virglrenderer: fix CVE-2022-0135

(From OE-Core rev: 5eea0b24c6fcd90aab0737c7a3f7431535a02890) Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Chee Yang Lee <chee.yang.lee@intel.com> 2022-09-13 11:47:39 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2022-09-16 17:53:28 +0100
commit: 0781ad69b8998a1f9e40fc9f5e67a1f8e518ef5f (patch)
tree: 014ce6be07f6ee1f228071f41caab4e991158d61 /meta
parent: 9ca32cf9abc3fe99313c37e964bca70f3d599a6d (diff)
download: poky-0781ad69b8998a1f9e40fc9f5e67a1f8e518ef5f.tar.gz
2 files changed, 101 insertions, 0 deletions
diff --git a/meta/recipes-graphics/virglrenderer/virglrenderer/CVE-2022-0135.patch b/meta/recipes-graphics/virglrenderer/virglrenderer/CVE-2022-0135.patch
new file mode 100644
index 0000000000..4a277bd4d0
--- /dev/null
+++ b/meta/recipes-graphics/virglrenderer/virglrenderer/CVE-2022-0135.patch
@@ -0,0 +1,100 @@
+From 95e581fd181b213c2ed7cdc63f2abc03eaaa77ec Mon Sep 17 00:00:00 2001
+From: Gert Wollny <gert.wollny@collabora.com>
+Date: Tue, 30 Nov 2021 10:17:26 +0100
+Subject: [PATCH] vrend: Add test to resource OOB write and fix it
+v2: Also check that no depth != 1 has been send when none is due
+Closes: #250
+Signed-off-by: Gert Wollny <gert.wollny@collabora.com>
+Reviewed-by: Chia-I Wu <olvaffe@gmail.com>
+https://gitlab.freedesktop.org/virgl/virglrenderer/-/commit/95e581fd181b213c2ed7cdc63f2abc03eaaa77ec
+Upstream-Status: Backport
+CVE: CVE-2022-0135
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ src/vrend_renderer.c        |  3 +++
+ tests/test_fuzzer_formats.c | 43 +++++++++++++++++++++++++++++++++++++
+ 2 files changed, 46 insertions(+)
+diff --git a/src/vrend_renderer.c b/src/vrend_renderer.c
+index 28f669727..357b81b20 100644
+--- a/src/vrend_renderer.c
+++ b/src/vrend_renderer.c
+@@ -7833,8 +7833,11 @@ static int vrend_renderer_transfer_write_iov(struct vrend_context *ctx,
+                                           info->box->height) * elsize;
+       if (res->target == GL_TEXTURE_3D ||
+           res->target == GL_TEXTURE_2D_ARRAY ||
+          res->target == GL_TEXTURE_2D_MULTISAMPLE_ARRAY ||
+           res->target == GL_TEXTURE_CUBE_MAP_ARRAY)
+           send_size *= info->box->depth;
+      else if (need_temp && info->box->depth != 1)
+         return EINVAL;
+ 
+       if (need_temp) {
+          data = malloc(send_size);
+diff --git a/tests/test_fuzzer_formats.c b/tests/test_fuzzer_formats.c
+index 59d6fb671..2de9a9a3f 100644
+--- a/tests/test_fuzzer_formats.c
+++ b/tests/test_fuzzer_formats.c
+@@ -957,6 +957,48 @@ static void test_vrend_set_signle_abo_heap_overflow() {
+     virgl_renderer_submit_cmd((void *) cmd, ctx_id, 0xde);
+ }
+ 
+/* Test adapted from yaojun8558363@gmail.com:
+ * https://gitlab.freedesktop.org/virgl/virglrenderer/-/issues/250
+*/
+static void test_vrend_3d_resource_overflow() {
+
+    struct virgl_renderer_resource_create_args resource;
+    resource.handle = 0x4c474572;
+    resource.target = PIPE_TEXTURE_2D_ARRAY;
+    resource.format = VIRGL_FORMAT_Z24X8_UNORM;
+    resource.nr_samples = 2;
+    resource.last_level = 0;
+    resource.array_size = 3;
+    resource.bind = VIRGL_BIND_SAMPLER_VIEW;
+    resource.depth = 1;
+    resource.width = 8;
+    resource.height = 4;
+    resource.flags = 0;
+
+    virgl_renderer_resource_create(&resource, NULL, 0);
+    virgl_renderer_ctx_attach_resource(ctx_id, resource.handle);
