4 files changed, 159 insertions, 0 deletions
diff --git a/meta/recipes-graphics/virglrenderer/virglrenderer/CVE-2019-18390.patch b/meta/recipes-graphics/virglrenderer/virglrenderer/CVE-2019-18390.patch
new file mode 100644
index 0000000000..ad61c95be3
--- /dev/null
+++ b/meta/recipes-graphics/virglrenderer/virglrenderer/CVE-2019-18390.patch
@@ -0,0 +1,66 @@
+From 24f67de7a9088a873844a39be03cee6882260ac9 Mon Sep 17 00:00:00 2001
+From: Gert Wollny <gert.wollny@collabora.com>
+Date: Mon, 7 Oct 2019 10:59:56 +0200
+Subject: [PATCH] vrend: check info formats in blits
+Closes #141
+Closes #142
+v2 : drop colon in error description (Emil)
+Signed-off-by: Gert Wollny <gert.wollny@collabora.com>
+Reviewed-by: Emil Velikov <emil.velikov@collabora.com>
+Upstream-Status: Backport 
+[https://gitlab.freedesktop.org/virgl/virglrenderer/commit/24f67de7a9088a873844a39be03cee6882260ac9]
+CVE: CVE-2019-18390
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+---
+ src/virgl_hw.h       |  1 +
+ src/vrend_renderer.c | 11 +++++++++++
+ 2 files changed, 12 insertions(+)
+diff --git a/src/virgl_hw.h b/src/virgl_hw.h
+index 145780bf..5ccf3073 100644
+--- a/src/virgl_hw.h
+++ b/src/virgl_hw.h
+@@ -426,6 +426,7 @@ enum virgl_ctx_errors {
+         VIRGL_ERROR_CTX_ILLEGAL_CMD_BUFFER,
+         VIRGL_ERROR_CTX_GLES_HAVE_TES_BUT_MISS_TCS,
+         VIRGL_ERROR_GL_ANY_SAMPLES_PASSED,
+        VIRGL_ERROR_CTX_ILLEGAL_FORMAT,
+ };
+ 
+ #define VIRGL_RESOURCE_Y_0_TOP (1 << 0)
+diff --git a/src/vrend_renderer.c b/src/vrend_renderer.c
+index 14fefb38..aa6a89c1 100644
+--- a/src/vrend_renderer.c
+++ b/src/vrend_renderer.c
+@@ -758,6 +758,7 @@ static const char *vrend_ctx_error_strings[] = {
+    [VIRGL_ERROR_CTX_ILLEGAL_CMD_BUFFER]    = "Illegal command buffer",
+    [VIRGL_ERROR_CTX_GLES_HAVE_TES_BUT_MISS_TCS] = "On GLES context and shader program has tesselation evaluation shader but no tesselation control shader",
+    [VIRGL_ERROR_GL_ANY_SAMPLES_PASSED] = "Query for ANY_SAMPLES_PASSED not supported",
+   [VIRGL_ERROR_CTX_ILLEGAL_FORMAT]        = "Illegal format ID",
+ };
+ 
+ static void __report_context_error(const char *fname, struct vrend_context *ctx,
+@@ -8492,6 +8493,16 @@ void vrend_renderer_blit(struct vrend_context *ctx,
+    if (ctx->in_error)
+       return;
+ 
+   if (!info->src.format || (enum virgl_formats)info->src.format >= VIRGL_FORMAT_MAX) {
+      report_context_error(ctx, VIRGL_ERROR_CTX_ILLEGAL_FORMAT, info->src.format);
+      return;
+   }
+
+   if (!info->dst.format || (enum virgl_formats)info->dst.format >= VIRGL_FORMAT_MAX) {
+      report_context_error(ctx, VIRGL_ERROR_CTX_ILLEGAL_FORMAT, info->dst.format);
+      return;
+   }
+
+    if (info->render_condition_enable == false)
+       vrend_pause_render_condition(ctx, true);
+ 
+-- 
+2.24.1
diff --git a/meta/recipes-graphics/virglrenderer/virglrenderer/CVE-2019-18391.patch b/meta/recipes-graphics/virglrenderer/virglrenderer/CVE-2019-18391.patch
new file mode 100644
