virglrenderer: fix CVE-2022-0135 and -0175

CVE-2022-0135 concerns out-of-bounds writes in read_transfer_data().
CVE-2022-0175 concerns using malloc() instead of calloc().

We "cherry-pick" from upstream.  The actual cherry-picks are from
upstream master to branch-0.9.1 and are the patches entered here.

(From OE-Core rev: 91f7511df79c5c1f93add9f2827a5a266453614e)

Signed-off-by: Joe Slater <joe.slater@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Joe Slater
2022-02-09 15:36:50 -08:00
committed by Richard Purdie
parent e56ac9e229
commit c5c9fa771d
3 changed files with 226 additions and 0 deletions

View File

@@ -0,0 +1,117 @@
From 63aee871365f9c9e7fa9125672302a0fb250d34d Mon Sep 17 00:00:00 2001
From: Gert Wollny <gert.wollny@collabora.com>
Date: Tue, 30 Nov 2021 09:16:24 +0100
Subject: [PATCH 2/2] vrend: propperly check whether the shader image range is
correct
Also add a test to check the integer underflow.
Closes: #251
Signed-off-by: Gert Wollny <gert.wollny@collabora.com>
Reviewed-by: Chia-I Wu <olvaffe@gmail.com>
cherry-pick from anongit.freedesktop.org/virglrenderer
commit 2aed5d4...
CVE: CVE-2022-0135
Upstream-Status: Backport
Signed-off-by: Joe Slater <joe.slater@windriver.com>
---
src/vrend_decode.c | 3 +-
tests/test_fuzzer_formats.c | 57 +++++++++++++++++++++++++++++++++++++
2 files changed, 59 insertions(+), 1 deletion(-)
diff --git a/src/vrend_decode.c b/src/vrend_decode.c
index 91f5f24..6771b10 100644
--- a/src/vrend_decode.c
+++ b/src/vrend_decode.c
@@ -1249,8 +1249,9 @@ static int vrend_decode_set_shader_images(struct vrend_context *ctx, const uint3
if (num_images < 1) {
return 0;
}
+
if (start_slot > PIPE_MAX_SHADER_IMAGES ||
- start_slot > PIPE_MAX_SHADER_IMAGES - num_images)
+ start_slot + num_images > PIPE_MAX_SHADER_IMAGES)
return EINVAL;
for (uint32_t i = 0; i < num_images; i++) {
diff --git a/tests/test_fuzzer_formats.c b/tests/test_fuzzer_formats.c
index 154a2e5..e32caf0 100644
--- a/tests/test_fuzzer_formats.c
+++ b/tests/test_fuzzer_formats.c
@@ -958,6 +958,61 @@ static void test_vrend_set_signle_abo_heap_overflow() {
virgl_renderer_submit_cmd((void *) cmd, ctx_id, 0xde);
}
+static void test_vrend_set_shader_images_overflow()
+{
+ uint32_t num_shaders = PIPE_MAX_SHADER_IMAGES + 1;
+ uint32_t size = num_shaders * VIRGL_SET_SHADER_IMAGE_ELEMENT_SIZE + 3;
+ uint32_t cmd[size];
+ int i = 0;
+ cmd[i++] = ((size - 1)<< 16) | 0 << 8 | VIRGL_CCMD_SET_SHADER_IMAGES;
+ cmd[i++] = PIPE_SHADER_FRAGMENT;
+ memset(&cmd[i], 0, size - i);
+
+ virgl_renderer_submit_cmd((void *) cmd, ctx_id, size);
+}
+
+/* Test adapted from yaojun8558363@gmail.com:
+ * https://gitlab.freedesktop.org/virgl/virglrenderer/-/issues/250
+*/
+static void test_vrend_3d_resource_overflow() {
+
+ struct virgl_renderer_resource_create_args resource;
+ resource.handle = 0x4c474572;
+ resource.target = PIPE_TEXTURE_2D_ARRAY;
+ resource.format = VIRGL_FORMAT_Z24X8_UNORM;
+ resource.nr_samples = 2;
+ resource.last_level = 0;
+ resource.array_size = 3;
+ resource.bind = VIRGL_BIND_SAMPLER_VIEW;
+ resource.depth = 1;
+ resource.width = 8;
+ resource.height = 4;
+ resource.flags = 0;
+
+ virgl_renderer_resource_create(&resource, NULL, 0);
+ virgl_renderer_ctx_attach_resource(ctx_id, resource.handle);
+
+ uint32_t size = 0x400;
+ uint32_t cmd[size];
+ int i = 0;
+ cmd[i++] = (size - 1) << 16 | 0 << 8 | VIRGL_CCMD_RESOURCE_INLINE_WRITE;
+ cmd[i++] = resource.handle;
+ cmd[i++] = 0; // level
+ cmd[i++] = 0; // usage
+ cmd[i++] = 0; // stride
+ cmd[i++] = 0; // layer_stride
+ cmd[i++] = 0; // x
+ cmd[i++] = 0; // y
+ cmd[i++] = 0; // z
+ cmd[i++] = 8; // w
+ cmd[i++] = 4; // h
+ cmd[i++] = 3; // d
+ memset(&cmd[i], 0, size - i);
+
+ virgl_renderer_submit_cmd((void *) cmd, ctx_id, size);
+}
+
+
int main()
{
initialize_environment();
@@ -980,6 +1035,8 @@ int main()
test_cs_nullpointer_deference();
test_vrend_set_signle_abo_heap_overflow();
+ test_vrend_set_shader_images_overflow();
+ test_vrend_3d_resource_overflow();
virgl_renderer_context_destroy(ctx_id);
virgl_renderer_cleanup(&cookie);
--
2.25.1

