path: root/meta/recipes-graphics/virglrenderer/virglrenderer/cve-2022-0175.patch
blob: 8bbb9eb57914da92d99211dd5438ded9c6bf9e50 (plain)
From 5ca7aca001092c557f0b6fc1ba3db7dcdab860b7 Mon Sep 17 00:00:00 2001
From: Gert Wollny <gert.wollny@collabora.com>
Date: Tue, 30 Nov 2021 09:29:42 +0100
Subject: [PATCH 1/2] vrend: clear memory when allocating a host-backed memory
 resource

Closes: #249
Signed-off-by: Gert Wollny <gert.wollny@collabora.com>
Reviewed-by: Chia-I Wu <olvaffe@gmail.com>

cherry-pick from anongit.freedesktop.org/virglrenderer
commit b05bb61...

CVE: CVE-2022-0175
Upstream-Status: Backport
Signed-off-by: Joe Slater <joe.slater@windriver.com>

Patch to vrend_renderer.c modified to apply to version used by hardknott.
Patch to test_virgl_transfer.c unchanged.

Signed-off-by: Joe Slater <joe.slater@windriver.com>

---
 src/vrend_renderer.c        |  2 +-
 tests/test_virgl_transfer.c | 51 +++++++++++++++++++++++++++++++++++++
 2 files changed, 52 insertions(+), 1 deletion(-)

diff --git a/src/vrend_renderer.c b/src/vrend_renderer.c
index ad7a351..d84f785 100644
--- a/src/vrend_renderer.c
+++ b/src/vrend_renderer.c
@@ -6646,7 +6646,7 @@ int vrend_renderer_resource_create(struct vrend_renderer_resource_create_args *a
       if (args->bind == VIRGL_BIND_CUSTOM) {
          /* use iovec directly when attached */
          gr->storage_bits |= VREND_STORAGE_HOST_SYSTEM_MEMORY;
-         gr->ptr = malloc(args->width);
+         gr->ptr = calloc(1, args->width);
          if (!gr->ptr) {
             FREE(gr);
             return ENOMEM;
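Review bot: The new `calloc(1, args->width)` line carries no comment saying why this buffer must be zero-filled, so a later cleanup could turn it back into `malloc` without anyone noticing the exposure. The test added in this same patch reads the resource back with `virgl_renderer_transfer_read_iov` before anything has been written to it, so whatever the allocation holds is what the caller receives. I would add above the allocation `/* zero-fill: this storage can be read back before it is ever written, so it must not expose stale heap contents (CVE-2022-0175) */`. `vrend_renderer_resource_create` starts and ends outside this hunk, so any other allocation paths in it cannot be checked from here.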
diff --git a/tests/test_virgl_transfer.c b/tests/test_virgl_transfer.c
index 2c8669a..8f8e98a 100644
--- a/tests/test_virgl_transfer.c
+++ b/tests/test_virgl_transfer.c
@@ -952,6 +952,56 @@ START_TEST(virgl_test_transfer_near_res_bounds_with_stride_succeeds)
 }
 END_TEST
 
+START_TEST(test_vrend_host_backed_memory_no_data_leak)
+{
+   struct iovec iovs[1];
+   int niovs = 1;
+
+   struct virgl_context ctx = {0};
+
+   int ret = testvirgl_init_ctx_cmdbuf(&ctx);
+
+   struct virgl_renderer_resource_create_args res;
+   res.handle = 0x400;
+   res.target = PIPE_BUFFER;
+   res.format = VIRGL_FORMAT_R8_UNORM;
+   res.nr_samples = 0;
+   res.last_level = 0;
+   res.array_size = 1;
+   res.bind = VIRGL_BIND_CUSTOM;
+   res.depth = 1;
+   res.width = 32;
+   res.height = 1;
+   res.flags = 0;
+
+   uint32_t size = 32;
+   uint8_t* data = calloc(1, size);
+   memset(data, 1, 32);
+   iovs[0].iov_base = data;
+   iovs[0].iov_len = size;
+
+   struct pipe_box box = {0,0,0, size, 1,1};
+
+   virgl_renderer_resource_create(&res, NULL, 0);
+   virgl_renderer_ctx_attach_resource(ctx.ctx_id, res.handle);
+
+   ret = virgl_renderer_transfer_read_iov(res.handle, ctx.ctx_id, 0, 0, 0,
+                                          (struct virgl_box *)&box, 0, iovs, niovs);
+
+   ck_assert_int_eq(ret, 0);
+
+   for (int i = 0; i < 32; ++i)
+      ck_assert_int_eq(data[i], 0);
+
+   virgl_renderer_ctx_detach_resource(1, res.handle);
+
+   virgl_renderer_resource_unref(res.handle);
+   free(data);
+
+}
+END_TEST
+
+
 static Suite *virgl_init_suite(void)
 {
   Suite *s;
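Review bot: In `test_vrend_host_backed_memory_no_data_leak` the result of `testvirgl_init_ctx_cmdbuf(&ctx)` is stored in `ret` and then overwritten by the transfer call without being checked, and the return value of `virgl_renderer_resource_create` is dropped, so a setup failure only shows up indirectly. I would add `ck_assert_int_eq(ret, 0);` directly after the init call and assert the create call's result the same way. The detach passes the literal `1` where the attach used `ctx.ctx_id`; `virgl_renderer_ctx_detach_resource(ctx.ctx_id, res.handle);` keeps the pair consistent. As a regression guard the zero check is also weaker than it looks, since a freshly allocated block often happens to be zero, so the test may pass even if the allocation is reverted to `malloc`; a comment saying so would help.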
@@ -981,6 +1031,7 @@ static Suite *virgl_init_suite(void)
   tcase_add_test(tc_core, virgl_test_transfer_buffer_bad_strides);
   tcase_add_test(tc_core, virgl_test_transfer_2d_array_bad_layer_stride);
   tcase_add_test(tc_core, virgl_test_transfer_2d_bad_level);
+  tcase_add_test(tc_core, test_vrend_host_backed_memory_no_data_leak);
 
   tcase_add_loop_test(tc_core, virgl_test_transfer_res_read_valid, 0, PIPE_MAX_TEXTURE_TYPES);
   tcase_add_loop_test(tc_core, virgl_test_transfer_res_write_valid, 0, PIPE_MAX_TEXTURE_TYPES);
-- 
2.31.1