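--- /dev/null
+++ b/SPECS/virglrenderer/CVE-2022-0135.patch
@@ -0,0 +1,95 @@
+From 95e581fd181b213c2ed7cdc63f2abc03eaaa77ec Mon Sep 17 00:00:00 2001
+From: Gert Wollny <[email protected]>
+Date: Tue, 30 Nov 2021 10:17:26 +0100
+Subject: [PATCH] vrend: Add test to resource OOB write and fix it
+
+v2: Also check that no depth != 1 has been send when none is due
+
+Closes: #250
+Signed-off-by: Gert Wollny <[email protected]>
+Reviewed-by: Chia-I Wu <[email protected]>
+---
+src/vrend_renderer.c | 3 +++
+tests/test_fuzzer_formats.c | 43 +++++++++++++++++++++++++++++++++++++
+2 files changed, 46 insertions(+)
+
+diff --git a/src/vrend_renderer.c b/src/vrend_renderer.c
+index 28f669727..357b81b20 100644
+--- a/src/vrend_renderer.c
++++ b/src/vrend_renderer.c
+@@ -7833,8 +7833,11 @@ static int vrend_renderer_transfer_write_iov(struct vrend_context *ctx,
+info->box->height) * elsize;
+if (res->target == GL_TEXTURE_3D ||
+res->target == GL_TEXTURE_2D_ARRAY ||
++ res->target == GL_TEXTURE_2D_MULTISAMPLE_ARRAY ||
+res->target == GL_TEXTURE_CUBE_MAP_ARRAY)
+send_size *= info->box->depth;
++ else if (need_temp && info->box->depth != 1)
++ return EINVAL;
+
+if (need_temp) {
+data = malloc(send_size);
+diff --git a/tests/test_fuzzer_formats.c b/tests/test_fuzzer_formats.c
+index 59d6fb671..2de9a9a3f 100644
+--- a/tests/test_fuzzer_formats.c
++++ b/tests/test_fuzzer_formats.c
+@@ -957,6 +957,48 @@ static void test_vrend_set_signle_abo_heap_overflow() {
+virgl_renderer_submit_cmd((void *) cmd, ctx_id, 0xde);
+}
+
++/* Test adapted from [email protected]:
++ * https://gitlab.freedesktop.org/virgl/virglrenderer/-/issues/250
++*/
++static void test_vrend_3d_resource_overflow() {
++
++ struct virgl_renderer_resource_create_args resource;
++ resource.handle = 0x4c474572;
++ resource.target = PIPE_TEXTURE_2D_ARRAY;
++ resource.format = VIRGL_FORMAT_Z24X8_UNORM;
++ resource.nr_samples = 2;
++ resource.last_level = 0;
++ resource.array_size = 3;
++ resource.bind = VIRGL_BIND_SAMPLER_VIEW;
++ resource.depth = 1;
++ resource.width = 8;
++ resource.height = 4;
++ resource.flags = 0;
++
++ virgl_renderer_resource_create(&resource, NULL, 0);
++ virgl_renderer_ctx_attach_resource(ctx_id, resource.handle);
++
++ uint32_t size = 0x400;
++ uint32_t cmd[size];
++ int i = 0;
++ cmd[i++] = (size - 1) << 16 | 0 << 8 | VIRGL_CCMD_RESOURCE_INLINE_WRITE;
++ cmd[i++] = resource.handle;
++ cmd[i++] = 0; // level
++ cmd[i++] = 0; // usage
++ cmd[i++] = 0; // stride
++ cmd[i++] = 0; // layer_stride
++ cmd[i++] = 0; // x
++ cmd[i++] = 0; // y
++ cmd[i++] = 0; // z
++ cmd[i++] = 8; // w
++ cmd[i++] = 4; // h
++ cmd[i++] = 3; // d
++ memset(&cmd[i], 0, size - i);
++
++ virgl_renderer_submit_cmd((void *) cmd, ctx_id, size);
++}
++
++
+int main()
+{
+initialize_environment();
+@@ -979,6 +1021,7 @@ int main()
+test_cs_nullpointer_deference();
+test_vrend_set_signle_abo_heap_overflow();
+
++ test_vrend_3d_resource_overflow();
+
+virgl_renderer_context_destroy(ctx_id);
+virgl_renderer_cleanup(&cookie);
+--
+GitLab
+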
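Review bot: In the added test test_vrend_3d_resource_overflow the command buffer is only partly cleared: `memset(&cmd[i], 0, size - i)` passes a byte count while `cmd` is a `uint32_t` array, so roughly three quarters of the payload handed to virgl_renderer_submit_cmd is uninitialized stack memory; the intended line is `memset(&cmd[i], 0, (size - i) * sizeof cmd[0]);`. The test still drives the box geometry that triggered the overflow, but the payload differs between runs, which can make the result noisy under sanitizers or a fuzzing harness. This file is upstream commit 95e581fd applied verbatim with `%autosetup -p1`, so the correction belongs in an upstream follow-up rather than in this vendored copy. In the src/vrend_renderer.c hunk the new `else if (need_temp && info->box->depth != 1) return EINVAL;` guard only covers the temporary-buffer path; vrend_renderer_transfer_write_iov begins and ends outside the hunk, so whether depth is bounded on the non-temp path cannot be confirmed from here.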
8 changes: 6 additions & 2 deletions SPECS/virglrenderer/virglrenderer.spec
@@ -1,12 +1,13 @@
Summary: Virgl Rendering library.
Name: virglrenderer
Version: 0.9.1
Release: 1%{?dist}
Release: 2%{?dist}
License: MIT
Vendor: Microsoft Corporation
Distribution: Mariner
URL: https://gitlab.freedesktop.org/virgl/virglrenderer
Source0: %{url}/-/archive/%{name}-%{version}/%{name}-%{name}-%{version}.tar.gz
Patch0: CVE-2022-0135.patch

BuildRequires: libdrm-devel
BuildRequires: libepoxy-devel
Expand Down Expand Up @@ -38,7 +39,7 @@ that can be used along with the mesa virgl
driver to test virgl rendering without GL.

%prep
%autosetup -n %{name}-%{name}-%{version}
%autosetup -p1 -n %{name}-%{name}-%{version}

%build
%meson
Expand All @@ -64,6 +65,9 @@ driver to test virgl rendering without GL.
%{_bindir}/virgl_test_server

%changelog
* Thu Sep 01 2022 Henry Beberman <[email protected]> - 0.9.1-2
- Apply CVE-2022-0135 patch from upstream.

* Tue Nov 30 2021 Pawel Winogrodzki <[email protected]> - 0.9.1-1
- Updating to version 0.9.1.
- License verified.