1 files changed, 100 insertions, 0 deletions
diff --git a/meta/recipes-graphics/virglrenderer/virglrenderer/CVE-2022-0135.patch b/meta/recipes-graphics/virglrenderer/virglrenderer/CVE-2022-0135.patch
new file mode 100644
index 0000000000..4a277bd4d0
--- /dev/null
+++ b/meta/recipes-graphics/virglrenderer/virglrenderer/CVE-2022-0135.patch
@@ -0,0 +1,100 @@
+From 95e581fd181b213c2ed7cdc63f2abc03eaaa77ec Mon Sep 17 00:00:00 2001
+From: Gert Wollny <gert.wollny@collabora.com>
+Date: Tue, 30 Nov 2021 10:17:26 +0100
+Subject: [PATCH] vrend: Add test to resource OOB write and fix it
+v2: Also check that no depth != 1 has been send when none is due
+Closes: #250
+Signed-off-by: Gert Wollny <gert.wollny@collabora.com>
+Reviewed-by: Chia-I Wu <olvaffe@gmail.com>
+https://gitlab.freedesktop.org/virgl/virglrenderer/-/commit/95e581fd181b213c2ed7cdc63f2abc03eaaa77ec
+Upstream-Status: Backport
+CVE: CVE-2022-0135
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ src/vrend_renderer.c        |  3 +++
+ tests/test_fuzzer_formats.c | 43 +++++++++++++++++++++++++++++++++++++
+ 2 files changed, 46 insertions(+)
+diff --git a/src/vrend_renderer.c b/src/vrend_renderer.c
+index 28f669727..357b81b20 100644
+--- a/src/vrend_renderer.c
+++ b/src/vrend_renderer.c
+@@ -7833,8 +7833,11 @@ static int vrend_renderer_transfer_write_iov(struct vrend_context *ctx,
+                                           info->box->height) * elsize;
+       if (res->target == GL_TEXTURE_3D ||
+           res->target == GL_TEXTURE_2D_ARRAY ||
+          res->target == GL_TEXTURE_2D_MULTISAMPLE_ARRAY ||
+           res->target == GL_TEXTURE_CUBE_MAP_ARRAY)
+           send_size *= info->box->depth;
+      else if (need_temp && info->box->depth != 1)
+         return EINVAL;
+ 
+       if (need_temp) {
+          data = malloc(send_size);
+diff --git a/tests/test_fuzzer_formats.c b/tests/test_fuzzer_formats.c
+index 59d6fb671..2de9a9a3f 100644
+--- a/tests/test_fuzzer_formats.c
+++ b/tests/test_fuzzer_formats.c
+@@ -957,6 +957,48 @@ static void test_vrend_set_signle_abo_heap_overflow() {
+     virgl_renderer_submit_cmd((void *) cmd, ctx_id, 0xde);
+ }
+ 
+/* Test adapted from yaojun8558363@gmail.com:
+ * https://gitlab.freedesktop.org/virgl/virglrenderer/-/issues/250
+*/
+static void test_vrend_3d_resource_overflow() {
+
+    struct virgl_renderer_resource_create_args resource;
+    resource.handle = 0x4c474572;
+    resource.target = PIPE_TEXTURE_2D_ARRAY;
+    resource.format = VIRGL_FORMAT_Z24X8_UNORM;
+    resource.nr_samples = 2;
+    resource.last_level = 0;
+    resource.array_size = 3;
+    resource.bind = VIRGL_BIND_SAMPLER_VIEW;
+    resource.depth = 1;
+    resource.width = 8;
+    resource.height = 4;
+    resource.flags = 0;
+
+    virgl_renderer_resource_create(&resource, NULL, 0);
+    virgl_renderer_ctx_attach_resource(ctx_id, resource.handle);
+
+    uint32_t size = 0x400;
+    uint32_t cmd[size];
+    int i = 0;
+    cmd[i++] = (size - 1) << 16 | 0 << 8 | VIRGL_CCMD_RESOURCE_INLINE_WRITE;
+    cmd[i++] = resource.handle;
+    cmd[i++] = 0; // level
+    cmd[i++] = 0; // usage
+    cmd[i++] = 0; // stride
+    cmd[i++] = 0; // layer_stride
+    cmd[i++] = 0; // x
+    cmd[i++] = 0; // y
+    cmd[i++] = 0; // z
+    cmd[i++] = 8; // w
+    cmd[i++] = 4; // h
+    cmd[i++] = 3; // d
+    memset(&cmd[i], 0, size - i);
+
+    virgl_renderer_submit_cmd((void *) cmd, ctx_id, size);
+}
+
+
+ int main()
+ {
+    initialize_environment();
+@@ -979,6 +1021,7 @@ int main()
+    test_cs_nullpointer_deference();
+    test_vrend_set_signle_abo_heap_overflow();
+ 
+   test_vrend_3d_resource_overflow();
+ 
+    virgl_renderer_context_destroy(ctx_id);
+    virgl_renderer_cleanup(&cookie);
+-- 
+GitLab

