[virglrenderer-devel] Potentially attack surface for virgl_renderer_submit_cmd

Po-Hsien Wang pwang at chromium.org
Wed Jul 18 03:40:46 UTC 2018

Dear all,
I'm here to ask the correct way to deal with the potential attack surface we
found during our recent fuzzing[1] experiment. During our experiment with
random input to the submit_cmd call, we found it is easy to crash as, I
believe, virglrenderer assumes all callers submit their cmd based on the caps
advertised. As fuzzing is designed to feed highly random/mutable data into
the command, we try to use it to find the potential attack surface of the
system. Thus, a problem is raised if a 'bad' caller can send arbitrary cmd to
virglrenderer. In this bug report[2], we found that the problem can be easily
crashed by feeding the crash file into submit_cmd.

I'm wondering whether having virglrenderer call fill_caps during the init phase and
protect itself before each gl call would work? That said, would moving the caps
check from caller to callee be a valid way to solve the problem?

[1] libfuzz: https://llvm.org/docs/LibFuzzer.html
[2] https://bugs.chromium.org/p/chromium/issues/detail?id=864689
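The question above is whether the callee should validate a submitted command stream against the advertised caps instead of trusting the caller. The following is an added example, not code from the post or from virglrenderer, of what such a callee-side check can look like: a toy command-stream format (the header layout, opcodes and the `struct caps` fields are all constructed for this example and do not match virglrenderer's real protocol) is validated in full before any command is executed, so that a bad length field, an unknown opcode or a parameter exceeding the caps produces an error return rather than an out-of-bounds read or a crash in the GL layer.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical advertised caps; this is not virglrenderer's own struct. */
struct caps {
    uint32_t max_render_targets;
    uint32_t max_texture_2d_size;
};

/* Toy command stream (constructed for this example): each command is a
 * 32-bit header followed by `len` 32-bit payload words.
 *   bits  0..7  = opcode
 *   bits 16..31 = payload length in words */
enum {
    CMD_NOP = 0,
    CMD_SET_RENDER_TARGETS = 1, /* payload: count, then `count` handles */
    CMD_CREATE_TEXTURE_2D = 2,  /* payload: handle, width, height */
};

enum submit_status {
    SUBMIT_OK = 0,
    SUBMIT_ERR_TRUNCATED,    /* length field runs past the end of the buffer */
    SUBMIT_ERR_BAD_OPCODE,   /* opcode not known to this decoder */
    SUBMIT_ERR_BAD_LENGTH,   /* payload length inconsistent with the opcode */
    SUBMIT_ERR_EXCEEDS_CAPS, /* well-formed, but violates the advertised caps */
};

#define HDR_OPCODE(h) ((h) & 0xffu)
#define HDR_LEN(h)    ((h) >> 16)

static inline uint32_t mk_hdr(uint32_t op, uint32_t len)
{
    return (len << 16) | (op & 0xffu);
}

/* Validate the whole stream against the caps before executing anything, so a
 * bad command late in the buffer cannot leave earlier, already-executed state
 * behind. Returns SUBMIT_OK or the first error found; *bad_index receives the
 * word offset of the offending header. */
enum submit_status validate_cmd_stream(const struct caps *caps,
                                       const uint32_t *buf, size_t nwords,
                                       size_t *bad_index)
{
    size_t i = 0;
    while (i < nwords) {
        uint32_t hdr = buf[i];
        uint32_t op = HDR_OPCODE(hdr);
        uint32_t len = HDR_LEN(hdr);
        if (bad_index)
            *bad_index = i;

        /* Bounds first: never trust the caller's length field to stay inside
         * the buffer we were actually handed. i < nwords, so this cannot wrap. */
        if (len > nwords - i - 1)
            return SUBMIT_ERR_TRUNCATED;

        const uint32_t *payload = buf + i + 1;
        switch (op) {
        case CMD_NOP:
            if (len != 0)
                return SUBMIT_ERR_BAD_LENGTH;
            break;
        case CMD_SET_RENDER_TARGETS:
            /* count must match the payload size and respect the caps */
            if (len < 1 || payload[0] != len - 1)
                return SUBMIT_ERR_BAD_LENGTH;
            if (payload[0] > caps->max_render_targets)
                return SUBMIT_ERR_EXCEEDS_CAPS;
            break;
        case CMD_CREATE_TEXTURE_2D:
            if (len != 3)
                return SUBMIT_ERR_BAD_LENGTH;
            if (payload[1] == 0 || payload[2] == 0 ||
                payload[1] > caps->max_texture_2d_size ||
                payload[2] > caps->max_texture_2d_size)
                return SUBMIT_ERR_EXCEEDS_CAPS;
            break;
        default:
            return SUBMIT_ERR_BAD_OPCODE;
        }
        i += 1 + len; /* bounded by the truncation check above */
    }
    return SUBMIT_OK;
}

int main(void)
{
    struct caps caps = { .max_render_targets = 4, .max_texture_2d_size = 4096 };
    /* Constructed sample: a valid stream, then one whose count exceeds the caps. */
    uint32_t good[] = { mk_hdr(CMD_CREATE_TEXTURE_2D, 3), 7, 256, 256,
                        mk_hdr(CMD_SET_RENDER_TARGETS, 2), 1, 7 };
    uint32_t bad[]  = { mk_hdr(CMD_SET_RENDER_TARGETS, 6), 5, 1, 2, 3, 4, 5 };
    size_t at;
    printf("good: %d\n", validate_cmd_stream(&caps, good, 7, &at));
    printf("bad:  %d at word %zu\n", validate_cmd_stream(&caps, bad, 7, &at), at);
    return 0;
}
```

The point of validating the entire buffer before dispatching any of it is that a rejected stream leaves the renderer in the same state as before the call; validating and executing command by command would require rolling back partially applied state when a later command fails.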