[Bug 65968] Massive memory corruption in Planetary Annihilation Alpha

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Tue Feb 14 17:50:21 UTC 2017


https://bugs.freedesktop.org/show_bug.cgi?id=65968

Andreas Ringlstetter <andreas.ringlstetter at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |INVALID

--- Comment #12 from Andreas Ringlstetter <andreas.ringlstetter at gmail.com> ---
It's a bug in PA itself, not in Mesa.

The root cause is a race condition on the shared buffer which is used to
transfer the rendered HTML UI from the Coherent host process back to PA.

There is a missing mutex inside PA when the buffer gets reallocated as a result
of a window resize event. Effectively, this results in a use-after-free by the
render thread of the PA process.

The faster the realloc, the lower the chance of this bug occurring.
It's also subject to possibly missing protections against use after free
conditions on previously shared buffers. And also to the memory allocation
strategy, as a reuse of the same memory region without a clear leads to the
most visible effect.

Unfortunately, various Mesa drivers do not wipe the video memory after a buffer
was returned to the global pool!

-- 
You are receiving this mail because:
You are the assignee for the bug.
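The race described in the comment above, reduced to a minimal model as an added example. This is not code from the bug report, and it is not code from Planetary Annihilation, Coherent or Mesa; every name in it (`shared_frame`, `frame_resize_locked`, `frame_render_locked`, the two window sizes, the fill-byte marker) is a constructed stand-in. One thread plays the host that reallocates the shared UI buffer on each resize event, the other plays the render thread that reads it. The unlocked reader shows the vulnerable pattern (pointer, size and contents loaded without any lock, so a concurrent free turns the read into a use-after-free); the locked pair shows the mutex the comment says is missing, with the old buffer freed only after the swap has been published under the lock.

```c
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct shared_frame {
    pthread_mutex_t lock;
    uint8_t *pixels;   /* the buffer handed from the host process to the renderer */
    size_t size;
    uint8_t fill;      /* constructed marker: every byte of pixels equals fill */
};

static int frame_init(struct shared_frame *f, size_t size, uint8_t fill)
{
    f->pixels = malloc(size);
    if (!f->pixels) return -1;
    memset(f->pixels, fill, size);
    f->size = size;
    f->fill = fill;
    return pthread_mutex_init(&f->lock, NULL);
}

static void frame_destroy(struct shared_frame *f)
{
    free(f->pixels);
    pthread_mutex_destroy(&f->lock);
}

/* VULNERABLE pattern (shown for contrast, never run concurrently here): pointer
 * and size are loaded with no lock. If the host swaps and frees the buffer
 * between the load of f->pixels and the loop, p points at freed memory; a stale
 * size read against a fresh, smaller allocation also overruns it. */
int frame_render_unlocked(struct shared_frame *f)
{
    uint8_t *p = f->pixels;
    size_t n = f->size;
    for (size_t i = 0; i < n; i++)
        if (p[i] != f->fill) return 0;
    return 1;
}

/* Hardened host side: publish the new buffer under the lock and free the old one
 * only afterwards, when no reader can still be holding it. */
static int frame_resize_locked(struct shared_frame *f, size_t new_size, uint8_t fill)
{
    uint8_t *fresh = malloc(new_size);
    if (!fresh) return -1;
    memset(fresh, fill, new_size);
    pthread_mutex_lock(&f->lock);
    uint8_t *old = f->pixels;
    f->pixels = fresh;
    f->size = new_size;
    f->fill = fill;
    pthread_mutex_unlock(&f->lock);
    free(old);
    return 0;
}

/* Hardened render side: pointer, size and contents are read under one lock, so
 * they always belong to the same allocation. Returns 1 if the frame is
 * self-consistent, 0 if torn data was observed. */
static int frame_render_locked(struct shared_frame *f)
{
    int consistent = 1;
    pthread_mutex_lock(&f->lock);
    for (size_t i = 0; i < f->size; i++)
        if (f->pixels[i] != f->fill) { consistent = 0; break; }
    pthread_mutex_unlock(&f->lock);
    return consistent;
}

struct worker_args { struct shared_frame *f; int iterations; int torn; };

static void *host_thread(void *arg)   /* emulates a stream of window-resize events */
{
    struct worker_args *a = arg;
    for (int i = 0; i < a->iterations; i++)
        frame_resize_locked(a->f, (i & 1) ? 64 : 4096, (uint8_t)(i + 1));
    return NULL;
}

static void *render_thread(void *arg)
{
    struct worker_args *a = arg;
    for (int i = 0; i < a->iterations; i++)
        if (!frame_render_locked(a->f)) a->torn++;
    return NULL;
}

/* Runs the host and render threads against each other through the locked API.
 * Returns the number of torn frames the renderer observed (0 expected), or -1
 * on allocation failure. */
int run_locked_demo(int iterations)
{
    struct shared_frame f;
    if (frame_init(&f, 1024, 0) != 0) return -1;
    struct worker_args h = { &f, iterations, 0 }, r = { &f, iterations, 0 };
    pthread_t th, tr;
    pthread_create(&th, NULL, host_thread, &h);
    pthread_create(&tr, NULL, render_thread, &r);
    pthread_join(th, NULL);
    pthread_join(tr, NULL);
    frame_destroy(&f);
    return r.torn;
}

int main(void)
{
    printf("torn frames with locking: %d\n", run_locked_demo(10000));
    return 0;
}
```

Running the unlocked reader on a second thread instead of the locked one is exactly the bug the comment diagnoses, and whether it shows up as a crash, as stale pixels or as nothing at all depends on allocator reuse and on whether the freed memory is cleared, which matches the observation that the visible effect varies with allocation strategy and driver behaviour. Building the locked version with `-fsanitize=thread` or `-fsanitize=address` is the practical way to confirm that no access escapes the lock.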