index 0000000000..cc641d8293
--- /dev/null
+++ b/meta/recipes-graphics/virglrenderer/virglrenderer/CVE-2019-18391.patch
@@ -0,0 +1,51 @@
+From 2abeb1802e3c005b17a7123e382171b3fb665971 Mon Sep 17 00:00:00 2001
+From: Gert Wollny <gert.wollny@collabora.com>
+Date: Tue, 8 Oct 2019 17:27:01 +0200
+Subject: [PATCH] vrend: check that the transfer iov holds enough data for the
+ data upload
+Closes #140
+Signed-off-by: Gert Wollny <gert.wollny@collabora.com>
+Reviewed-by: Emil Velikov <emil.velikov@collabora.com>
+Upstream-Status: Backport 
+[https://gitlab.freedesktop.org/virgl/virglrenderer/commit/2abeb1802e3c005b17a7123e382171b3fb665971]
+CVE: CVE-2019-18391
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+---
+ src/vrend_renderer.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+diff --git a/src/vrend_renderer.c b/src/vrend_renderer.c
+index 694e1d0e..fe23846b 100644
+--- a/src/vrend_renderer.c
+++ b/src/vrend_renderer.c
+@@ -7005,15 +7005,22 @@ static int vrend_renderer_transfer_write_iov(struct vrend_context *ctx,
+             invert = true;
+       }
+ 
+      send_size = util_format_get_nblocks(res->base.format, info->box->width,
+                                          info->box->height) * elsize;
+      if (res->target == GL_TEXTURE_3D ||
+          res->target == GL_TEXTURE_2D_ARRAY ||
+          res->target == GL_TEXTURE_CUBE_MAP_ARRAY)
+          send_size *= info->box->depth;
+
+       if (need_temp) {
+-         send_size = util_format_get_nblocks(res->base.format, info->box->width,
+-                                             info->box->height) * elsize * info->box->depth;
+          data = malloc(send_size);
+          if (!data)
+             return ENOMEM;
+          read_transfer_data(iov, num_iovs, data, res->base.format, info->offset,
+                             stride, layer_stride, info->box, invert);
+       } else {
+         if (send_size > iov[0].iov_len - info->offset)
+            return EINVAL;
+          data = (char*)iov[0].iov_base + info->offset;
+       }
+ 
+-- 
+2.24.1
diff --git a/meta/recipes-graphics/virglrenderer/virglrenderer/CVE-2020-8002.patch b/meta/recipes-graphics/virglrenderer/virglrenderer/CVE-2020-8002.patch
new file mode 100644
index 0000000000..925f2c8eb0
--- /dev/null
+++ b/meta/recipes-graphics/virglrenderer/virglrenderer/CVE-2020-8002.patch
@@ -0,0 +1,39 @@
+From 63bcca251f093d83da7e290ab4bbd38ae69089b5 Mon Sep 17 00:00:00 2001
+From: Gert Wollny <gert.wollny@collabora.com>
+Date: Wed, 15 Jan 2020 13:43:58 +0100
+Subject: [PATCH] vrend: Don't try launching a grid if no CS is available
+Closes #155
+Signed-off-by: Gert Wollny <gert.wollny@collabora.com>
+Reviewed-by: Gurchetan Singh <gurchetansingh@chromium.org>
+Upstream-Status: Backport 
+[https://gitlab.freedesktop.org/virgl/virglrenderer/-/commit/63bcca251f093d83da7e290ab4bbd38ae69089b5.patch]
+CVE: CVE-2020-8002
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+---
