[Mesa-dev] [PATCH 19/19] gallium/radeon: protect against out of bounds temporary array accesses
Nicolai Hähnle
nhaehnle at gmail.com
Tue Aug 9 10:36:48 UTC 2016
From: Nicolai Hähnle <nicolai.haehnle at amd.com>
They can lead to VM faults and worse, which goes against the GL robustness
promises.
---
src/gallium/drivers/radeon/radeon_setup_tgsi_llvm.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/src/gallium/drivers/radeon/radeon_setup_tgsi_llvm.c b/src/gallium/drivers/radeon/radeon_setup_tgsi_llvm.c
index e3b04ee..6a010d5 100644
--- a/src/gallium/drivers/radeon/radeon_setup_tgsi_llvm.c
+++ b/src/gallium/drivers/radeon/radeon_setup_tgsi_llvm.c
@@ -220,20 +220,35 @@ get_pointer_into_array(struct radeon_llvm_context *ctx,
LLVMValueRef index;
if (file != TGSI_FILE_TEMPORARY)
return NULL;
array = get_temp_array(&ctx->soa.bld_base, reg_index, reg_indirect);
if (!array || !array->alloca)
return NULL;
index = emit_array_index(&ctx->soa, reg_indirect, reg_index - array->range.First);
+
+ /* Ensure that the index is within a valid range, to guard against
+ * VM faults and overwriting critical data (e.g. spilled resource
+ * descriptors).
+ *
+ * TODO It should be possible to avoid the additional instructions
+ * if LLVM is changed so that it guarantuees:
+ * 1. the scratch space descriptor isolates the current wave (this
+ * could even save the scratch offset SGPR at the cost of an
+ * additional SALU instruction)
+ * 2. the memory for allocas must be allocated at the _end_ of the
+ * scratch space (after spilled registers)
+ */
+ index = radeon_llvm_bound_index(ctx, index, array->range.Last - array->range.First + 1);
+
index = LLVMBuildMul(
builder, index,
lp_build_const_int32(gallivm, util_bitcount(array->usagemask)),
"");
index = LLVMBuildAdd(
builder, index,
lp_build_const_int32(
gallivm,
util_bitcount(array->usagemask & ((1 << swizzle) - 1))),
"");
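Review bot: The comment above the added radeon_llvm_bound_index() call says why the index is bounded but not what an out-of-range index becomes. The helper is not part of this hunk, so a reader at this call site cannot tell whether the value is clamped, wrapped or redirected to a fixed element. One sentence stating that would make the robustness behaviour checkable here. The bound is applied before the multiply by util_bitcount(array->usagemask), so the count "array->range.Last - array->range.First + 1" is in whole registers, matching the index produced by emit_array_index(). Putting that count in a named local would document the unit and shorten the long call line. In the TODO, "guarantuees" should read "guarantees".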
--
2.7.4