+
+    uint32_t size = 0x400;
+    uint32_t cmd[size];
+    int i = 0;
+    cmd[i++] = (size - 1) << 16 | 0 << 8 | VIRGL_CCMD_RESOURCE_INLINE_WRITE;
+    cmd[i++] = resource.handle;
+    cmd[i++] = 0; // level
+    cmd[i++] = 0; // usage
+    cmd[i++] = 0; // stride
+    cmd[i++] = 0; // layer_stride
+    cmd[i++] = 0; // x
+    cmd[i++] = 0; // y
+    cmd[i++] = 0; // z
+    cmd[i++] = 8; // w
+    cmd[i++] = 4; // h
+    cmd[i++] = 3; // d
+    memset(&cmd[i], 0, size - i);
+
+    virgl_renderer_submit_cmd((void *) cmd, ctx_id, size);
+}
+
+
+ int main()
+ {
+    initialize_environment();
+@@ -979,6 +1021,7 @@ int main()
+    test_cs_nullpointer_deference();
+    test_vrend_set_signle_abo_heap_overflow();
+ 
+   test_vrend_3d_resource_overflow();
+ 
+    virgl_renderer_context_destroy(ctx_id);
+    virgl_renderer_cleanup(&cookie);
+-- 
+GitLab
diff --git a/meta/recipes-graphics/virglrenderer/virglrenderer_0.8.2.bb b/meta/recipes-graphics/virglrenderer/virglrenderer_0.8.2.bb
index 31c45ef89c..8185d6f7e8 100644
--- a/meta/recipes-graphics/virglrenderer/virglrenderer_0.8.2.bb
+++ b/meta/recipes-graphics/virglrenderer/virglrenderer_0.8.2.bb
@@ -13,6 +13,7 @@ SRCREV = "7d204f3927be65fb3365dce01dbcd04d447a4985"
 SRC_URI = "git://anongit.freedesktop.org/git/virglrenderer;branch=master \
           file://0001-gallium-Expand-libc-check-to-be-platform-OS-check.patch \
           file://0001-meson.build-use-python3-directly-for-python.patch \
+           file://CVE-2022-0135.patch \
           "
 S = "${WORKDIR}/git"
author	Chee Yang Lee <chee.yang.lee@intel.com>	2022-09-13 11:47:39 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2022-09-16 17:53:28 +0100
commit	0781ad69b8998a1f9e40fc9f5e67a1f8e518ef5f (patch)
tree	014ce6be07f6ee1f228071f41caab4e991158d61 /meta
parent	9ca32cf9abc3fe99313c37e964bca70f3d599a6d (diff)
download	poky-0781ad69b8998a1f9e40fc9f5e67a1f8e518ef5f.tar.gz

diff --git a/meta/recipes-graphics/virglrenderer/virglrenderer/CVE-2022-0135.patch b/meta/recipes-graphics/virglrenderer/virglrenderer/CVE-2022-0135.patch new file mode 100644 index 0000000000..4a277bd4d0 --- /dev/null +++ b/meta/recipes-graphics/virglrenderer/virglrenderer/CVE-2022-0135.patch
@@ -0,0 +1,100 @@
		1	From 95e581fd181b213c2ed7cdc63f2abc03eaaa77ec Mon Sep 17 00:00:00 2001
		2	From: Gert Wollny <gert.wollny@collabora.com>
		3	Date: Tue, 30 Nov 2021 10:17:26 +0100
		4	Subject: [PATCH] vrend: Add test to resource OOB write and fix it
		5
		6	v2: Also check that no depth != 1 has been send when none is due
		7
		8	Closes: #250
		9	Signed-off-by: Gert Wollny <gert.wollny@collabora.com>
		10	Reviewed-by: Chia-I Wu <olvaffe@gmail.com>
		11
		12	https://gitlab.freedesktop.org/virgl/virglrenderer/-/commit/95e581fd181b213c2ed7cdc63f2abc03eaaa77ec
		13	Upstream-Status: Backport
		14	CVE: CVE-2022-0135
		15	Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
		16	---
		17	src/vrend_renderer.c \| 3 +++
		18	tests/test_fuzzer_formats.c \| 43 +++++++++++++++++++++++++++++++++++++
		19	2 files changed, 46 insertions(+)
		20
		21	diff --git a/src/vrend_renderer.c b/src/vrend_renderer.c
		22	index 28f669727..357b81b20 100644
		23	--- a/src/vrend_renderer.c
		24	+++ b/src/vrend_renderer.c
		25	@@ -7833,8 +7833,11 @@ static int vrend_renderer_transfer_write_iov(struct vrend_context *ctx,
		26	info->box->height) * elsize;