diff --git a/meta/recipes-graphics/virglrenderer/virglrenderer/CVE-2022-0135.patch b/meta/recipes-graphics/virglrenderer/virglrenderer/CVE-2022-0135.patch new file mode 100644 index 0000000000..4a277bd4d0 --- /dev/null +++ b/meta/recipes-graphics/virglrenderer/virglrenderer/CVE-2022-0135.patch
@@ -0,0 +1,100 @@
	1	From 95e581fd181b213c2ed7cdc63f2abc03eaaa77ec Mon Sep 17 00:00:00 2001
	2	From: Gert Wollny <gert.wollny@collabora.com>
	3	Date: Tue, 30 Nov 2021 10:17:26 +0100
	4	Subject: [PATCH] vrend: Add test to resource OOB write and fix it
	5
	6	v2: Also check that no depth != 1 has been send when none is due
	7
	8	Closes: #250
	9	Signed-off-by: Gert Wollny <gert.wollny@collabora.com>
	10	Reviewed-by: Chia-I Wu <olvaffe@gmail.com>
	11
	12	https://gitlab.freedesktop.org/virgl/virglrenderer/-/commit/95e581fd181b213c2ed7cdc63f2abc03eaaa77ec
	13	Upstream-Status: Backport
	14	CVE: CVE-2022-0135
	15	Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
	16	---
	17	src/vrend_renderer.c \| 3 +++
	18	tests/test_fuzzer_formats.c \| 43 +++++++++++++++++++++++++++++++++++++
	19	2 files changed, 46 insertions(+)
	20
	21	diff --git a/src/vrend_renderer.c b/src/vrend_renderer.c
	22	index 28f669727..357b81b20 100644
	23	--- a/src/vrend_renderer.c
	24	+++ b/src/vrend_renderer.c
	25	@@ -7833,8 +7833,11 @@ static int vrend_renderer_transfer_write_iov(struct vrend_context *ctx,
	26	info->box->height) * elsize;
	27	if (res->target == GL_TEXTURE_3D \|\|
	28	res->target == GL_TEXTURE_2D_ARRAY \|\|
	29	+ res->target == GL_TEXTURE_2D_MULTISAMPLE_ARRAY \|\|
	30	res->target == GL_TEXTURE_CUBE_MAP_ARRAY)
	31	send_size *= info->box->depth;
	32	+ else if (need_temp && info->box->depth != 1)
	33	+ return EINVAL;
	34
	35	if (need_temp) {
	36	data = malloc(send_size);
	37	diff --git a/tests/test_fuzzer_formats.c b/tests/test_fuzzer_formats.c
	38	index 59d6fb671..2de9a9a3f 100644
	39	--- a/tests/test_fuzzer_formats.c
	40	+++ b/tests/test_fuzzer_formats.c
	41	@@ -957,6 +957,48 @@ static void test_vrend_set_signle_abo_heap_overflow() {
	42	virgl_renderer_submit_cmd((void *) cmd, ctx_id, 0xde);
	43	}
	44
	45	+/* Test adapted from yaojun8558363@gmail.com:
	46	+ * https://gitlab.freedesktop.org/virgl/virglrenderer/-/issues/250
	47	+*/
	48	+static void test_vrend_3d_resource_overflow() {
	49	+
	50	+ struct virgl_renderer_resource_create_args resource;
	51	+ resource.handle = 0x4c474572;
	52	+ resource.target = PIPE_TEXTURE_2D_ARRAY;
	53	+ resource.format = VIRGL_FORMAT_Z24X8_UNORM;
	54	+ resource.nr_samples = 2;
	55	+ resource.last_level = 0;
	56	+ resource.array_size = 3;
	57	+ resource.bind = VIRGL_BIND_SAMPLER_VIEW;
	58	+ resource.depth = 1;
	59	+ resource.width = 8;
	60	+ resource.height = 4;
	61	+ resource.flags = 0;
	62	+
	63	+ virgl_renderer_resource_create(&resource, NULL, 0);
	64	+ virgl_renderer_ctx_attach_resource(ctx_id, resource.handle);
	65	+
	66	+ uint32_t size = 0x400;
	67	+ uint32_t cmd[size];
	68	+ int i = 0;
	69	+ cmd[i++] = (size - 1) << 16 \| 0 << 8 \| VIRGL_CCMD_RESOURCE_INLINE_WRITE;
	70	+ cmd[i++] = resource.handle;
	71	+ cmd[i++] = 0; // level
	72	+ cmd[i++] = 0; // usage
	73	+ cmd[i++] = 0; // stride
	74	+ cmd[i++] = 0; // layer_stride
	75	+ cmd[i++] = 0; // x
	76	+ cmd[i++] = 0; // y
	77	+ cmd[i++] = 0; // z
	78	+ cmd[i++] = 8; // w
	79	+ cmd[i++] = 4; // h
	80	+ cmd[i++] = 3; // d
	81	+ memset(&cmd[i], 0, size - i);
	82	+
	83	+ virgl_renderer_submit_cmd((void *) cmd, ctx_id, size);
	84	+}
	85	+
	86	+
	87	int main()
	88	{
	89	initialize_environment();
	90	@@ -979,6 +1021,7 @@ int main()
	91	test_cs_nullpointer_deference();
	92	test_vrend_set_signle_abo_heap_overflow();
	93
	94	+ test_vrend_3d_resource_overflow();
	95
	96	virgl_renderer_context_destroy(ctx_id);
	97	virgl_renderer_cleanup(&cookie);
	98	--
	99	GitLab
	100