+ src/vrend_renderer.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+diff --git a/src/vrend_renderer.c b/src/vrend_renderer.c
+index a054bad8..2280fc43 100644
+--- a/src/vrend_renderer.c
+++ b/src/vrend_renderer.c
+@@ -4604,6 +4604,13 @@ void vrend_launch_grid(struct vrend_context *ctx,
+       }
+       ctx->sub->shader_dirty = true;
+    }
+
+   if (!ctx->sub->prog) {
+      vrend_printf("%s: Skipping compute shader execution due to missing shaders: %s\n",
+                   __func__, ctx->debug_name);
+      return;
+   }
+
+    vrend_use_program(ctx, ctx->sub->prog->id);
+ 
+    vrend_draw_bind_ubo_shader(ctx, PIPE_SHADER_COMPUTE, 0);
+-- 
+2.24.1
diff --git a/meta/recipes-graphics/virglrenderer/virglrenderer_0.8.0.bb b/meta/recipes-graphics/virglrenderer/virglrenderer_0.8.0.bb
index d2b11c103a..e91ccc6c57 100644
--- a/meta/recipes-graphics/virglrenderer/virglrenderer_0.8.0.bb
+++ b/meta/recipes-graphics/virglrenderer/virglrenderer_0.8.0.bb
@@ -8,6 +8,9 @@ DEPENDS = "libdrm mesa libepoxy"
 SRCREV = "48cc96c9aebb9d0164830a157efc8916f08f00c0"
 SRC_URI = "git://anongit.freedesktop.org/virglrenderer \
           file://0001-gallium-Expand-libc-check-to-be-platform-OS-check.patch \
+           file://CVE-2019-18390.patch \
+           file://CVE-2019-18391.patch \
+           file://CVE-2020-8002.patch  \
           "
 S = "${WORKDIR}/git"

diff --git a/meta/recipes-graphics/virglrenderer/virglrenderer/CVE-2019-18390.patch b/meta/recipes-graphics/virglrenderer/virglrenderer/CVE-2019-18390.patch new file mode 100644 index 0000000000..ad61c95be3 --- /dev/null +++ b/meta/recipes-graphics/virglrenderer/virglrenderer/CVE-2019-18390.patch
@@ -0,0 +1,66 @@
		1	From 24f67de7a9088a873844a39be03cee6882260ac9 Mon Sep 17 00:00:00 2001
		2	From: Gert Wollny <gert.wollny@collabora.com>
		3	Date: Mon, 7 Oct 2019 10:59:56 +0200
		4	Subject: [PATCH] vrend: check info formats in blits
		5
		6	Closes #141
		7	Closes #142
		8
		9	v2 : drop colon in error description (Emil)
		10
		11	Signed-off-by: Gert Wollny <gert.wollny@collabora.com>
		12	Reviewed-by: Emil Velikov <emil.velikov@collabora.com>
		13
		14	Upstream-Status: Backport
		15	[https://gitlab.freedesktop.org/virgl/virglrenderer/commit/24f67de7a9088a873844a39be03cee6882260ac9]
		16	CVE: CVE-2019-18390
		17	Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
		18	---
		19	src/virgl_hw.h \| 1 +
		20	src/vrend_renderer.c \| 11 +++++++++++
		21	2 files changed, 12 insertions(+)
		22
		23	diff --git a/src/virgl_hw.h b/src/virgl_hw.h
		24	index 145780bf..5ccf3073 100644
		25	--- a/src/virgl_hw.h
		26	+++ b/src/virgl_hw.h
		27	@@ -426,6 +426,7 @@ enum virgl_ctx_errors {
		28	VIRGL_ERROR_CTX_ILLEGAL_CMD_BUFFER,
		29	VIRGL_ERROR_CTX_GLES_HAVE_TES_BUT_MISS_TCS,
		30	VIRGL_ERROR_GL_ANY_SAMPLES_PASSED,
		31	+ VIRGL_ERROR_CTX_ILLEGAL_FORMAT,
		32	};
		33
		34	#define VIRGL_RESOURCE_Y_0_TOP (1 << 0)
		35	diff --git a/src/vrend_renderer.c b/src/vrend_renderer.c
		36	index 14fefb38..aa6a89c1 100644
		37	--- a/src/vrend_renderer.c
