<div dir="ltr">On 2 January 2014 03:58, Tapani Pälli <<a href="mailto:tapani.palli@intel.com" target="_blank">tapani.palli@intel.com</a>> wrote: <div class="gmail_extra"><div class="gmail_quote"> <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">+ + +/** + * Reads header part of the binary blob. Main purpose of this header is to + * validate that cached shader was produced with same Mesa driver version. + */ +int +ir_deserializer::read_header(struct gl_shader *shader) +{ + char *cache_magic_id = map->read_string(); + char *driver_vendor = map->read_string(); + char *driver_renderer = map->read_string(); + + /* only used or debug output, silence compiler warning */ + (void) driver_vendor; + (void) driver_renderer; </blockquote><div> </div><div>A single version of Mesa potentially supports many different hardware types, and those different hardware types may define different values of GLSL built-in constants. They also may require core Mesa to do different sets of lowering passes during compilation. So we can't just ignore driver_vendor and driver_renderer. We need to reject the binary blob if they don't match. </div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> + + shader->Version = map->read_uint32_t(); + shader->Type = map->read_uint32_t(); + shader->IsES = map->read_uint8_t(); + + CACHE_DEBUG("%s: version %d, type 0x%x, %s (mesa %s)\n[%s %s]\n", + __func__, shader->Version, shader->Type, + (shader->IsES) ? "glsl es" : "desktop glsl", + cache_magic_id, driver_vendor, driver_renderer); + + const char *magic = mesa_get_shader_cache_magic(); + + if (memcmp(cache_magic_id, magic, strlen(magic))) + return DIFFERENT_MESA_VER; </blockquote><div> </div><div>If cache_magic_id is "foobar" and magic is "foo", this will erroneusly consider them equal. The correct way to do this is to use strcmp(). </div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> + + /* post-link data */ + shader->num_samplers = map->read_uint32_t(); + shader->active_samplers = map->read_uint32_t(); + shader->shadow_samplers = map->read_uint32_t(); + shader->num_uniform_components = map->read_uint32_t(); + shader->num_combined_uniform_components = map->read_uint32_t(); + shader->uses_builtin_functions = map->read_uint8_t(); + + map->read(&shader->Geom, sizeof(shader->Geom)); + + for (unsigned i = 0; i < MAX_SAMPLERS; i++) + shader->SamplerUnits[i] = map->read_uint8_t(); + + for (unsigned i = 0; i < MAX_SAMPLERS; i++) + shader->SamplerTargets[i] = (gl_texture_index) map->read_int32_t(); + + return 0; +} + + +const glsl_type * +ir_deserializer::read_glsl_type() +{ + char *name = map->read_string(); + uint32_t type_size = map->read_uint32_t(); + + const glsl_type *existing_type = + state->symbols->get_type(name); + + /* if type exists, move read pointer forward and return type */ + if (existing_type) { + map->ffwd(type_size); + return existing_type; + } + + uint8_t base_type = map->read_uint8_t(); + uint32_t length = map->read_uint32_t(); + uint8_t vector_elms = map->read_uint8_t(); + uint8_t matrix_cols = map->read_uint8_t(); + uint8_t interface_packing = map->read_uint8_t(); + + /* array type has additional element_type information */ + if (base_type == GLSL_TYPE_ARRAY) { + const glsl_type *element_type = read_glsl_type(); + if (!element_type) { + CACHE_DEBUG("error reading array element type\n"); + return NULL; + } + return glsl_type::get_array_instance(element_type, length); + } + + /* structures have fields containing of names and types */ + else if (base_type == GLSL_TYPE_STRUCT || + base_type == GLSL_TYPE_INTERFACE) { + glsl_struct_field *fields = ralloc_array(mem_ctx, + glsl_struct_field, length); + + if (!fields) + return glsl_type::error_type; + + for (unsigned k = 0; k < length; k++) { + uint8_t row_major, interpolation, centroid; + int32_t location; + char *field_name = map->read_string(); + fields[k].name = _mesa_strdup(field_name); + fields[k].type = read_glsl_type(); + row_major = map->read_uint8_t(); + location = map->read_int32_t(); + interpolation = map->read_uint8_t(); + centroid = map->read_uint8_t(); + fields[k].row_major = row_major; + fields[k].location = location; + fields[k].interpolation = interpolation; + fields[k].centroid = centroid; </blockquote><div> </div><div>Another security issue: if the binary blob is corrupted, length may be outrageously large (e.g. 0xffffffff). We need a way for this loop to bail out and exit if it tries to read past the end of the binary blob. </div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> + } + + const glsl_type *ret_type = NULL; + + if (base_type == GLSL_TYPE_STRUCT) + ret_type = glsl_type::get_record_instance(fields, length, name); + else if (base_type == GLSL_TYPE_INTERFACE) + ret_type = glsl_type::get_interface_instance(fields, + length, (glsl_interface_packing) interface_packing, name); + + /* free