[virglrenderer-devel] [PATCH] vrend_render: fix decode edge cases.

Po-Hsien Wang pwang at chromium.org
Tue Jul 10 21:12:48 UTC 2018


Thanks for checking it.
This was found by feeding the following crash file directly to
virgl_renderer_submit_cmd. The input was generated randomly by a fuzzing
process.

On Mon, Jul 9, 2018 at 3:25 PM Dave Airlie <airlied at gmail.com> wrote:

> On 21 June 2018 at 09:56, Po-Hsien Wang <pwang at chromium.org> wrote:
> > ---
> >  src/vrend_decode.c   | 3 ++-
> >  src/vrend_renderer.c | 3 ++-
> >  2 files changed, 4 insertions(+), 2 deletions(-)
> >
> > diff --git a/src/vrend_decode.c b/src/vrend_decode.c
> > index d50f385..8793668 100644
> > --- a/src/vrend_decode.c
> > +++ b/src/vrend_decode.c
> > @@ -295,7 +295,8 @@ static int vrend_decode_set_sampler_views(struct
> vrend_decode_ctx *ctx, uint16_t
> >        return EINVAL;
> >
> >     if (num_samps > PIPE_MAX_SHADER_SAMPLER_VIEWS ||
> > -       start_slot > (PIPE_MAX_SHADER_SAMPLER_VIEWS - num_samps))
> > +       start_slot > (PIPE_MAX_SHADER_SAMPLER_VIEWS - num_samps) ||
> > +       start_slot < 0)
> >        return EINVAL;
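Review bot: whether the added `start_slot < 0` test does anything depends on the declared type of start_slot, which the hunk does not show. If start_slot is unsigned the comparison is always false (and -Wtype-limits flags it); if it is a signed int compared against a signed `PIPE_MAX_SHADER_SAMPLER_VIEWS - num_samps`, a negative value does slip past the existing `start_slot > ...` test, so the guard closes a real gap, but only by special-casing one type mistake. The cleaner fix is to decode start_slot as uint32_t: the first comparison bounds num_samps so the subtraction cannot wrap, and the second then rejects every start_slot whose range leaves the array, including the bit patterns a signed reading would call negative, so the new line can be dropped.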
>
> I've sent a better fix for this, please review it.
> https://patchwork.freedesktop.org/series/46222/
>
> >        view = vrend_object_lookup(ctx->sub->object_hash, handle,
> VIRGL_OBJECT_SAMPLER_VIEW);
> >        if (!view) {
> > -         ctx->sub->views[shader_type].views[index] = NULL;
> > +         if (index < ctx->sub->views[shader_type].num_views)
> > +            ctx->sub->views[shader_type].views[index] = NULL;
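Review bot: the `index < ctx->sub->views[shader_type].num_views` guard in the `!view` branch turns an out-of-range index into a silent skip rather than an error, and it only covers the path where the lookup fails; the path for a found view, which uses the same index, is left as it was. If index really can exceed num_views, reject the command with EINVAL before the loop so neither path writes; if the start_slot/num_samps check already guarantees it cannot, the guard is dead code and should go.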
>
> Why is this necessary, we've already confirmed the index should be
> within the bounds of the memory allocated, avoiding a NULL write to
> somewhere doesn't really save us anything or make it more secure.
>

Yeah, you are right. This is not needed anymore if we handle it as uint32.


> Dave.
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: crash-46297169297ef66c5ff642f5dc894d7976fd1d6f
Type: application/octet-stream
Size: 28 bytes
Desc: not available
URL: <https://lists.freedesktop.org/archives/virglrenderer-devel/attachments/20180710/87f2d8a2/attachment.obj>
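The signed-versus-unsigned point in the exchange above, as an added example that is not virglrenderer code: the two comparisons of the quoted hunk, once with signed operands (where a negative start_slot passes) and once with uint32_t operands (where the same bit pattern is rejected without any `< 0` test), followed by a decoder-style caller that applies the unsigned check to a constructed command word pair before touching any slot. The limit 32 is assumed as a stand-in for PIPE_MAX_SHADER_SAMPLER_VIEWS, and the names check_range_signed, check_range_unsigned, example_views and set_views_example are invented for this example.

```c
/* Added example, not virglrenderer code. The limit 32 is an assumed
 * stand-in for PIPE_MAX_SHADER_SAMPLER_VIEWS; all names are invented. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

#define EXAMPLE_MAX_SAMPLER_VIEWS 32u

/* Variant A: both operands signed int, with exactly the two comparisons
 * of the original code. A negative start_slot is never greater than the
 * non-negative remaining-slot count, so it passes, and a caller would then
 * index views[start_slot + i] below the start of the array. */
int check_range_signed(int start_slot, int num_samps)
{
    if (num_samps > (int)EXAMPLE_MAX_SAMPLER_VIEWS ||
        start_slot > ((int)EXAMPLE_MAX_SAMPLER_VIEWS - num_samps))
        return EINVAL;
    return 0;
}

/* Variant B: both operands uint32_t. The first test bounds num_samps so
 * the subtraction cannot wrap; the second then rejects every start_slot
 * whose range [start_slot, start_slot + num_samps) leaves the array,
 * including 0xFFFFFFFF, the pattern a signed reading would call -1.
 * A `start_slot < 0` test here would always be false. */
int check_range_unsigned(uint32_t start_slot, uint32_t num_samps)
{
    if (num_samps > EXAMPLE_MAX_SAMPLER_VIEWS ||
        start_slot > EXAMPLE_MAX_SAMPLER_VIEWS - num_samps)
        return EINVAL;
    return 0;
}

struct example_views {
    void *views[EXAMPLE_MAX_SAMPLER_VIEWS];
};

/* Decoder-style caller: start_slot and num_samps are read straight from
 * the command words as uint32_t, the shape fuzzer input arrives in. The
 * range check rejects the command before any slot is touched, so the loop
 * needs no per-index guard. cmd[0] = start_slot, cmd[1] = num_samps. */
int set_views_example(struct example_views *v, const uint32_t *cmd, size_t ncmd)
{
    if (ncmd < 2)
        return EINVAL;
    uint32_t start_slot = cmd[0];
    uint32_t num_samps = cmd[1];
    int ret = check_range_unsigned(start_slot, num_samps);
    if (ret)
        return ret;
    for (uint32_t i = 0; i < num_samps; i++)
        v->views[start_slot + i] = NULL; /* index proven in bounds above */
    return 0;
}
```

With the unsigned variant, the only inputs that reach the loop are those whose whole range fits in the array, which is why the per-index guard from the second hunk adds nothing once start_slot is handled as uint32.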