		38	+++ b/src/vrend_renderer.c
		39	@@ -758,6 +758,7 @@ static const char *vrend_ctx_error_strings[] = {
		40	[VIRGL_ERROR_CTX_ILLEGAL_CMD_BUFFER] = "Illegal command buffer",
		41	[VIRGL_ERROR_CTX_GLES_HAVE_TES_BUT_MISS_TCS] = "On GLES context and shader program has tesselation evaluation shader but no tesselation control shader",
		42	[VIRGL_ERROR_GL_ANY_SAMPLES_PASSED] = "Query for ANY_SAMPLES_PASSED not supported",
		43	+ [VIRGL_ERROR_CTX_ILLEGAL_FORMAT] = "Illegal format ID",
		44	};
		45
		46	static void __report_context_error(const char fname, struct vrend_context ctx,
		47	@@ -8492,6 +8493,16 @@ void vrend_renderer_blit(struct vrend_context *ctx,
		48	if (ctx->in_error)
		49	return;
		50
		51	+ if (!info->src.format \|\| (enum virgl_formats)info->src.format >= VIRGL_FORMAT_MAX) {
		52	+ report_context_error(ctx, VIRGL_ERROR_CTX_ILLEGAL_FORMAT, info->src.format);
		53	+ return;
		54	+ }
		55	+
		56	+ if (!info->dst.format \|\| (enum virgl_formats)info->dst.format >= VIRGL_FORMAT_MAX) {
		57	+ report_context_error(ctx, VIRGL_ERROR_CTX_ILLEGAL_FORMAT, info->dst.format);
		58	+ return;
		59	+ }
		60	+
		61	if (info->render_condition_enable == false)
		62	vrend_pause_render_condition(ctx, true);
		63
		64	--
		65	2.24.1
		66


diff --git a/meta/recipes-graphics/virglrenderer/virglrenderer/CVE-2019-18391.patch b/meta/recipes-graphics/virglrenderer/virglrenderer/CVE-2019-18391.patch new file mode 100644 index 0000000000..cc641d8293 --- /dev/null +++ b/meta/recipes-graphics/virglrenderer/virglrenderer/CVE-2019-18391.patch
@@ -0,0 +1,51 @@
		1	From 2abeb1802e3c005b17a7123e382171b3fb665971 Mon Sep 17 00:00:00 2001
		2	From: Gert Wollny <gert.wollny@collabora.com>
		3	Date: Tue, 8 Oct 2019 17:27:01 +0200
		4	Subject: [PATCH] vrend: check that the transfer iov holds enough data for the
		5	data upload
		6
		7	Closes #140
		8
		9	Signed-off-by: Gert Wollny <gert.wollny@collabora.com>
		10	Reviewed-by: Emil Velikov <emil.velikov@collabora.com>
		11
		12	Upstream-Status: Backport
		13	[https://gitlab.freedesktop.org/virgl/virglrenderer/commit/2abeb1802e3c005b17a7123e382171b3fb665971]
		14	CVE: CVE-2019-18391
		15	Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
		16	---
		17	src/vrend_renderer.c \| 11 +++++++++--
		18	1 file changed, 9 insertions(+), 2 deletions(-)
		19
		20	diff --git a/src/vrend_renderer.c b/src/vrend_renderer.c
		21	index 694e1d0e..fe23846b 100644
		22	--- a/src/vrend_renderer.c
		23	+++ b/src/vrend_renderer.c
		24	@@ -7005,15 +7005,22 @@ static int vrend_renderer_transfer_write_iov(struct vrend_context *ctx,
		25	invert = true;
		26	}
		27
		28	+ send_size = util_format_get_nblocks(res->base.format, info->box->width,
		29	+ info->box->height) * elsize;
		30	+ if (res->target == GL_TEXTURE_3D \|\|
		31	+ res->target == GL_TEXTURE_2D_ARRAY \|\|
		32	+ res->target == GL_TEXTURE_CUBE_MAP_ARRAY)
		33	+ send_size *= info->box->depth;
		34	+
		35	if (need_temp) {
		36	- send_size = util_format_get_nblocks(res->base.format, info->box->width,
