000..7fbab75091
--- /dev/null
+++ b/meta/recipes-graphics/virglrenderer/virglrenderer/cve-2022-0175.patch
@@ -0,0 +1,107 @@
1From 5ca7aca001092c557f0b6fc1ba3db7dcdab860b7 Mon Sep 17 00:00:00 2001
2From: Gert Wollny <gert.wollny@collabora.com>
3Date: Tue, 30 Nov 2021 09:29:42 +0100
4Subject: [PATCH 1/2] vrend: clear memory when allocating a host-backed memory
5 resource
6
7Closes: #249
8Signed-off-by: Gert Wollny <gert.wollny@collabora.com>
9Reviewed-by: Chia-I Wu <olvaffe@gmail.com>
10
11cherry-pick from anongit.freedesktop.org/virglrenderer
12commit b05bb61...
13
14CVE: CVE-2022-0175
15Upstream-Status: Backport
16Signed-off-by: Joe Slater <joe.slater@windriver.com>
17
18---
19 src/vrend_renderer.c | 2 +-
20 tests/test_virgl_transfer.c | 51 +++++++++++++++++++++++++++++++++++++
21 2 files changed, 52 insertions(+), 1 deletion(-)
22
23diff --git a/src/vrend_renderer.c b/src/vrend_renderer.c
24index b8b2a36..2650cf2 100644
25--- a/src/vrend_renderer.c
26+++ b/src/vrend_renderer.c
27@@ -6788,7 +6788,7 @@ vrend_resource_alloc_buffer(struct vrend_resource *gr, uint32_t flags)
28 if (bind == VIRGL_BIND_CUSTOM) {
29 /* use iovec directly when attached */
30 gr->storage_bits |= VREND_STORAGE_HOST_SYSTEM_MEMORY;
31- gr->ptr = malloc(size);
32+ gr->ptr = calloc(1, size);
33 if (!gr->ptr)
34 return -ENOMEM;
35 } else if (bind == VIRGL_BIND_STAGING) {
36diff --git a/tests/test_virgl_transfer.c b/tests/test_virgl_transfer.c
37index bf7f438..3c53c3d 100644
38--- a/tests/test_virgl_transfer.c
39+++ b/tests/test_virgl_transfer.c
40@@ -952,6 +952,56 @@ START_TEST(virgl_test_transfer_near_res_bounds_with_stride_succeeds)
41 }
42 END_TEST
43
44+START_TEST(test_vrend_host_backed_memory_no_data_leak)
45+{
46+ struct iovec iovs[1];
47+ int niovs = 1;
48+
49+ struct virgl_context ctx = {0};
50+
51+ int ret = testvirgl_init_ctx_cmdbuf(&ctx);
52+
53+ struct virgl_renderer_resource_create_args res;
54+ res.handle = 0x400;
55+ res.target = PIPE_BUFFER;
56+ res.format = VIRGL_FORMAT_R8_UNORM;
57+ res.nr_samples = 0;
58+ res.last_level = 0;
59+ res.array_size = 1;
60+ res.bind = VIRGL_BIND_CUSTOM;
61+ res.depth = 1;
62+ res.width = 32;
63+ res.height = 1;
64+ res.flags = 0;
65+
66+ uint32_t size = 32;
67+ uint8_t* data = calloc(1, size);
68+ memset(data, 1, 32);
69+ iovs[0].iov_base = data;
70+ iovs[0].iov_len = size;
71+
72+ struct pipe_box box = {0,0,0, size, 1,1};
73+
74+ virgl_renderer_resource_create(&res, NULL, 0);
75+ virgl_renderer_ctx_attach_resource(ctx.ctx_id, res.handle);
76+
77+ ret = virgl_renderer_transfer_read_iov(res.handle, ctx.ctx_id, 0, 0, 0,
78+ (struct virgl_box *)&box, 0, iovs, niovs);
79+
80+ ck_assert_int_eq(ret, 0);
81+
82+ for (int i = 0; i < 32; ++i)
83+ ck_assert_int_eq(data[i], 0);
84+
85+ virgl_renderer_ctx_detach_resource(1, res.handle);
86+
87+ virgl_renderer_resource_unref(res.handle);
88+ free(data);
89+
90+}
91+END_TEST
92+
93+
94 static Suite *virgl_init_suite(void)
95 {
96 Suite *s;
97@@ -981,6 +1031,7 @@ static Suite *virgl_init_suite(void)
98 tcase_add_test(tc_core, virgl_test_transfer_buffer_bad_strides);
99 tcase_add_test(tc_core, virgl_test_transfer_2d_array_bad_layer_stride);
100 tcase_add_test(tc_core, virgl_test_transfer_2d_bad_level);
101+ tcase_add_test(tc_core, test_vrend_host_backed_memory_no_data_leak);
102
103 tcase_add_loop_test(tc_core, virgl_test_transfer_res_read_valid, 0, PIPE_MAX_TEXTURE_TYPES);
104 tcase_add_loop_test(tc_core, virgl_test_transfer_res_write_valid, 0, PIPE_MAX_TEXTURE_TYPES);
105--
1062.25.1
107
diff --git a/meta/recipes-graphics/virglrenderer/virglrenderer_0.9.1.bb b/meta/recipes-graphics/virglrenderer/virglrenderer_0.9.1.bb
index 65bd1af942..c18018759b 100644
--- a/meta/recipes-graphics/virglrenderer/virglrenderer_0.9.1.bb
+++ b/meta/recipes-graphics/virglrenderer/virglrenderer_0.9.1.bb
@@ -12,6 +12,8 @@ DEPENDS = "libdrm virtual/libgl virtual/libgbm libepoxy"
12SRCREV = "363915595e05fb252e70d6514be2f0c0b5ca312b" 12SRCREV = "363915595e05fb252e70d6514be2f0c0b5ca312b"
13SRC_URI = "git://anongit.freedesktop.org/virglrenderer;branch=branch-0.9.1 \ 13SRC_URI = "git://anongit.freedesktop.org/virglrenderer;branch=branch-0.9.1 \
14 file://0001-meson.build-use-python3-directly-for-python.patch \ 14 file://0001-meson.build-use-python3-directly-for-python.patch \
15 file://cve-2022-0135.patch \
16 file://cve-2022-0175.patch \
15 " 17 "
16 18
17S = "${WORKDIR}/git" 19S = "${WORKDIR}/git"