<div><div><br></div><div>Bug1 : vrend_clear_texture NULL pointer dereference</div><div><br></div><div>AddressSanitizer:DEADLYSIGNAL</div><div>=================================================================</div><div>==135004==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000014 (pc 0x0000004e998b bp 0x7fff76493e70 sp 0x7fff76493e30 T0)</div><div>==135004==The signal is caused by a READ memory access.</div><div>==135004==Hint: address points to the zero page.</div><div>    #0 0x4e998b in vrend_clear_texture /home/fuzzing/Desktop/virglrenderer-master/build/../src/vrend_renderer.c:4055:39</div><div>    #1 0x4d7f7f in vrend_decode_clear_texture /home/fuzzing/Desktop/virglrenderer-master/build/../src/vrend_decode.c:232:4</div><div>    #2 0x4cfcdd in vrend_decode_ctx_submit_cmd /home/fuzzing/Desktop/virglrenderer-master/build/../src/vrend_decode.c:1706:13</div><div>    #3 0x4c9561 in main /home/fuzzing/Desktop/virglrenderer-master/build/../src/crash_vrend_decode_clear_texture.c:90:3</div><div>    #4 0x7f8dc7f220b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16</div><div>    #5 0x4215ad in _start (/home/fuzzing/Desktop/virglrenderer-master/build/src/crash_vrend_decode_clear_texture+0x4215ad)</div><div><br></div><div>AddressSanitizer can not provide additional info.</div><div>SUMMARY: AddressSanitizer: SEGV /home/fuzzing/Desktop/virglrenderer-master/build/../src/vrend_renderer.c:4055:39 in vrend_clear_texture</div><div>==135004==ABORTING</div><div><br></div><div>Bug Code ===> https://github.com/freedesktop/virglrenderer/blob/2a5fb800c6b0ce15ad37c2c698635e3e2d27b37c/src/vrend_renderer.c#L4056</div><div><br></div><div>The handle is read from the guest command buffer in vrend_decode_clear_texture(). Only handle == 0 is rejected; for a nonzero handle that is not bound in the context, vrend_renderer_ctx_res_lookup() returns NULL and res is dereferenced without a check. The faulting address 0x14 is a small offset from NULL, consistent with reading a field of a NULL res.</div><div><br></div><div>   if (handle)</div><div>      res = vrend_renderer_ctx_res_lookup(ctx, handle);  ///  returns NULL when the handle is not bound in this context</div><div>   else {</div><div>      vrend_printf( "cannot find resource for handle %d\n", handle);</div><div>      return;</div><div>   }</div><div>   enum virgl_formats fmt = res->base.format;   ///  NULL pointer dereference: res is never checked</div><div><br></div><div><br></div><div><br></div><div><br></div><div>Bug2 : vrend_set_single_image_view Out-of-Bounds Read</div><div>==117045==ERROR: AddressSanitizer: SEGV on unknown address 0x00016481bac4 (pc 0x0000004e51c3 bp 0x7ffc48c01a40 sp 0x7ffc48c01a00 T0)</div><div>==117045==The signal is caused by a READ memory access.</div><div>    #0 0x4e5433 in vrend_set_single_image_view /home/fuzzing/Desktop/virglrenderer-master/build/../src/vrend_renderer.c:3226:46</div><div>    #1 0x4d69cd in vrend_decode_set_shader_images /home/fuzzing/Desktop/virglrenderer-master/build/../src/vrend_decode.c:1273:7</div><div>    #2 0x4cfe0d in vrend_decode_ctx_submit_cmd /home/fuzzing/Desktop/virglrenderer-master/build/../src/vrend_decode.c:1706:13</div><div>    #3 0x4c9668 in main /home/fuzzing/Desktop/virglrenderer-master/build/../src/crash_vrend_decode_set_shader_images.c:109:3</div><div>    #4 0x7f0c305640b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16</div><div>    #5 0x4215ad in _start (/home/fuzzing/Desktop/virglrenderer-master/build/src/crash_vrend_decode_set_shader_images+0x4215ad)</div><div><br></div><div>Bug Code ===> https://github.com/freedesktop/virglrenderer/blob/2a5fb800c6b0ce15ad37c2c698635e3e2d27b37c/src/vrend_renderer.c#L3232</div><div><br></div><div>The format value is read from the guest command buffer with get_buf_entry() in vrend_decode_set_shader_images() and passed straight to vrend_set_single_image_view(), where it is used as an index into tex_conv_table with no range check. An out-of-range value reads past the end of the table.</div><div><br></div><div>    static int vrend_decode_set_shader_images(struct vrend_context *ctx, const uint32_t *buf, uint32_t length) {</div><div>        /// ....</div><div>        uint32_t format = get_buf_entry(buf, VIRGL_SET_SHADER_IMAGE_FORMAT(i));   ///  guest-controlled, unchecked</div><div>        /// ....</div><div>        vrend_set_single_image_view(..., format,...);</div><div>    }</div><div><br></div><div>    vrend_set_single_image_view( ...   uint32_t format  ...) 
{</div><div>        /// ....</div><div>        iview->texture = res;</div><div>        iview->format = tex_conv_table[format].internalformat;  ///  OOB read: format is never bounds-checked against the table</div><div>        iview->access = access;</div><div>        /// ....</div><div>    }</div><div><br></div><div><br></div><div><br></div><div><br></div><div>Bug3 : vrend_renderer_get_meminfo NULL pointer dereference</div><div>==140734==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000052247b bp 0x7ffcbbeee8e0 sp 0x7ffcbbeee800 T0)</div><div>==140734==The signal is caused by a READ memory access.</div><div>==140734==Hint: address points to the zero page.</div><div>    #0 0x52247b in vrend_renderer_get_meminfo /home/fuzzing/Desktop/virglrenderer-master/build/../src/vrend_renderer.c:11480:49</div><div>    #1 0x4d9129 in vrend_decode_get_memory_info /home/fuzzing/Desktop/virglrenderer-master/build/../src/vrend_decode.c:1570:4</div><div>    #2 0x4cfdbd in vrend_decode_ctx_submit_cmd /home/fuzzing/Desktop/virglrenderer-master/build/../src/vrend_decode.c:1706:13</div><div>    #3 0x4c9608 in main /home/fuzzing/Desktop/virglrenderer-master/build/../src/crash_vrend_renderer_get_meminfo.c:97:3</div><div>    #4 0x7f2aaab570b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16</div><div>    #5 0x4215ad in _start (/home/fuzzing/Desktop/virglrenderer-master/build/src/crash_vrend_renderer_get_meminfo+0x4215ad)</div><div><br></div><div>Bug Code ===> https://github.com/freedesktop/virglrenderer/blob/2a5fb800c6b0ce15ad37c2c698635e3e2d27b37c/src/vrend_renderer.c#L11521</div><div><br></div><div>    res = vrend_renderer_ctx_res_lookup(ctx, res_handle);</div><div>    if (!res) {</div><div>       vrend_report_context_error(ctx, VIRGL_ERROR_CTX_ILLEGAL_RESOURCE, res_handle);</div><div>       return;</div><div>    }</div><div><br></div><div>    info = (struct virgl_memory_info *)res->iov->iov_base;  ///  res->iov is not checked; it is NULL for resources created without a backing iov</div><div><br></div><div>Here the handle is checked but res->iov is not. In QEMU, virgl_cmd_create_resource_2d() calls virgl_renderer_resource_create() with iov = NULL (QEMU code: https://github.com/qemu/qemu/blob/afc9fcde55296b83f659de9da3cdf044812a6eeb/hw/display/virtio-gpu-virgl.c#L45), so a resource created through this path has res->iov == NULL, and the get-memory-info command (vrend_decode_get_memory_info in the trace above) reads through that NULL pointer.</div><div><br></div><div>    static void virgl_cmd_create_resource_2d(VirtIOGPU *g,</div><div>                                            struct virtio_gpu_ctrl_command *cmd)</div><div>    {</div><div>        ///...</div><div>        args.flags = VIRTIO_GPU_RESOURCE_FLAG_Y_0_TOP;</div><div>        virgl_renderer_resource_create(&args, NULL, 0);   ///  iov = NULL, num_iovs = 0</div><div>    }</div><div><br></div><div><br></div><div>    https://github.com/freedesktop/virglrenderer/blob/2a5fb800c6b0ce15ad37c2c698635e3e2d27b37c/src/vrend_renderer.c#L6938</div><div><br></div><div><br></div><div><br></div><div><br></div><div>Bug4 : Out-of-Memory in vrend_create_buffer</div><div><br></div><div>There are two trigger paths, glBufferData and glBufferStorage (see frame #12 in each trace below).</div><div>==121218== ERROR: libFuzzer: out-of-memory (malloc(4228448304))</div><div>   To change the out-of-memory limit use -rss_limit_mb=<N></div><div>    #0 0x52bf01 in __sanitizer_print_stack_trace (/home/fuzzing/Desktop/virglrenderer-master/build/src/virgl_fuzzer+0x52bf01)</div><div>    #1 0x477058 in fuzzer::PrintStackTrace() (/home/fuzzing/Desktop/virglrenderer-master/build/src/virgl_fuzzer+0x477058)</div><div>    #2 0x45b385 in fuzzer::Fuzzer::HandleMalloc(unsigned long) (/home/fuzzing/Desktop/virglrenderer-master/build/src/virgl_fuzzer+0x45b385)</div><div>    #3 0x45b29a in fuzzer::MallocHook(void const volatile*, unsigned long) (/home/fuzzing/Desktop/virglrenderer-master/build/src/virgl_fuzzer+0x45b29a)</div><div>    #4 0x532227 in __sanitizer::RunMallocHooks(void const*, unsigned long) (/home/fuzzing/Desktop/virglrenderer-master/build/src/virgl_fuzzer+0x532227)</div><div>    #5 0x4ac8e1 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) 
(/home/fuzzing/Desktop/virglrenderer-master/build/src/virgl_fuzzer+0x4ac8e1)</div><div>    #6 0x4ad055 in __asan::asan_posix_memalign(void**, unsigned long, unsigned long, __sanitizer::BufferedStackTrace*) (/home/fuzzing/Desktop/virglrenderer-master/build/src/virgl_fuzzer+0x4ad055)</div><div>    #7 0x523ecb in posix_memalign (/home/fuzzing/Desktop/virglrenderer-master/build/src/virgl_fuzzer+0x523ecb)</div><div>    #8 0x7fed343e9924  (/usr/lib/x86_64-linux-gnu/dri/swrast_dri.so+0x7fe924)</div><div>    #9 0x7fed33d92539  (/usr/lib/x86_64-linux-gnu/dri/swrast_dri.so+0x1a7539)</div><div>    #10 0x7fed33e14c2e  (/usr/lib/x86_64-linux-gnu/dri/swrast_dri.so+0x229c2e)</div><div>    #11 0x7fed33e1736f  (/usr/lib/x86_64-linux-gnu/dri/swrast_dri.so+0x22c36f)</div><div>    #12 0x5a2509 in vrend_create_buffer /home/fuzzing/Desktop/virglrenderer-master/build/../src/vrend_renderer.c:6976:7   ///  glBufferData</div><div>    #13 0x5a2509 in vrend_resource_alloc_buffer /home/fuzzing/Desktop/virglrenderer-master/build/../src/vrend_renderer.c:7031:7</div><div>    #14 0x5a2509 in vrend_renderer_resource_create /home/fuzzing/Desktop/virglrenderer-master/build/../src/vrend_renderer.c:7336:13</div><div>    #15 0x627b50 in virgl_renderer_resource_create_internal /home/fuzzing/Desktop/virglrenderer-master/build/../src/virglrenderer.c:93:15</div><div>    #16 0x5536f1 in LLVMFuzzerTestOneInput /home/fuzzing/Desktop/virglrenderer-master/build/../src/virgl_fuzzer.c:241:10</div><div>    #17 0x45d861 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/fuzzing/Desktop/virglrenderer-master/build/src/virgl_fuzzer+0x45d861)</div><div>    #18 0x448fd2 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/home/fuzzing/Desktop/virglrenderer-master/build/src/virgl_fuzzer+0x448fd2)</div><div>    #19 0x44ea86 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/fuzzing/Desktop/virglrenderer-master/build/src/virgl_fuzzer+0x44ea86)</div><div>    #20 0x477742 in main (/home/fuzzing/Desktop/virglrenderer-master/build/src/virgl_fuzzer+0x477742)</div><div>    #21 0x7fed38e280b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16</div><div>    #22 0x42369d in _start (/home/fuzzing/Desktop/virglrenderer-master/build/src/virgl_fuzzer+0x42369d)</div><div><br></div><div><br></div><div>==121218== ERROR: libFuzzer: out-of-memory (malloc(4228448304))</div><div>   To change the out-of-memory limit use -rss_limit_mb=<N></div><div>    #12 0x5a2509 in vrend_create_buffer /home/fuzzing/Desktop/virglrenderer-master/build/../src/vrend_renderer.c:6933:   ///  glBufferStorage</div><div>    #13 0x5a2509 in vrend_resource_alloc_buffer /home/fuzzing/Desktop/virglrenderer-master/build/../src/vrend_renderer.c:7031:7</div><div>    #14 0x5a2509 in vrend_renderer_resource_create /home/fuzzing/Desktop/virglrenderer-master/build/../src/vrend_renderer.c:7336:13</div><div>    #15 0x627b50 in virgl_renderer_resource_create_internal /home/fuzzing/Desktop/virglrenderer-master/build/../src/virglrenderer.c:93:15</div><div>    #16 0x5536f1 in LLVMFuzzerTestOneInput /home/fuzzing/Desktop/virglrenderer-master/build/../src/virgl_fuzzer.c:241:10</div><div>    #17 0x45d861 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/fuzzing/Desktop/virglrenderer-master/build/src/virgl_fuzzer+0x45d861)</div><div>    #18 0x448fd2 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/home/fuzzing/Desktop/virglrenderer-master/build/src/virgl_fuzzer+0x448fd2)</div><div>    #19 0x44ea86 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/fuzzing/Desktop/virglrenderer-master/build/src/virgl_fuzzer+0x44ea86)</div><div>    #20 0x477742 in main (/home/fuzzing/Desktop/virglrenderer-master/build/src/virgl_fuzzer+0x477742)</div><div>    #21 0x7fed38e280b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16</div><div>    #22 0x42369d in _start (/home/fuzzing/Desktop/virglrenderer-master/build/src/virgl_fuzzer+0x42369d)</div><div><br></div><div>Bug Point:</div><div>    https://github.com/freedesktop/virglrenderer/blob/2a5fb800c6b0ce15ad37c2c698635e3e2d27b37c/src/vrend_renderer.c#L6938</div><div>    https://github.com/freedesktop/virglrenderer/blob/2a5fb800c6b0ce15ad37c2c698635e3e2d27b37c/src/vrend_renderer.c#L6983</div><div><br></div><div>The width parameter is guest-controlled and is not bounded before the buffer is allocated, so a guest can make the host renderer attempt an allocation of arbitrary size (here malloc(4228448304), about 3.9 GiB) through either GL path.</div><div><br></div><div><br></div><div><br></div><div><br></div><div>Bug5 : Out-of-Bounds Read in tgsi_text_translate()</div><div>==356346==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000001a at pc 0x0000004c9806 bp 0x7ffcb3e04ad0 sp 0x7ffcb3e04ac8</div><div>READ of size 1 at 0x60200000001a thread T0</div><div>    #0 0x4c9805 in eat_opt_white /home/fuzzing/Desktop/virglrenderer-master/build/../src/gallium/auxiliary/tgsi/tgsi_text.c:170:11</div><div>    #1 0x4c9805 in translate /home/fuzzing/Desktop/virglrenderer-master/build/../src/gallium/auxiliary/tgsi/tgsi_text.c:1828:4</div><div>    #2 0x4d260e in tgsi_text_translate /home/fuzzing/Desktop/virglrenderer-master/build/../src/gallium/auxiliary/tgsi/tgsi_text.c:1883:9</div><div>    #3 0x4d260e in main /home/fuzzing/Desktop/virglrenderer-master/build/../src/crash_eat_opt_white.c:25:5</div><div>    #4 0x7ff3d4d960b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16</div><div>    #5 0x4215ad in _start (/home/fuzzing/Desktop/virglrenderer-master/build/src/crash_eat_opt_white+0x4215ad)</div><div><br></div><div>Bug Point:</div><div>    https://github.com/freedesktop/virglrenderer/blob/86eb26ee82ba9058cdccc3ece47fb02d3a167e36/src/gallium/auxiliary/tgsi/tgsi_text.c#L170</div><div><br></div><div>    static void eat_opt_white( const char **pcur )</div><div>    {</div><div>       while (**pcur == ' ' || **pcur == '\t' || **pcur == '\n')   ///  no end-of-buffer check: the loop relies on a terminating NUL</div><div>          (*pcur)++;</div><div>    }</div><div><br></div><div>eat_opt_white() advances the cursor until it meets a non-whitespace byte and is never told the length of the shader text. If the text is not NUL-terminated within its allocation, the loop reads past the end of the heap buffer (the READ of size 1 above). A similar unbounded read exists in parse_immediate_data() in the same TGSI text parser.</div></div><div><br></div>
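<div>The five reports above share one root cause: values decoded from the guest command stream (a resource handle, a format index, a buffer width, a shader string) are used before they are checked. The C program below is added here and is not virglrenderer or QEMU code; it applies each missing check to a constructed mini decoder. The struct resource table, the fmt_internal table, the MAX_BUFFER_BYTES cap and all function names are assumptions made for this illustration.</div>

```c
/* Added example, not virglrenderer or QEMU code: the checks the five reports
 * above are missing, applied to a constructed mini decoder. All names, tables
 * and the size cap are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

struct iov_like { void *iov_base; size_t iov_len; };

/* Stand-in for a renderer resource bound to a guest handle. A resource may
 * have no backing iov at all (Bug3: QEMU creates 2D resources with iov NULL). */
struct resource {
    uint32_t handle;
    struct iov_like *iov;
};

static char meminfo_storage[16];                             /* constructed */
static struct iov_like backing = { meminfo_storage, sizeof meminfo_storage };
static struct resource res_table[] = {                       /* constructed */
    { 1, &backing },
    { 2, NULL },   /* created without an iov, like QEMU's 2D resources */
};

/* Bug1/Bug3: the lookup returns NULL for any handle that is not bound. */
static struct resource *res_lookup(uint32_t handle)
{
    for (size_t i = 0; i < ARRAY_SIZE(res_table); i++)
        if (res_table[i].handle == handle)
            return &res_table[i];
    return NULL;
}

/* Hardened Bug1/Bug3: check the lookup result and the iov before use. */
static void *meminfo_base(uint32_t handle)
{
    struct resource *res = res_lookup(handle);
    if (!res)          /* Bug1: nonzero but unbound handle */
        return NULL;
    if (!res->iov)     /* Bug3: bound resource with no backing iov */
        return NULL;
    return res->iov->iov_base;
}

/* Hardened Bug2: a format index from the command stream is checked against
 * the table size before it is used as a subscript. */
static const uint32_t fmt_internal[] = { 0x8058, 0x8051, 0x8229 }; /* constructed */

static bool format_lookup(uint32_t format, uint32_t *out)
{
    if (format >= ARRAY_SIZE(fmt_internal))
        return false;
    *out = fmt_internal[format];
    return true;
}

/* Hardened Bug4: compute the byte size in 64 bits and cap it before asking
 * the GL driver to allocate. The cap is a hypothetical policy value. */
#define MAX_BUFFER_BYTES (256u * 1024u * 1024u)

static bool buffer_size_ok(uint32_t width, uint32_t bytes_per_elem, size_t *out)
{
    uint64_t bytes = (uint64_t)width * bytes_per_elem;   /* cannot wrap */
    if (bytes == 0 || bytes > MAX_BUFFER_BYTES)
        return false;
    *out = (size_t)bytes;
    return true;
}

/* Hardened Bug5: skip whitespace within [*pcur, end) instead of trusting a
 * NUL terminator that may not exist inside the allocation. */
static void eat_opt_white_bounded(const char **pcur, const char *end)
{
    while (*pcur < end && (**pcur == ' ' || **pcur == '\t' || **pcur == '\n'))
        (*pcur)++;
}

/* Number of leading whitespace bytes in text[0..len), never reading past len. */
static size_t count_leading_white(const char *text, size_t len)
{
    const char *cur = text;
    eat_opt_white_bounded(&cur, text + len);
    return (size_t)(cur - text);
}

int main(void)
{
    uint32_t fmt = 0;
    size_t bytes = 0;
    char no_nul[4] = { ' ', '\t', ' ', ' ' };   /* constructed: not NUL-terminated */

    printf("handle 1 / 2 / 7 iov_base: %s / %s / %s\n",
           meminfo_base(1) ? "present" : "NULL",
           meminfo_base(2) ? "present" : "NULL",
           meminfo_base(7) ? "present" : "NULL");
    printf("format 5 accepted: %d\n", format_lookup(5, &fmt));
    printf("width 0x40000000 x 4 accepted: %d\n", buffer_size_ok(0x40000000u, 4, &bytes));
    printf("leading whitespace in unterminated text: %zu\n",
           count_leading_white(no_nul, sizeof no_nul));
    return 0;
}
```

<div>Each function rejects the input the corresponding report shows crashing the renderer: an unbound handle or a resource without an iov (Bug1, Bug3), a format index past the end of the table (Bug2), a width whose byte size overflows or exceeds the cap (Bug4), and whitespace skipping past the end of a buffer that has no NUL terminator (Bug5). The recurring rule is that the decoder, not the GL driver or the caller, owns validation of anything the guest wrote into the command buffer.</div>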