		37	- info->box->height) * elsize * info->box->depth;
		38	data = malloc(send_size);
		39	if (!data)
		40	return ENOMEM;
		41	read_transfer_data(iov, num_iovs, data, res->base.format, info->offset,
		42	stride, layer_stride, info->box, invert);
		43	} else {
		44	+ if (send_size > iov[0].iov_len - info->offset)
		45	+ return EINVAL;
		46	data = (char*)iov[0].iov_base + info->offset;
		47	}
		48
		49	--
		50	2.24.1
		51


diff --git a/meta/recipes-graphics/virglrenderer/virglrenderer/CVE-2020-8002.patch b/meta/recipes-graphics/virglrenderer/virglrenderer/CVE-2020-8002.patch new file mode 100644 index 0000000000..925f2c8eb0 --- /dev/null +++ b/meta/recipes-graphics/virglrenderer/virglrenderer/CVE-2020-8002.patch
@@ -0,0 +1,39 @@
		1	From 63bcca251f093d83da7e290ab4bbd38ae69089b5 Mon Sep 17 00:00:00 2001
		2	From: Gert Wollny <gert.wollny@collabora.com>
		3	Date: Wed, 15 Jan 2020 13:43:58 +0100
		4	Subject: [PATCH] vrend: Don't try launching a grid if no CS is available
		5
		6	Closes #155
		7
		8	Signed-off-by: Gert Wollny <gert.wollny@collabora.com>
		9	Reviewed-by: Gurchetan Singh <gurchetansingh@chromium.org>
		10
		11	Upstream-Status: Backport
		12	[https://gitlab.freedesktop.org/virgl/virglrenderer/-/commit/63bcca251f093d83da7e290ab4bbd38ae69089b5.patch]
		13	CVE: CVE-2020-8002
		14	Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
		15	---
		16	src/vrend_renderer.c \| 7 +++++++
		17	1 file changed, 7 insertions(+)
		18
		19	diff --git a/src/vrend_renderer.c b/src/vrend_renderer.c
		20	index a054bad8..2280fc43 100644
		21	--- a/src/vrend_renderer.c
		22	+++ b/src/vrend_renderer.c
		23	@@ -4604,6 +4604,13 @@ void vrend_launch_grid(struct vrend_context *ctx,
		24	}
		25	ctx->sub->shader_dirty = true;
		26	}
		27	+
		28	+ if (!ctx->sub->prog) {
		29	+ vrend_printf("%s: Skipping compute shader execution due to missing shaders: %s\n",
		30	+ __func__, ctx->debug_name);
		31	+ return;
		32	+ }
		33	+
		34	vrend_use_program(ctx, ctx->sub->prog->id);
		35
		36	vrend_draw_bind_ubo_shader(ctx, PIPE_SHADER_COMPUTE, 0);
		37	--
		38	2.24.1
		39


diff --git a/meta/recipes-graphics/virglrenderer/virglrenderer_0.8.0.bb b/meta/recipes-graphics/virglrenderer/virglrenderer_0.8.0.bb index d2b11c103a..e91ccc6c57 100644 --- a/meta/recipes-graphics/virglrenderer/virglrenderer_0.8.0.bb +++ b/meta/recipes-graphics/virglrenderer/virglrenderer_0.8.0.bb
@@ -8,6 +8,9 @@ DEPENDS = "libdrm mesa libepoxy"
8	SRCREV = "48cc96c9aebb9d0164830a157efc8916f08f00c0"	8	SRCREV = "48cc96c9aebb9d0164830a157efc8916f08f00c0"
9	SRC_URI = "git://anongit.freedesktop.org/virglrenderer \	9	SRC_URI = "git://anongit.freedesktop.org/virglrenderer \
10	file://0001-gallium-Expand-libc-check-to-be-platform-OS-check.patch \	10	file://0001-gallium-Expand-libc-check-to-be-platform-OS-check.patch \
		11	file://CVE-2019-18390.patch \
		12	file://CVE-2019-18391.patch \
		13	file://CVE-2020-8002.patch \
11	"	14	"
12		15
13	S = "${WORKDIR}/git"	16	S = "${WORKDIR}/git"