[virglrenderer-devel] Potentially attack surface for virgl_renderer_submit_cmd

Po-Hsien Wang pwang at chromium.org
Wed Jul 18 20:17:34 UTC 2018

Hi Dave,
Thanks for pointing this out. I'm not aware of those variable and looks
into the fill_caps path as I think most caller use this to determine its
Based on briefly examination, it seems those have_ variable is initialized
in a similar way as fill_caps. I'm wondering why we did this in two
different code path? Is there a specific reason for this?

On Tue, Jul 17, 2018 at 9:13 PM Dave Airlie <airlied at gmail.com> wrote:

> On 18 July 2018 at 13:40, Po-Hsien Wang <pwang at chromium.org> wrote:
> > Dear all
> > I'm here to ask the correct way to do about the potential attack surface
> we
> > found during our recent fuzzing[1] experiment. During our experiment with
> > random input to submit_cmd call, we found it is easy to crash as, I
> believe,
> > virglrenderer assume all caller submit its cmd based on the caps
> advertised.
> > As fuzzing is designed to feed higly random/mutable data into the
> command,
> > we try to use it to find potential attack surface of the system. Thus,
> > problem raised if 'bad' caller can send arbitrary cmd to virglrender. In
> > this bug report[2], we found that the problem can be easily crashed by
> > feeding the crash file into the submit_cmd.
> We've started using the have_ to avoid gl calls when the caps aren't
> advertised.
> I suspect we need to fix up some of the older ones like the cond render
> one.
> Dave.
> >
> > I'm wondering would the virglrenderer call fill_caps during init phase
> and
> > protect itself before each gl call work? That said, would moving the caps
> > check from caller to callee a valid way to solve the problem?
> >
> > [1] libfuzz: https://llvm.org/docs/LibFuzzer.html
> > [2] https://bugs.chromium.org/p/chromium/issues/detail?id=864689
> >
> > _______________________________________________
> > virglrenderer-devel mailing list
> > virglrenderer-devel at lists.freedesktop.org
> > https://lists.freedesktop.org/mailman/listinfo/virglrenderer-devel
> >
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.freedesktop.org/archives/virglrenderer-devel/attachments/20180718/1f5cda3b/attachment.html>

More information about the virglrenderer-devel mailing list