[Mesa-dev] [PATCH 16/16] gallium/radeon: protect against out of bounds temporary array accesses

Marek Olšák maraeo at gmail.com
Fri Aug 12 18:34:08 UTC 2016 

For the series:

Reviewed-by: Marek Olšák <marek.olsak at amd.com>

Marek

On Wed, Aug 10, 2016 at 9:23 PM, Nicolai Hähnle <nhaehnle at gmail.com> wrote:
> From: Nicolai Hähnle <nicolai.haehnle at amd.com>
>
> They can lead to VM faults and worse, which goes against the GL robustness
> promises.
> ---
>  src/gallium/drivers/radeon/radeon_setup_tgsi_llvm.c | 15 +++++++++++++++
>  1 file changed, 15 insertions(+)
>
> diff --git a/src/gallium/drivers/radeon/radeon_setup_tgsi_llvm.c b/src/gallium/drivers/radeon/radeon_setup_tgsi_llvm.c
> index 7cdf228..88c7b3c 100644
> --- a/src/gallium/drivers/radeon/radeon_setup_tgsi_llvm.c
> +++ b/src/gallium/drivers/radeon/radeon_setup_tgsi_llvm.c
> @@ -232,20 +232,35 @@ get_pointer_into_array(struct radeon_llvm_context *ctx,
>         if (!alloca)
>                 return NULL;
>
>         array = &ctx->temp_arrays[array_id - 1];
>
>         if (!(array->writemask & (1 << swizzle)))
>                 return ctx->undef_alloca;
>
>         index = emit_array_index(&ctx->soa, reg_indirect,
>                                  reg_index - ctx->temp_arrays[array_id - 1].range.First);
> +
> +       /* Ensure that the index is within a valid range, to guard against
> +        * VM faults and overwriting critical data (e.g. spilled resource
> +        * descriptors).
> +        *
> +        * TODO It should be possible to avoid the additional instructions
> +        * if LLVM is changed so that it guarantuees:
> +        * 1. the scratch space descriptor isolates the current wave (this
> +        *    could even save the scratch offset SGPR at the cost of an
> +        *    additional SALU instruction)
> +        * 2. the memory for allocas must be allocated at the _end_ of the
> +        *    scratch space (after spilled registers)
> +        */
> +       index = radeon_llvm_bound_index(ctx, index, array->range.Last - array->range.First + 1);
> +
>         index = LLVMBuildMul(
>                 builder, index,
>                 lp_build_const_int32(gallivm, util_bitcount(array->writemask)),
>                 "");
>         index = LLVMBuildAdd(
>                 builder, index,
>                 lp_build_const_int32(
>                         gallivm,
>                         util_bitcount(array->writemask & ((1 << swizzle) - 1))),
>                 "");
> --
> 2.7.4
>
> _______________________________________________
> mesa-dev mailing list
> mesa-dev at lists.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/mesa-dev

More information about the mesa-dev mailing list