		27	if (res->target == GL_TEXTURE_3D \|\|
		28	res->target == GL_TEXTURE_2D_ARRAY \|\|
		29	+ res->target == GL_TEXTURE_2D_MULTISAMPLE_ARRAY \|\|
		30	res->target == GL_TEXTURE_CUBE_MAP_ARRAY)
		31	send_size *= info->box->depth;
		32	+ else if (need_temp && info->box->depth != 1)
		33	+ return EINVAL;
		34
		35	if (need_temp) {
		36	data = malloc(send_size);
		37	diff --git a/tests/test_fuzzer_formats.c b/tests/test_fuzzer_formats.c
		38	index 59d6fb671..2de9a9a3f 100644
		39	--- a/tests/test_fuzzer_formats.c
		40	+++ b/tests/test_fuzzer_formats.c
		41	@@ -957,6 +957,48 @@ static void test_vrend_set_signle_abo_heap_overflow() {
		42	virgl_renderer_submit_cmd((void *) cmd, ctx_id, 0xde);
		43	}
		44
		45	+/* Test adapted from yaojun8558363@gmail.com:
		46	+ * https://gitlab.freedesktop.org/virgl/virglrenderer/-/issues/250
		47	+*/
		48	+static void test_vrend_3d_resource_overflow() {
		49	+
		50	+ struct virgl_renderer_resource_create_args resource;
		51	+ resource.handle = 0x4c474572;
		52	+ resource.target = PIPE_TEXTURE_2D_ARRAY;
		53	+ resource.format = VIRGL_FORMAT_Z24X8_UNORM;
		54	+ resource.nr_samples = 2;
		55	+ resource.last_level = 0;
		56	+ resource.array_size = 3;
		57	+ resource.bind = VIRGL_BIND_SAMPLER_VIEW;
		58	+ resource.depth = 1;
		59	+ resource.width = 8;
		60	+ resource.height = 4;
		61	+ resource.flags = 0;
		62	+
		63	+ virgl_renderer_resource_create(&resource, NULL, 0);
		64	+ virgl_renderer_ctx_attach_resource(ctx_id, resource.handle);
		65	+
		66	+ uint32_t size = 0x400;
		67	+ uint32_t cmd[size];
		68	+ int i = 0;
		69	+ cmd[i++] = (size - 1) << 16 \| 0 << 8 \| VIRGL_CCMD_RESOURCE_INLINE_WRITE;
		70	+ cmd[i++] = resource.handle;
		71	+ cmd[i++] = 0; // level
		72	+ cmd[i++] = 0; // usage
		73	+ cmd[i++] = 0; // stride
		74	+ cmd[i++] = 0; // layer_stride
		75	+ cmd[i++] = 0; // x
		76	+ cmd[i++] = 0; // y
		77	+ cmd[i++] = 0; // z
		78	+ cmd[i++] = 8; // w
		79	+ cmd[i++] = 4; // h
		80	+ cmd[i++] = 3; // d
		81	+ memset(&cmd[i], 0, size - i);
		82	+
		83	+ virgl_renderer_submit_cmd((void *) cmd, ctx_id, size);
		84	+}
		85	+
		86	+
		87	int main()
		88	{
		89	initialize_environment();
		90	@@ -979,6 +1021,7 @@ int main()
		91	test_cs_nullpointer_deference();
		92	test_vrend_set_signle_abo_heap_overflow();
		93
		94	+ test_vrend_3d_resource_overflow();
		95
		96	virgl_renderer_context_destroy(ctx_id);
		97	virgl_renderer_cleanup(&cookie);
		98	--
		99	GitLab
		100


diff --git a/meta/recipes-graphics/virglrenderer/virglrenderer_0.8.2.bb b/meta/recipes-graphics/virglrenderer/virglrenderer_0.8.2.bb index 31c45ef89c..8185d6f7e8 100644 --- a/meta/recipes-graphics/virglrenderer/virglrenderer_0.8.2.bb +++ b/meta/recipes-graphics/virglrenderer/virglrenderer_0.8.2.bb
@@ -13,6 +13,7 @@ SRCREV = "7d204f3927be65fb3365dce01dbcd04d447a4985"
13	SRC_URI = "git://anongit.freedesktop.org/git/virglrenderer;branch=master \	13	SRC_URI = "git://anongit.freedesktop.org/git/virglrenderer;branch=master \
14	file://0001-gallium-Expand-libc-check-to-be-platform-OS-check.patch \	14	file://0001-gallium-Expand-libc-check-to-be-platform-OS-check.patch \
15	file://0001-meson.build-use-python3-directly-for-python.patch \	15	file://0001-meson.build-use-python3-directly-for-python.patch \
		16	file://CVE-2022-0135.patch \
16	"	17	"
17		18
18	S = "${WORKDIR}/git"	19	S = "${WORKDIR}/git"