some bug report
lcatro at sina.cn
Thu Oct 21 08:54:27 UTC 2021
Bug1 : vrend_clear_texture NULL pointer dereference

AddressSanitizer:DEADLYSIGNAL
=================================================================
==135004==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000014 (pc 0x0000004e998b bp 0x7fff76493e70 sp 0x7fff76493e30 T0)
==135004==The signal is caused by a READ memory access.
==135004==Hint: address points to the zero page.
    #0 0x4e998b in vrend_clear_texture /home/fuzzing/Desktop/virglrenderer-master/build/../src/vrend_renderer.c:4055:39
    #1 0x4d7f7f in vrend_decode_clear_texture /home/fuzzing/Desktop/virglrenderer-master/build/../src/vrend_decode.c:232:4
    #2 0x4cfcdd in vrend_decode_ctx_submit_cmd /home/fuzzing/Desktop/virglrenderer-master/build/../src/vrend_decode.c:1706:13
    #3 0x4c9561 in main /home/fuzzing/Desktop/virglrenderer-master/build/../src/crash_vrend_decode_clear_texture.c:90:3
    #4 0x7f8dc7f220b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #5 0x4215ad in _start (/home/fuzzing/Desktop/virglrenderer-master/build/src/crash_vrend_decode_clear_texture+0x4215ad)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/fuzzing/Desktop/virglrenderer-master/build/../src/vrend_renderer.c:4055:39 in vrend_clear_texture
==135004==ABORTING
Bug Code ===> https://github.com/freedesktop/virglrenderer/blob/2a5fb800c6b0ce15ad37c2c698635e3e2d27b37c/src/vrend_renderer.c#L4056
   if (handle)
      res = vrend_renderer_ctx_res_lookup(ctx, handle);   /// returns NULL when the handle is not found
   else {
      vrend_printf( "cannot find resource for handle %d\n", handle);
      return;
   }

   enum virgl_formats fmt = res->base.format;   /// dereferences the NULL pointer
Bug2 : vrend_set_single_image_view Out-of-Bound Read

==117045==ERROR: AddressSanitizer: SEGV on unknown address 0x00016481bac4 (pc 0x0000004e51c3 bp 0x7ffc48c01a40 sp 0x7ffc48c01a00 T0)
==117045==The signal is caused by a READ memory access.
    #0 0x4e5433 in vrend_set_single_image_view /home/fuzzing/Desktop/virglrenderer-master/build/../src/vrend_renderer.c:3226:46
    #1 0x4d69cd in vrend_decode_set_shader_images /home/fuzzing/Desktop/virglrenderer-master/build/../src/vrend_decode.c:1273:7
    #2 0x4cfe0d in vrend_decode_ctx_submit_cmd /home/fuzzing/Desktop/virglrenderer-master/build/../src/vrend_decode.c:1706:13
    #3 0x4c9668 in main /home/fuzzing/Desktop/virglrenderer-master/build/../src/crash_vrend_decode_set_shader_images.c:109:3
    #4 0x7f0c305640b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #5 0x4215ad in _start (/home/fuzzing/Desktop/virglrenderer-master/build/src/crash_vrend_decode_set_shader_images+0x4215ad)
Bug Code ===> https://github.com/freedesktop/virglrenderer/blob/2a5fb800c6b0ce15ad37c2c698635e3e2d27b37c/src/vrend_renderer.c#L3232
static int vrend_decode_set_shader_images(struct vrend_context *ctx, const uint32_t *buf, uint32_t length)
{
   /// ....
   uint32_t format = get_buf_entry(buf, VIRGL_SET_SHADER_IMAGE_FORMAT(i));
   /// ....
   vrend_set_single_image_view(..., format, ...);
}

vrend_set_single_image_view( ... uint32_t format ... )
{
   /// ....
   iview->texture = res;
   iview->format = tex_conv_table[format].internalformat;   /// OOB-Read
   iview->access = access;
   /// ....
}
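The report's root cause is a guest-supplied dword used directly as a table index. The following is an added example, not virglrenderer's own code, showing the shape of a decoder that validates every value it reads from a guest-controlled command buffer (the image count, the claimed command length, and each format index) before using it. The command layout, the demo_* names and the table contents are constructed for the example and do not correspond to the real VIRGL_SET_SHADER_IMAGE_* layout.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the renderer's format conversion table.
 * The real table has many more entries; these values are arbitrary. */
struct demo_fmt_entry {
    uint32_t internalformat;
};
#define DEMO_NUM_FORMATS 4u
static const struct demo_fmt_entry demo_conv_table[DEMO_NUM_FORMATS] = {
    {0x1907u}, {0x1908u}, {0x8051u}, {0x8058u},
};

/* Constructed command layout (hypothetical, not the project's):
 * buf[0] = image count, then 2 dwords per image: [format, handle]. */
#define DEMO_DWORDS_PER_IMAGE 2u
#define DEMO_MAX_IMAGES 8u

struct demo_image_view {
    uint32_t handle;
    uint32_t internalformat;
};

/* Hardened decoder: every value read from the guest-controlled buffer is
 * validated before it is used as a length or as an array index.
 * Returns the number of views decoded, or -1 if the command is rejected. */
static int demo_decode_shader_images(const uint32_t *buf, uint32_t length_dwords,
                                     struct demo_image_view *out, uint32_t out_cap)
{
    if (length_dwords < 1u)
        return -1;                        /* no room for the count */
    uint32_t count = buf[0];
    if (count > DEMO_MAX_IMAGES || count > out_cap)
        return -1;                        /* guest-chosen count must be bounded */
    /* count * DEMO_DWORDS_PER_IMAGE cannot overflow: count <= DEMO_MAX_IMAGES */
    if (length_dwords < 1u + count * DEMO_DWORDS_PER_IMAGE)
        return -1;                        /* command shorter than it claims to be */

    for (uint32_t i = 0; i < count; i++) {
        uint32_t format = buf[1u + i * DEMO_DWORDS_PER_IMAGE];
        uint32_t handle = buf[2u + i * DEMO_DWORDS_PER_IMAGE];
        if (format >= DEMO_NUM_FORMATS)
            return -1;                    /* the check missing in the report: bound the index first */
        out[i].handle = handle;
        out[i].internalformat = demo_conv_table[format].internalformat;
    }
    return (int)count;
}

/* Constructed sample commands. */
static const uint32_t demo_cmd_good[]       = {2u, 0u, 10u, 3u, 11u};
static const uint32_t demo_cmd_bad_format[] = {1u, 0x41414141u, 10u};
static const uint32_t demo_cmd_truncated[]  = {2u, 0u, 10u};   /* claims 2 images, carries 1 */

int main(void)
{
    struct demo_image_view views[DEMO_MAX_IMAGES];
    int n = demo_decode_shader_images(demo_cmd_good, 5u, views, DEMO_MAX_IMAGES);
    printf("good: %d views, first internalformat 0x%x\n", n, views[0].internalformat);
    printf("bad format: %d\n", demo_decode_shader_images(demo_cmd_bad_format, 3u, views, DEMO_MAX_IMAGES));
    printf("truncated: %d\n", demo_decode_shader_images(demo_cmd_truncated, 3u, views, DEMO_MAX_IMAGES));
    return 0;
}
```

The truncated-command case is the other half of the same lesson: a length check on the command is what makes the per-entry reads safe, and the index check is what makes the table lookup safe; both are needed before any guest dword reaches memory.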
Bug3 : vrend_renderer_get_meminfo NULL pointer dereference

==140734==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000052247b bp 0x7ffcbbeee8e0 sp 0x7ffcbbeee800 T0)
==140734==The signal is caused by a READ memory access.
==140734==Hint: address points to the zero page.
    #0 0x52247b in vrend_renderer_get_meminfo /home/fuzzing/Desktop/virglrenderer-master/build/../src/vrend_renderer.c:11480:49
    #1 0x4d9129 in vrend_decode_get_memory_info /home/fuzzing/Desktop/virglrenderer-master/build/../src/vrend_decode.c:1570:4
    #2 0x4cfdbd in vrend_decode_ctx_submit_cmd /home/fuzzing/Desktop/virglrenderer-master/build/../src/vrend_decode.c:1706:13
    #3 0x4c9608 in main /home/fuzzing/Desktop/virglrenderer-master/build/../src/crash_vrend_renderer_get_meminfo.c:97:3
    #4 0x7f2aaab570b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #5 0x4215ad in _start (/home/fuzzing/Desktop/virglrenderer-master/build/src/crash_vrend_renderer_get_meminfo+0x4215ad)
Bug Code ===> https://github.com/freedesktop/virglrenderer/blob/2a5fb800c6b0ce15ad37c2c698635e3e2d27b37c/src/vrend_renderer.c#L11521
   res = vrend_renderer_ctx_res_lookup(ctx, res_handle);
   if (!res) {
      vrend_report_context_error(ctx, VIRGL_ERROR_CTX_ILLEGAL_RESOURCE, res_handle);
      return;
   }

   info = (struct virgl_memory_info *)res->iov->iov_base;   /// res->iov is never checked for NULL
In the QEMU source, virgl_renderer_resource_create() is called with a NULL iov parameter (QEMU code: https://github.com/qemu/qemu/blob/afc9fcde55296b83f659de9da3cdf044812a6eeb/hw/display/virtio-gpu-virgl.c#L45):

static void virgl_cmd_create_resource_2d(VirtIOGPU *g, struct virtio_gpu_ctrl_command *cmd)
{
   ///...
   args.flags = VIRTIO_GPU_RESOURCE_FLAG_Y_0_TOP;
   virgl_renderer_resource_create(&args, NULL, 0);
}
https://github.com/freedesktop/virglrenderer/blob/2a5fb800c6b0ce15ad37c2c698635e3e2d27b37c/src/vrend_renderer.c#L6938
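Bug1 and Bug3 share one pattern: a guest-supplied handle is looked up, and the result (or a field of it) is dereferenced before the cases where it is absent are handled. The following is an added example, not virglrenderer's or QEMU's code, with constructed demo_* structures and a constructed resource table. It models the three states a handle can be in (unknown, known but created with a NULL iov as in the QEMU 2D-resource path above, and known with backing storage) and, going one step beyond the report, also checks that the backing iov is large enough for the struct that will be written into it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the renderer's iov and resource structures. */
struct demo_iovec {
    void *iov_base;
    size_t iov_len;
};

struct demo_resource {
    uint32_t handle;
    struct demo_iovec *iov;        /* NULL when created without backing storage */
};

struct demo_memory_info {
    uint64_t total_device_memory;
    uint64_t avail_device_memory;
};

#define DEMO_NUM_RES 3u

/* Constructed resource table: handle 1 has backing storage, handle 2 was
 * created with iov == NULL (the QEMU 2D-resource case), handle 3 has an iov
 * that is too small to hold a memory_info struct. */
static uint8_t demo_backing[sizeof(struct demo_memory_info)];
static uint8_t demo_small_backing[4];
static struct demo_iovec demo_iov_ok    = { demo_backing, sizeof(demo_backing) };
static struct demo_iovec demo_iov_small = { demo_small_backing, sizeof(demo_small_backing) };
static struct demo_resource demo_res_table[DEMO_NUM_RES] = {
    { 1u, &demo_iov_ok },
    { 2u, NULL },
    { 3u, &demo_iov_small },
};

/* Lookup by guest-supplied handle; returns NULL when the handle is unknown.
 * Handle 0 is never valid, mirroring the "if (handle)" guard in Bug1. */
static struct demo_resource *demo_ctx_res_lookup(uint32_t handle)
{
    if (handle == 0u)
        return NULL;
    for (uint32_t i = 0; i < DEMO_NUM_RES; i++)
        if (demo_res_table[i].handle == handle)
            return &demo_res_table[i];
    return NULL;
}

/* Hardened get_meminfo: rejects an unknown handle, a resource with no backing
 * iov, and an iov too small for the struct written into it. Returns 0 on
 * success, -1 on rejection (a real renderer would report a context error). */
static int demo_get_meminfo(uint32_t res_handle, uint64_t total, uint64_t avail)
{
    struct demo_resource *res = demo_ctx_res_lookup(res_handle);
    if (!res)
        return -1;                                 /* the check missing in Bug1 */
    if (!res->iov || !res->iov->iov_base)
        return -1;                                 /* the check missing in Bug3 */
    if (res->iov->iov_len < sizeof(struct demo_memory_info))
        return -1;                                 /* would otherwise write past the backing buffer */
    struct demo_memory_info info = { total, avail };
    memcpy(res->iov->iov_base, &info, sizeof(info));   /* memcpy avoids alignment assumptions */
    return 0;
}

int main(void)
{
    printf("handle 1 (backed):   %d\n", demo_get_meminfo(1u, 4096u, 1024u));
    printf("handle 2 (no iov):   %d\n", demo_get_meminfo(2u, 4096u, 1024u));
    printf("handle 3 (short):    %d\n", demo_get_meminfo(3u, 4096u, 1024u));
    printf("handle 0 (invalid):  %d\n", demo_get_meminfo(0u, 4096u, 1024u));
    printf("handle 99 (unknown): %d\n", demo_get_meminfo(99u, 4096u, 1024u));
    return 0;
}
```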
Bug4 : Out-of-Memory in vrend_create_buffer
There are two trigger codes.

==121218== ERROR: libFuzzer: out-of-memory (malloc(4228448304))
To change the out-of-memory limit use -rss_limit_mb=<N>
    #0 0x52bf01 in __sanitizer_print_stack_trace (/home/fuzzing/Desktop/virglrenderer-master/build/src/virgl_fuzzer+0x52bf01)
    #1 0x477058 in fuzzer::PrintStackTrace() (/home/fuzzing/Desktop/virglrenderer-master/build/src/virgl_fuzzer+0x477058)
    #2 0x45b385 in fuzzer::Fuzzer::HandleMalloc(unsigned long) (/home/fuzzing/Desktop/virglrenderer-master/build/src/virgl_fuzzer+0x45b385)
    #3 0x45b29a in fuzzer::MallocHook(void const volatile*, unsigned long) (/home/fuzzing/Desktop/virglrenderer-master/build/src/virgl_fuzzer+0x45b29a)
    #4 0x532227 in __sanitizer::RunMallocHooks(void const*, unsigned long) (/home/fuzzing/Desktop/virglrenderer-master/build/src/virgl_fuzzer+0x532227)
    #5 0x4ac8e1 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (/home/fuzzing/Desktop/virglrenderer-master/build/src/virgl_fuzzer+0x4ac8e1)
    #6 0x4ad055 in __asan::asan_posix_memalign(void**, unsigned long, unsigned long, __sanitizer::BufferedStackTrace*) (/home/fuzzing/Desktop/virglrenderer-master/build/src/virgl_fuzzer+0x4ad055)
    #7 0x523ecb in posix_memalign (/home/fuzzing/Desktop/virglrenderer-master/build/src/virgl_fuzzer+0x523ecb)
    #8 0x7fed343e9924 (/usr/lib/x86_64-linux-gnu/dri/swrast_dri.so+0x7fe924)
    #9 0x7fed33d92539 (/usr/lib/x86_64-linux-gnu/dri/swrast_dri.so+0x1a7539)
    #10 0x7fed33e14c2e (/usr/lib/x86_64-linux-gnu/dri/swrast_dri.so+0x229c2e)
    #11 0x7fed33e1736f (/usr/lib/x86_64-linux-gnu/dri/swrast_dri.so+0x22c36f)
    #12 0x5a2509 in vrend_create_buffer /home/fuzzing/Desktop/virglrenderer-master/build/../src/vrend_renderer.c:6976:7 glBufferData
    #13 0x5a2509 in vrend_resource_alloc_buffer /home/fuzzing/Desktop/virglrenderer-master/build/../src/vrend_renderer.c:7031:7
    #14 0x5a2509 in vrend_renderer_resource_create /home/fuzzing/Desktop/virglrenderer-master/build/../src/vrend_renderer.c:7336:13
    #15 0x627b50 in virgl_renderer_resource_create_internal /home/fuzzing/Desktop/virglrenderer-master/build/../src/virglrenderer.c:93:15
    #16 0x5536f1 in LLVMFuzzerTestOneInput /home/fuzzing/Desktop/virglrenderer-master/build/../src/virgl_fuzzer.c:241:10
    #17 0x45d861 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/fuzzing/Desktop/virglrenderer-master/build/src/virgl_fuzzer+0x45d861)
    #18 0x448fd2 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/home/fuzzing/Desktop/virglrenderer-master/build/src/virgl_fuzzer+0x448fd2)
    #19 0x44ea86 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/fuzzing/Desktop/virglrenderer-master/build/src/virgl_fuzzer+0x44ea86)
    #20 0x477742 in main (/home/fuzzing/Desktop/virglrenderer-master/build/src/virgl_fuzzer+0x477742)
    #21 0x7fed38e280b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #22 0x42369d in _start (/home/fuzzing/Desktop/virglrenderer-master/build/src/virgl_fuzzer+0x42369d)

==121218== ERROR: libFuzzer: out-of-memory (malloc(4228448304))
To change the out-of-memory limit use -rss_limit_mb=<N>
    #12 0x5a2509 in vrend_create_buffer /home/fuzzing/Desktop/virglrenderer-master/build/../src/vrend_renderer.c:6933: glBufferStorage
    #13 0x5a2509 in vrend_resource_alloc_buffer /home/fuzzing/Desktop/virglrenderer-master/build/../src/vrend_renderer.c:7031:7
    #14 0x5a2509 in vrend_renderer_resource_create /home/fuzzing/Desktop/virglrenderer-master/build/../src/vrend_renderer.c:7336:13
    #15 0x627b50 in virgl_renderer_resource_create_internal /home/fuzzing/Desktop/virglrenderer-master/build/../src/virglrenderer.c:93:15
    #16 0x5536f1 in LLVMFuzzerTestOneInput /home/fuzzing/Desktop/virglrenderer-master/build/../src/virgl_fuzzer.c:241:10
    #17 0x45d861 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/fuzzing/Desktop/virglrenderer-master/build/src/virgl_fuzzer+0x45d861)
    #18 0x448fd2 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/home/fuzzing/Desktop/virglrenderer-master/build/src/virgl_fuzzer+0x448fd2)
    #19 0x44ea86 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/fuzzing/Desktop/virglrenderer-master/build/src/virgl_fuzzer+0x44ea86)
    #20 0x477742 in main (/home/fuzzing/Desktop/virglrenderer-master/build/src/virgl_fuzzer+0x477742)
    #21 0x7fed38e280b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #22 0x42369d in _start (/home/fuzzing/Desktop/virglrenderer-master/build/src/virgl_fuzzer+0x42369d)
Bug Point:
https://github.com/freedesktop/virglrenderer/blob/2a5fb800c6b0ce15ad37c2c698635e3e2d27b37c/src/vrend_renderer.c#L6938
https://github.com/freedesktop/virglrenderer/blob/2a5fb800c6b0ce15ad37c2c698635e3e2d27b37c/src/vrend_renderer.c#L6983

The width parameter is guest-controlled.
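Because the width reaches glBufferData / glBufferStorage unchecked, the guest decides how much host memory the allocation asks for. The following is an added example, not virglrenderer's code, of the size validation a host should perform before any allocation: it rejects zero sizes, computes the byte count without overflow, and enforces a constructed policy cap (the DEMO_MAX_BUFFER_BYTES value and the demo_* names are assumptions for the example; a real host would derive the cap from its memory budget). The malloc(4228448304) figure from the report is used as a sample rejected width.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed policy cap: the largest buffer this example will create on a
 * guest's behalf. A real host would derive it from its memory budget. */
#define DEMO_MAX_BUFFER_BYTES (256ull * 1024ull * 1024ull)   /* 256 MiB */

/* Validate a guest-chosen width/height/bytes-per-pixel before any allocation.
 * Sets *out_bytes and returns true only if the product is non-zero, cannot
 * overflow, and fits under the cap. */
static bool demo_check_buffer_size(uint32_t width, uint32_t height,
                                   uint32_t bytes_per_pixel, uint64_t *out_bytes)
{
    if (width == 0u || height == 0u || bytes_per_pixel == 0u)
        return false;                     /* zero-sized resources are rejected */
    /* Two 32-bit factors always fit in 64 bits: (2^32-1)^2 < 2^64. */
    uint64_t pixels = (uint64_t)width * (uint64_t)height;
    /* Compare against cap / bpp instead of multiplying, so the third factor
     * can never overflow either. */
    if (pixels > DEMO_MAX_BUFFER_BYTES / bytes_per_pixel)
        return false;                     /* guest-chosen size exceeds the host budget */
    *out_bytes = pixels * (uint64_t)bytes_per_pixel;
    return true;
}

/* Allocation happens only after the size has been validated. Returns NULL
 * when the request is rejected, without touching the allocator at all. */
static void *demo_create_buffer(uint32_t width, uint32_t height,
                                uint32_t bytes_per_pixel, uint64_t *out_bytes)
{
    if (!demo_check_buffer_size(width, height, bytes_per_pixel, out_bytes))
        return NULL;
    return calloc(1, (size_t)*out_bytes);
}

int main(void)
{
    uint64_t bytes = 0;
    void *ok = demo_create_buffer(1024u, 1024u, 4u, &bytes);
    printf("1024x1024x4: %s (%llu bytes)\n", ok ? "accepted" : "rejected",
           (unsigned long long)bytes);
    free(ok);
    /* The report's malloc(4228448304) expressed as a width with a 1x1-byte stride. */
    void *huge = demo_create_buffer(4228448304u, 1u, 1u, &bytes);
    printf("4228448304x1x1: %s\n", huge ? "accepted" : "rejected");
    free(huge);
    return 0;
}
```

The division-based comparison is the important design choice: it keeps the check correct for any 32-bit inputs without depending on compiler builtins, and the allocator is only reached once the size has passed it.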
Bug5 : Out-of-Bound Read in tgsi_text_translate()

==356346==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000001a at pc 0x0000004c9806 bp 0x7ffcb3e04ad0 sp 0x7ffcb3e04ac8
READ of size 1 at 0x60200000001a thread T0
    #0 0x4c9805 in eat_opt_white /home/fuzzing/Desktop/virglrenderer-master/build/../src/gallium/auxiliary/tgsi/tgsi_text.c:170:11
    #1 0x4c9805 in translate /home/fuzzing/Desktop/virglrenderer-master/build/../src/gallium/auxiliary/tgsi/tgsi_text.c:1828:4
    #2 0x4d260e in tgsi_text_translate /home/fuzzing/Desktop/virglrenderer-master/build/../src/gallium/auxiliary/tgsi/tgsi_text.c:1883:9
    #3 0x4d260e in main /home/fuzzing/Desktop/virglrenderer-master/build/../src/crash_eat_opt_white.c:25:5
    #4 0x7ff3d4d960b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #5 0x4215ad in _start (/home/fuzzing/Desktop/virglrenderer-master/build/src/crash_eat_opt_white+0x4215ad)
Bug Point: https://github.com/freedesktop/virglrenderer/blob/86eb26ee82ba9058cdccc3ece47fb02d3a167e36/src/gallium/auxiliary/tgsi/tgsi_text.c#L170
static void eat_opt_white( const char **pcur )
{
   while (**pcur == ' ' || **pcur == '\t' || **pcur == '\n')   /// <<< the shader_text length is never checked
      (*pcur)++;
}

A similar bug exists in the TGSI parse_immediate_data.
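Both eat_opt_white and parse_immediate_data walk the shader text with only the bytes themselves as a stop condition, so text that is not NUL-terminated (or whose terminator lies past the buffer) is read past its end. The following is an added example, not the TGSI parser's code, of the bounded form of both routines: the caller passes an explicit end pointer and every read is guarded by it. The demo_* names, the simplified integer-only immediate syntax and the sample buffers (deliberately built without a NUL terminator) are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Bounded variant of eat_opt_white: the caller passes the end of the buffer,
 * so the loop can never read past it even when the text lacks a NUL. */
static void demo_eat_opt_white(const char **pcur, const char *end)
{
    while (*pcur < end && (**pcur == ' ' || **pcur == '\t' || **pcur == '\n'))
        (*pcur)++;
}

/* Bounded immediate-data reader: parses up to max_vals decimal integers,
 * separated by commas with optional whitespace, from [cur, end).
 * Returns the number parsed, or -1 on malformed input. This is a constructed
 * simplification of a tgsi-style immediate parser, not the project's code. */
static int demo_parse_immediate_data(const char *cur, const char *end,
                                     long *vals, size_t max_vals)
{
    size_t n = 0;
    while (n < max_vals) {
        demo_eat_opt_white(&cur, end);
        if (cur >= end)
            break;                              /* clean end of input */
        bool neg = false;
        if (*cur == '-') {
            neg = true;
            cur++;
        }
        if (cur >= end || *cur < '0' || *cur > '9')
            return -1;                          /* a sign or separator with no digits */
        long v = 0;
        while (cur < end && *cur >= '0' && *cur <= '9') {
            v = v * 10 + (*cur - '0');          /* inputs are short here; overflow not handled */
            cur++;
        }
        vals[n++] = neg ? -v : v;
        demo_eat_opt_white(&cur, end);
        if (cur < end && *cur == ',')
            cur++;
        else if (cur < end)
            return -1;                          /* junk after a value */
    }
    return (int)n;
}

/* Constructed sample buffers, deliberately without a trailing NUL so that an
 * unbounded scanner would run off the end of each one. */
static const char demo_imm_text[] = {' ', '1', ',', ' ', '-', '2', '\t', ',', '3'};
static const char demo_ws_only[]  = {' ', ' ', '\n'};
static const char demo_bad_text[] = {'1', ' ', 'x'};

int main(void)
{
    long vals[4];
    int n = demo_parse_immediate_data(demo_imm_text, demo_imm_text + sizeof(demo_imm_text), vals, 4);
    printf("parsed %d values\n", n);
    for (int i = 0; i < n; i++)
        printf("  %ld\n", vals[i]);

    const char *p = demo_ws_only;
    demo_eat_opt_white(&p, demo_ws_only + sizeof(demo_ws_only));
    printf("whitespace-only buffer stopped exactly at end: %s\n",
           p == demo_ws_only + sizeof(demo_ws_only) ? "yes" : "no");

    printf("malformed input: %d\n",
           demo_parse_immediate_data(demo_bad_text, demo_bad_text + sizeof(demo_bad_text), vals, 4));
    return 0;
}
```

Running it under AddressSanitizer with the same non-terminated buffers is the direct check that the end-pointer discipline holds; the unbounded original would report a read past each array.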
Attachments:
crash_eat_opt_white.c <https://lists.freedesktop.org/archives/virglrenderer-devel/attachments/20211021/d08146f8/attachment-0007.c>
crash_parse_immediate_data.c <https://lists.freedesktop.org/archives/virglrenderer-devel/attachments/20211021/d08146f8/attachment-0008.c>
crash_vrend_decode_clear_texture.c <https://lists.freedesktop.org/archives/virglrenderer-devel/attachments/20211021/d08146f8/attachment-0009.c>
crash_vrend_decode_set_shader_images.c <https://lists.freedesktop.org/archives/virglrenderer-devel/attachments/20211021/d08146f8/attachment-0010.c>
crash_vrend_renderer_get_meminfo.c <https://lists.freedesktop.org/archives/virglrenderer-devel/attachments/20211021/d08146f8/attachment-0011.c>
oom_vrend_renderer_resource_create.c <https://lists.freedesktop.org/archives/virglrenderer-devel/attachments/20211021/d08146f8/attachment-0012.c>
oom_vrend_renderer_resource_create_2.c <https://lists.freedesktop.org/archives/virglrenderer-devel/attachments/20211021/d08146f8/attachment-0013.c>