Mesa (9.1): i965: fix problem with constant out of bounds access (v3)

Ian Romanick idr at kemper.freedesktop.org
Wed Jun 26 17:58:38 UTC 2013


Module: Mesa
Branch: 9.1
Commit: 039cf3aaf23b151d22cb3587062be052a16272a4
URL:    http://cgit.freedesktop.org/mesa/mesa/commit/?id=039cf3aaf23b151d22cb3587062be052a16272a4

Author: Dave Airlie <airlied at gmail.com>
Date:   Thu May 30 20:21:56 2013 +1000

i965: fix problem with constant out of bounds access (v3)

Okay, I now understand why Frank would want to run away; this is
my attempt at fixing the CVE out of bounds access to constants
outside the range. This attempt converts any illegal constants
to constant 0 as per the GL spec, and is undefined behaviour.

A future patch should add some debug for users to find this out,
but this needs to be backported to stable branches.

CVE-2013-1872

v2: drop the last hunk which was a separate fix (now in master).
hopefully fix the indentations.

v3: don't fail piglit, the whole 8/16 dispatch stuff was over
my head, and I spent a while figuring it out, but this one is
definitely safe, one piglit pass extra on my Ironlake.

NOTE: This is a candidate for stable branches.

Signed-off-by: Dave Airlie <airlied at redhat.com>
(cherry picked from commit 0677ea063cd96adefe87c1fb01ef7c66d905535b)

---

 src/mesa/drivers/dri/i965/brw_fs.cpp         |   15 ++++++++++++++-
 src/mesa/drivers/dri/i965/brw_fs.h           |    1 +
 src/mesa/drivers/dri/i965/brw_fs_visitor.cpp |    1 +
 3 files changed, 16 insertions(+), 1 deletions(-)

diff --git a/src/mesa/drivers/dri/i965/brw_fs.cpp b/src/mesa/drivers/dri/i965/brw_fs.cpp
index 45de480..565bc63 100644
--- a/src/mesa/drivers/dri/i965/brw_fs.cpp
+++ b/src/mesa/drivers/dri/i965/brw_fs.cpp
@@ -820,6 +820,7 @@ fs_visitor::import_uniforms(fs_visitor *v)
 			   import_uniforms_callback,
 			   variable_ht);
    this->params_remap = v->params_remap;
+   this->nr_params_remap = v->nr_params_remap;
 }
 
 /* Our support for uniforms is piggy-backed on the struct
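Review bot: copying nr_params_remap together with params_remap is the right pairing, because the importing visitor shares the same params_remap array and the bound used later in remove_dead_constants has to describe that array, not the importing visitor's own c->prog_data.nr_params. A short comment at the declaration in brw_fs.h saying that the two fields always travel together would make this dependency explicit for the next person who adds an import path.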
@@ -1492,6 +1493,7 @@ fs_visitor::remove_dead_constants()
 {
    if (dispatch_width == 8) {
       this->params_remap = ralloc_array(mem_ctx, int, c->prog_data.nr_params);
+      this->nr_params_remap = c->prog_data.nr_params;
 
       for (unsigned int i = 0; i < c->prog_data.nr_params; i++)
 	 this->params_remap[i] = -1;
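Review bot: nr_params_remap is only assigned on the dispatch_width == 8 path, so on the 16-wide path the bound is whatever import_uniforms copied in, or the constructor's 0 when nothing was imported. With nr_params_remap == 0 the range check at the end of this function aliases every uniform source to index 0 and then indexes a NULL params_remap, so an `assert(this->params_remap != NULL && this->nr_params_remap > 0)` ahead of the second loop would turn that into a clear failure instead of a crash.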
@@ -1506,7 +1508,14 @@ fs_visitor::remove_dead_constants()
 	    if (inst->src[i].file != UNIFORM)
 	       continue;
 
-	    assert(constant_nr < (int)c->prog_data.nr_params);
+	    /* Section 5.11 of the OpenGL 4.3 spec says:
+	     *
+	     *     "Out-of-bounds reads return undefined values, which include
+	     *     values from other variables of the active program or zero."
+	     */
+	    if (constant_nr < 0 || constant_nr >= (int)c->prog_data.nr_params) {
+	       constant_nr = 0;
+	    }
 
 	    /* For now, set this to non-negative.  We'll give it the
 	     * actual new number in a moment, in order to keep the
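Review bot: the fallback `constant_nr = 0` assumes c->prog_data.nr_params is at least 1; a UNIFORM source reaching this code with nr_params == 0 would still hand index 0 to params_remap below. Either add `assert(c->prog_data.nr_params > 0)` before the clamp or note in the comment why that case cannot occur. The commit message also says a debug message for users is deferred to a later patch; since this change silently hides the shader's out-of-bounds access from the developer, that follow-up should land before the next stable release.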
@@ -1554,6 +1563,10 @@ fs_visitor::remove_dead_constants()
 	 if (inst->src[i].file != UNIFORM)
 	    continue;
 
+	 /* as above alias to 0 */
+	 if (constant_nr < 0 || constant_nr >= (int)this->nr_params_remap) {
+	    constant_nr = 0;
+	 }
 	 assert(this->params_remap[constant_nr] != -1);
 	 inst->src[i].reg = this->params_remap[constant_nr];
 	 inst->src[i].reg_offset = 0;
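Review bot: this pass bounds against this->nr_params_remap while the first pass bounds against c->prog_data.nr_params, and the comment `/* as above alias to 0 */` does not say why the two differ (the remap array's own length versus the current param count), so a later reader may "fix" one to match the other. The `assert(this->params_remap[constant_nr] != -1)` that follows is only valid for the aliased index 0 because the first pass marks that slot non-negative after its own aliasing; a sentence in the comment recording that ordering dependency would help.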
diff --git a/src/mesa/drivers/dri/i965/brw_fs.h b/src/mesa/drivers/dri/i965/brw_fs.h
index 36fd0f2..3e52e96 100644
--- a/src/mesa/drivers/dri/i965/brw_fs.h
+++ b/src/mesa/drivers/dri/i965/brw_fs.h
@@ -440,6 +440,7 @@ public:
     * uniform index.
     */
    int *params_remap;
+   int nr_params_remap;
 
    struct hash_table *variable_ht;
    fs_reg frag_depth;
diff --git a/src/mesa/drivers/dri/i965/brw_fs_visitor.cpp b/src/mesa/drivers/dri/i965/brw_fs_visitor.cpp
index 65528d5..004be6d 100644
--- a/src/mesa/drivers/dri/i965/brw_fs_visitor.cpp
+++ b/src/mesa/drivers/dri/i965/brw_fs_visitor.cpp
@@ -2322,6 +2322,7 @@ fs_visitor::fs_visitor(struct brw_context *brw,
    this->live_intervals_valid = false;
 
    this->params_remap = NULL;
+   this->nr_params_remap = 0;
 
    this->force_uncompressed_stack = 0;
    this->force_sechalf_stack = 0;
