Mesa (staging/20.1): st_glsl_to_nir: fix potential use after free

GitLab Mirror gitlab-mirror at kemper.freedesktop.org
Wed Jun 17 21:17:58 UTC 2020


Module: Mesa
Branch: staging/20.1
Commit: d552a65be0b8dcec41712b3d25bbac256b14fdd1
URL:    http://cgit.freedesktop.org/mesa/mesa/commit/?id=d552a65be0b8dcec41712b3d25bbac256b14fdd1

Author: Timothy Arceri <tarceri at itsqueeze.com>
Date:   Tue Jun 16 09:35:09 2020 +1000

st_glsl_to_nir: fix potential use after free

When updating the shader info used by GL for the API we must
remember to make sure to restore the pointers to its own name
and label strings. There are a number of ways in which the nir
copy of these strings can be freed before GL is finished with
them.

Fixes: 36be8c2fcf94 ("st/glsl_to_nir: use nir_shader_gather_info()")
Closes: https://gitlab.freedesktop.org/mesa/mesa/-/issues/2875

Reviewed-by: Marek Olšák <marek.olsak at amd.com>
Reviewed-by: Pierre-Eric Pelloux-Prayer <pierre-eric.pelloux-prayer at amd.com>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/5488>
(cherry picked from commit b2e9d21fdd679fba80c358ed7871c30987d10e05)

---

 .pick_status.json                         |  2 +-
 src/mesa/state_tracker/st_glsl_to_nir.cpp | 16 ++++++++++++++--
 2 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/.pick_status.json b/.pick_status.json
index b55ae721956..4e877f394d3 100644
--- a/.pick_status.json
+++ b/.pick_status.json
@@ -238,7 +238,7 @@
         "description": "st_glsl_to_nir: fix potential use after free",
         "nominated": true,
         "nomination_type": 1,
-        "resolution": 0,
+        "resolution": 1,
         "master_sha": null,
         "because_sha": "36be8c2fcf94f5d800aed6c3d39ef23b226fd0d5"
     },
diff --git a/src/mesa/state_tracker/st_glsl_to_nir.cpp b/src/mesa/state_tracker/st_glsl_to_nir.cpp
index d7277f7f5c5..2c5f9597b73 100644
--- a/src/mesa/state_tracker/st_glsl_to_nir.cpp
+++ b/src/mesa/state_tracker/st_glsl_to_nir.cpp
@@ -80,6 +80,19 @@ st_nir_fixup_varying_slots(struct st_context *st, struct exec_list *var_list)
    }
 }
 
+static void
+st_shader_gather_info(nir_shader *nir, struct gl_program *prog)
+{
+   nir_shader_gather_info(nir, nir_shader_get_entrypoint(nir));
+
+   /* Copy the info we just generated back into the gl_program */
+   const char *prog_name = prog->info.name;
+   const char *prog_label = prog->info.label;
+   prog->info = nir->info;
+   prog->info.name = prog_name;
+   prog->info.label = prog_label;
+}
+
 /* input location assignment for VS inputs must be handled specially, so
  * that it is aligned w/ st's vbo state.
  * (This isn't the case with, for ex, FS inputs, which only need to agree
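Review bot: the restore in st_shader_gather_info only covers the two pointer members the commit message names, name and label, so after the struct assignment `prog->info = nir->info;` any other pointer field that shader_info holds (now or in the future) would still alias NIR-owned memory. The comment above the copy should state why the swap is done and what it does not cover, for example `/* prog keeps ownership of its own name/label strings; the NIR copies may be freed before GL is done with them. Revisit if shader_info gains other heap pointers. */`, so the next person touching this struct copy sees the ownership rule at the point of use rather than only in the commit log.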
@@ -765,8 +778,7 @@ st_link_nir(struct gl_context *ctx,
       NIR_PASS_V(nir, nir_lower_system_values);
       NIR_PASS_V(nir, nir_lower_clip_cull_distance_arrays);
 
-      nir_shader_gather_info(nir, nir_shader_get_entrypoint(nir));
-      shader->Program->info = nir->info;
+      st_shader_gather_info(nir, shader->Program);
       if (shader->Stage == MESA_SHADER_VERTEX) {
          /* NIR expands dual-slot inputs out to two locations.  We need to
           * compact things back down GL-style single-slot inputs to avoid
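Review bot: only this one call site in st_link_nir is switched to the new file-static st_shader_gather_info helper; the old pattern `nir_shader_gather_info(...)` followed by `shader->Program->info = nir->info;` is what produced the dangling name/label pointers, so before merging it is worth confirming that no other path in this file still assigns nir->info into a gl_program directly, since any such site would keep the same use-after-free window this change closes here.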
