[virglrenderer-devel] Potentially attack surface for virgl_renderer_submit_cmd

Dave Airlie airlied at gmail.com
Wed Jul 18 04:13:31 UTC 2018


On 18 July 2018 at 13:40, Po-Hsien Wang <pwang at chromium.org> wrote:
> Dear all
> I'm here to ask about the correct way to handle the potential attack surface we
> found during our recent fuzzing[1] experiment. During our experiment with
> random input to the submit_cmd call, we found it is easy to crash as, I believe,
> virglrenderer assumes all callers submit their cmds based on the caps advertised.
> As fuzzing is designed to feed highly random/mutable data into the command,
> we try to use it to find the potential attack surface of the system. Thus, a
> problem arises if a 'bad' caller can send arbitrary cmds to virglrenderer. In
> this bug report[2], we found that it can easily be crashed by
> feeding the crash file into submit_cmd.

We've started using the have_ to avoid gl calls when the caps aren't advertised.

I suspect we need to fix up some of the older ones like the cond render one.

Dave.

>
> I'm wondering, would having virglrenderer call fill_caps during the init phase and
> protect itself before each gl call work? That is, would moving the caps
> check from caller to callee be a valid way to solve the problem?
>
> [1] libfuzz: https://llvm.org/docs/LibFuzzer.html
> [2] https://bugs.chromium.org/p/chromium/issues/detail?id=864689
>
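The callee-side caps check discussed above, as an added example that is not code from virglrenderer or from either poster: a hypothetical command-stream decoder that validates each command's id, payload length and buffer bounds, and refuses a command whose capability is not advertised, before anything resembling a GL call would run. The header layout, `decode_cmds`, `HDR`, `have_cond_render` and the sample streams are all assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical command ids, caps and header layout; not virglrenderer's real ones. */
enum { CMD_NOP = 0, CMD_DRAW = 1, CMD_COND_RENDER = 2, CMD_MAX = 3 };
struct caps { bool have_cond_render; };
enum decode_status { DECODE_OK, DECODE_ERR_BAD_CMD, DECODE_ERR_TRUNCATED, DECODE_ERR_UNSUPPORTED };

/* Header dword: low 8 bits = command id, high 16 bits = payload length in dwords. */
#define HDR(cmd, len) ((uint32_t)(cmd) | ((uint32_t)(len) << 16))
static const uint32_t expected_len[CMD_MAX] = { 0, 4, 2 }; /* payload dwords per command */

/* Decode a stream of ndw dwords, rejecting anything malformed or relying on a cap
 * the callee does not advertise, before any GL call would be issued. */
enum decode_status decode_cmds(const uint32_t *buf, size_t ndw,
                               const struct caps *caps, size_t *nexec)
{
    size_t pos = 0;
    *nexec = 0;
    while (pos < ndw) {
        uint32_t cmd = buf[pos] & 0xff, len = buf[pos] >> 16;
        if (cmd >= CMD_MAX || len != expected_len[cmd])
            return DECODE_ERR_BAD_CMD;        /* unknown id or wrong payload size */
        if (len > ndw - pos - 1)
            return DECODE_ERR_TRUNCATED;      /* payload would run past the buffer */
        if (cmd == CMD_COND_RENDER && !caps->have_cond_render)
            return DECODE_ERR_UNSUPPORTED;    /* callee-side caps check */
        /* a real decoder would execute buf[pos+1 .. pos+len] here */
        pos += 1 + len;
        (*nexec)++;
    }
    return DECODE_OK;
}

/* Constructed sample streams, not captured from a real guest. */
static const uint32_t sample_draw[]  = { HDR(CMD_DRAW, 4), 1, 2, 3, 4 };
static const uint32_t sample_cond[]  = { HDR(CMD_COND_RENDER, 2), 7, 8 };
static const uint32_t sample_trunc[] = { HDR(CMD_DRAW, 4), 1 };
static const uint32_t sample_badid[] = { HDR(7, 0) };

/* Convenience wrapper: decode with cond-render either advertised or not. */
enum decode_status run(const uint32_t *buf, size_t ndw, bool cond_render)
{
    struct caps c = { .have_cond_render = cond_render };
    size_t n;
    return decode_cmds(buf, ndw, &c, &n);
}
```

With the caps consulted in the callee, a stream that the caller should never have sent is rejected with a status code instead of reaching the GL layer.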