allocated memory */ + for (unsigned k = 0; k < length; k++) + free((void *)fields[k].name); + ralloc_free(fields); + + return ret_type; + } + + return glsl_type::get_instance(base_type, vector_elms, matrix_cols); +} + + +ir_instruction * +ir_deserializer::read_ir_variable() +{ + const glsl_type *type = read_glsl_type(); + + char *name = map->read_string(); + int64_t unique_id = map->read_int64_t(); + uint8_t mode = map->read_uint8_t(); + + ir_variable *var = new(mem_ctx)ir_variable(type, + name, (ir_variable_mode) mode); + + if (!var) + return NULL; + + map->read(&var->data, sizeof(var->data)); + + var->num_state_slots = map->read_uint32_t(); + uint8_t has_constant_value = map->read_uint8_t(); + uint8_t has_constant_initializer = map->read_uint8_t(); + + var->state_slots = NULL; + + if (var->num_state_slots > 0) { + var->state_slots = ralloc_array(var, ir_state_slot, + var->num_state_slots); </blockquote><div> </div><div>Security issue: if the shader blob is corrupted, num_state_slots could be outrageously large, causing this memory allocation to fail (which would then cause the loop below to perform illegal memory accesses). We should validate that num_state_slots is within a reasonable range, and if it isn't, abort reading the binary blob. </div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> + + for (unsigned i = 0; i < var->num_state_slots; i++) { + var->state_slots[i].swizzle = map->read_int32_t(); + for (int j = 0; j < 5; j++) { + var->state_slots[i].tokens[j] = map->read_int32_t(); + } + } + } + + if (has_constant_value) + var->constant_value = read_ir_constant(); + + if (has_constant_initializer) + var->constant_initializer = read_ir_constant(); + + uint8_t has_interface_type = map->read_uint8_t(); + + if (has_interface_type) + var->init_interface_type(read_glsl_type()); + + /** + * Store address to this variable so that variable + * dereference readers can find it later. + */ + _mesa_hash_table_insert(var_ht, hash_value, + (void*) (intptr_t) unique_id, var); + + return var; +} + + +ir_instruction * +ir_deserializer::read_ir_function(bool prototypes_only) +{ + uint8_t is_builtin = 0; + uint8_t ir_type; + uint32_t len; + + char *name = map->read_string(); + uint32_t num_signatures = map->read_uint32_t(); + + ir_function *f = new(mem_ctx) ir_function(name); + ir_function_signature *sig = NULL; + + /* add all signatures to the function */ + for (unsigned j = 0; j < num_signatures; j++) { </blockquote><div> </div><div>Security issue: if the blob is corrupted, num_signatures may be outrageously large. We need a way for this loop to bail out if we try to read past the end of the blob. </div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> + + /* ir_function_signature */ + ir_type = map->read_uint8_t(); + len = map->read_uint32_t(); + + /* used for debugging */ + (void) ir_type; + (void) len; </blockquote><div> </div><div>This is a nice opportunity to do some validation and detect corrupted blobs. I think we should go ahead and do that. </div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> + + is_builtin = map->read_uint8_t(); + + CACHE_DEBUG("%s: [%s] (is_builtin %d)\n", __func__, name, is_builtin); + + const glsl_type *return_type = read_glsl_type(); + + if (!return_type) { + CACHE_DEBUG("no return type found for [%s]\n", name); + return NULL; + } + + sig = new(mem_ctx) ir_function_signature(return_type); + + /* fill parameters for function signature */ + if (deserialize_list(&sig->parameters)) + goto read_errors; + + /* fill instructions for the function body */ + if (!prototypes_only) { + uint32_t body_count = map->read_uint32_t(); + for (unsigned k = 0; k < body_count; k++) + if (read_instruction(&sig->body, is_builtin ? true : false)) + goto read_errors; + sig->is_defined = body_count ? 1 : 0; + } + + if (!is_builtin) { + f->add_signature(sig); + } else { + ir_function_signature *builtin_sig = + _mesa_glsl_find_builtin_function(state, name, &sig->parameters); + + if (builtin_sig) { + CACHE_DEBUG("found builtin signature for [%s]\n", name); + f->add_signature(sig); + } else { + CACHE_DEBUG("cannot find builtin, function [%s]\n", name); + return NULL; + } + } + + } /* for each function signature */ + + CACHE_DEBUG("added %s function [%s]\n", + is_builtin ? "builtin" : "user", name); + + return f; + +read_errors: + CACHE_DEBUG("%s: read errors with [%s]\n", __func__, name); + if (sig) + ralloc_free(sig); + return NULL; + +} + + +ir_dereference_array * +ir_deserializer::read_ir_dereference_array() +{ + uint8_t ir_type = map->read_uint8_t(); + uint32_t len = map->read_uint32_t(); + + /* used for debugging */ + (void) ir_type; + (void) len; </blockquote><div> </div><div>We should validate these too. Similar comments apply throughout this file. </div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> + + CACHE_DEBUG("%s: ir_type %d len %d\n", __func__, ir_type, len); + + ir_rvalue *array_rval = read_ir_rvalue(); + ir_rvalue *index_rval = read_ir_rvalue(); + + if (array_rval && index_rval) + return new(mem_ctx) ir_dereference_array(array_rval, index_rval); + + CACHE_DEBUG("%s: could not get rvalues", __func__); + return NULL; +} + + + + +ir_constant * +ir_deserializer::read_ir_constant() +{ + ir_constant *con = NULL; + uint8_t ir_type = map->read_uint8_t(); + uint32_t len = map->read_uint32_t(); + + /* used for debugging */ + (void) ir_type; + (void) len; + + const glsl_type *constant_type = read_glsl_type(); + + /* data structure */ + ir_constant_data data; + map->read(&data, sizeof(data)); + + con = new(mem_ctx) ir_constant(constant_type, &data); + + /* constant with array of constants */ + if (constant_type->base_type == GLSL_TYPE_ARRAY) { + con->array_elements = ralloc_array(mem_ctx, ir_constant *, + constant_type->length); + + for (unsigned i = 0; i < constant_type->length; i++) + con->array_elements[i] = read_ir_constant(); </blockquote><div> </div><div>Security issue: if the blob is corrupted, constant_type->length might be outrageously large. We need a way for this loop to terminate if we try to read past the end of the blob. </div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> + + } else if (constant_type->base_type == GLSL_TYPE_STRUCT) { + if (deserialize_list(&con->components)) { + ralloc_free(con); + return NULL; + } + } + + return con; +} + + + + +/** + * Go through the blob and read prototypes for the functions + */ +int +ir_deserializer::read_prototypes(unsigned list_len) +{ + uint32_t ir_start = map->position(); + + for (unsigned k = 0; k < list_len; k++) { </blockquote><div> </div><div>Security issue: we need a way for this loop to exit if we try to read beyond the end of the blob. </div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> + /* peek type of next instruction */ </blockquote><div> </div><div>"peek" implies that you're going to look at the data but not advance the read pointer. But it looks like you're advancing the read pointer anyhow. Which is correct, the code or the comment? </div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> + uint8_t ir_type = map->read_uint8_t(); + uint32_t len = map->read_uint32_t(); + + /* ignore if not ir_function */ + if (ir_type != ir_type_function) { + map->ffwd(len); + continue; + } + + ir_instruction *func = read_ir_function(true); + if (!func) + return -1; + + prototypes->push_tail(func); + } + + /* go back to beginning */ + map->jump(ir_start); + return 0; +} + + +struct gl_shader * +ir_deserializer::deserialize(void *mem_ctx, memory_map *map, + uint32_t shader_size, int *error_code) +{ + int error = 0; + + *error_code = ir_deserializer::GENERAL_READ_ERROR; + + this->map = map; + + uint32_t type = map->read_uint32_t(); + uint32_t exec_list_len; + + GET_CURRENT_CONTEXT(ctx); + struct gl_shader *shader = ctx->Driver.NewShader(NULL, 0, type); + + if (!shader) + return NULL; + + shader->Source = NULL; + shader->Label = NULL; + shader->InfoLog = ralloc_strdup(mem_ctx, ""); + shader->ir = NULL; + + if (read_header(shader)) { + *error_code = ir_deserializer::DIFFERENT_MESA_VER; + goto error_deserialize; + } + + /** + * parse state is used to find builtin functions and + * existing types during reading + */ + state = new(mem_ctx) _mesa_glsl_parse_state(ctx, shader->Type, shader); + + /* fill parse state from shader header information */ + switch (shader->Type) { + case GL_VERTEX_SHADER: + state->target = MESA_SHADER_VERTEX; + break; + case GL_FRAGMENT_SHADER: + state->target = MESA_SHADER_FRAGMENT; + break; + case GL_GEOMETRY_SHADER_ARB: + state->target = MESA_SHADER_GEOMETRY; + break; </blockquote><div> </div><div>There should be a default case here to handle corrupted blobs with an illegal type. </div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> + } + + state->uses_builtin_functions = true; + _mesa_glsl_initialize_builtin_functions(); + _mesa_glsl_initialize_types(state); + + /* allocations during reading */ + this->mem_ctx = mem_ctx; + + prototypes = new(mem_ctx) exec_list; + shader->ir = new(shader) exec_list; + + exec_list_len = map->read_uint32_t(); + + error = read_prototypes(exec_list_len); + + CACHE_DEBUG("reading %d IR instructions\n", exec_list_len); + + /* top level exec_list read loop, constructs a new list */ + while(map->position() < shader_size && error == 0) + error = read_instruction(shader->ir); + + ralloc_free(prototypes); + + if (error) + goto error_deserialize; + + *error_code = 0; + + shader->CompileStatus = GL_TRUE; + + /* allocates glsl_symbol_table internally */ + populate_symbol_table(shader); + + validate_ir_tree(shader->ir); + + CACHE_DEBUG("shader from cache\n"); + + return shader; + +error_deserialize: + ralloc_free(shader); + return NULL; +} </blockquote></div></div></div>