View File

@@ -0,0 +1,107 @@
From 5ca7aca001092c557f0b6fc1ba3db7dcdab860b7 Mon Sep 17 00:00:00 2001
From: Gert Wollny <gert.wollny@collabora.com>
Date: Tue, 30 Nov 2021 09:29:42 +0100
Subject: [PATCH 1/2] vrend: clear memory when allocating a host-backed memory
resource
Closes: #249
Signed-off-by: Gert Wollny <gert.wollny@collabora.com>
Reviewed-by: Chia-I Wu <olvaffe@gmail.com>
cherry-pick from anongit.freedesktop.org/virglrenderer
commit b05bb61...
CVE: CVE-2022-0175
Upstream-Status: Backport
Signed-off-by: Joe Slater <joe.slater@windriver.com>
---
src/vrend_renderer.c | 2 +-
tests/test_virgl_transfer.c | 51 +++++++++++++++++++++++++++++++++++++
2 files changed, 52 insertions(+), 1 deletion(-)
diff --git a/src/vrend_renderer.c b/src/vrend_renderer.c
index b8b2a36..2650cf2 100644
--- a/src/vrend_renderer.c
+++ b/src/vrend_renderer.c
@@ -6788,7 +6788,7 @@ vrend_resource_alloc_buffer(struct vrend_resource *gr, uint32_t flags)
if (bind == VIRGL_BIND_CUSTOM) {
/* use iovec directly when attached */
gr->storage_bits |= VREND_STORAGE_HOST_SYSTEM_MEMORY;
- gr->ptr = malloc(size);
+ gr->ptr = calloc(1, size);
if (!gr->ptr)
return -ENOMEM;
} else if (bind == VIRGL_BIND_STAGING) {
diff --git a/tests/test_virgl_transfer.c b/tests/test_virgl_transfer.c
index bf7f438..3c53c3d 100644
--- a/tests/test_virgl_transfer.c
+++ b/tests/test_virgl_transfer.c
@@ -952,6 +952,56 @@ START_TEST(virgl_test_transfer_near_res_bounds_with_stride_succeeds)
}
END_TEST
+START_TEST(test_vrend_host_backed_memory_no_data_leak)
+{
+ struct iovec iovs[1];
+ int niovs = 1;
+
+ struct virgl_context ctx = {0};
+
+ int ret = testvirgl_init_ctx_cmdbuf(&ctx);
+
+ struct virgl_renderer_resource_create_args res;
+ res.handle = 0x400;
+ res.target = PIPE_BUFFER;
+ res.format = VIRGL_FORMAT_R8_UNORM;
+ res.nr_samples = 0;
+ res.last_level = 0;
+ res.array_size = 1;
+ res.bind = VIRGL_BIND_CUSTOM;
+ res.depth = 1;
+ res.width = 32;
+ res.height = 1;
+ res.flags = 0;
+
+ uint32_t size = 32;
+ uint8_t* data = calloc(1, size);
+ memset(data, 1, 32);
+ iovs[0].iov_base = data;
+ iovs[0].iov_len = size;
+
+ struct pipe_box box = {0,0,0, size, 1,1};
+
+ virgl_renderer_resource_create(&res, NULL, 0);
+ virgl_renderer_ctx_attach_resource(ctx.ctx_id, res.handle);
+
+ ret = virgl_renderer_transfer_read_iov(res.handle, ctx.ctx_id, 0, 0, 0,
+ (struct virgl_box *)&box, 0, iovs, niovs);
+
+ ck_assert_int_eq(ret, 0);
+
+ for (int i = 0; i < 32; ++i)
+ ck_assert_int_eq(data[i], 0);
+
+ virgl_renderer_ctx_detach_resource(1, res.handle);
+
+ virgl_renderer_resource_unref(res.handle);
+ free(data);
+
+}
+END_TEST
+
+
static Suite *virgl_init_suite(void)
{
Suite *s;
@@ -981,6 +1031,7 @@ static Suite *virgl_init_suite(void)
tcase_add_test(tc_core, virgl_test_transfer_buffer_bad_strides);
tcase_add_test(tc_core, virgl_test_transfer_2d_array_bad_layer_stride);
tcase_add_test(tc_core, virgl_test_transfer_2d_bad_level);
+ tcase_add_test(tc_core, test_vrend_host_backed_memory_no_data_leak);
tcase_add_loop_test(tc_core, virgl_test_transfer_res_read_valid, 0, PIPE_MAX_TEXTURE_TYPES);
tcase_add_loop_test(tc_core, virgl_test_transfer_res_write_valid, 0, PIPE_MAX_TEXTURE_TYPES);
--
2.25.1

View File

@@ -12,6 +12,8 @@ DEPENDS = "libdrm virtual/libgl virtual/libgbm libepoxy"
SRCREV = "363915595e05fb252e70d6514be2f0c0b5ca312b"
SRC_URI = "git://anongit.freedesktop.org/virglrenderer;branch=branch-0.9.1 \
file://0001-meson.build-use-python3-directly-for-python.patch \
file://cve-2022-0135.patch \
file://cve-2022-0175.patch \
"
S = "${WORKDIR}/git"