Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package virglrenderer for openSUSE:Factory checked in at 2022-02-06 23:53:22 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/virglrenderer (Old) and /work/SRC/openSUSE:Factory/.virglrenderer.new.1898 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "virglrenderer" Sun Feb 6 23:53:22 2022 rev:15 rq:950889 version:0.9.1 Changes: -------- --- /work/SRC/openSUSE:Factory/virglrenderer/virglrenderer.changes 2022-01-23 12:16:37.720090719 +0100 +++ /work/SRC/openSUSE:Factory/.virglrenderer.new.1898/virglrenderer.changes 2022-02-06 23:53:26.995153258 +0100 @@ -1,0 +2,7 @@ +Wed Feb 2 09:33:17 UTC 2022 - Michael Vetter <mvet...@suse.com> + +- security update + * Fix OOB in read_transfer_data() (CVE-2022-0135 bsc#1195389) + Add virglrenderer-CVE-2022-0135.patch + +------------------------------------------------------------------- New: ---- virglrenderer-CVE-2022-0135.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ virglrenderer.spec ++++++ --- /var/tmp/diff_new_pack.UilIih/_old 2022-02-06 23:53:29.151138882 +0100 +++ /var/tmp/diff_new_pack.UilIih/_new 2022-02-06 23:53:29.155138856 +0100 @@ -27,6 +27,8 @@ Source0: https://gitlab.freedesktop.org/virgl/%{name}/-/archive/%{name}-%{version}/%{name}-%{name}-%{version}.tar.gz # CVE-2022-0175 [bsc#1194601], VUL-0: CVE-2022-0175: virglrenderer: Missing initialization of res->ptr Patch0: virglrenderer-CVE-2022-0175.patch +# CVE-2022-0135 [bsc#1195389], VUL-0: CVE-2022-0135: virglrenderer: out-of-bounds write in read_transfer_data() +Patch1: virglrenderer-CVE-2022-0135.patch BuildRequires: Mesa-devel BuildRequires: meson >= 0.46 BuildRequires: pkgconfig >= 0.9.0 @@ -73,6 +75,7 @@ %prep %setup -q -n %{name}-%{name}-%{version} %patch0 -p1 +%patch1 -p1 %build %meson ++++++ virglrenderer-CVE-2022-0135.patch ++++++ Index: virglrenderer-virglrenderer-0.9.1/src/vrend_renderer.c =================================================================== --- virglrenderer-virglrenderer-0.9.1.orig/src/vrend_renderer.c +++ virglrenderer-virglrenderer-0.9.1/src/vrend_renderer.c @@ -7568,8 +7568,11 @@ static int vrend_renderer_transfer_write info->box->height) * elsize; if (res->target == GL_TEXTURE_3D || res->target == GL_TEXTURE_2D_ARRAY || + res->target == GL_TEXTURE_2D_MULTISAMPLE_ARRAY || res->target == GL_TEXTURE_CUBE_MAP_ARRAY) send_size *= info->box->depth; + else if (need_temp && info->box->depth != 1) + return EINVAL; if (need_temp) { data = malloc(send_size); Index: virglrenderer-virglrenderer-0.9.1/tests/test_fuzzer_formats.c =================================================================== --- virglrenderer-virglrenderer-0.9.1.orig/tests/test_fuzzer_formats.c +++ virglrenderer-virglrenderer-0.9.1/tests/test_fuzzer_formats.c @@ -958,6 +958,48 @@ static void test_vrend_set_signle_abo_he virgl_renderer_submit_cmd((void *) cmd, ctx_id, 0xde); } +/* Test adapted from yaojun8558...@gmail.com: + * https://gitlab.freedesktop.org/virgl/virglrenderer/-/issues/250 + */ +static void test_vrend_3d_resource_overflow() { + + struct virgl_renderer_resource_create_args resource; + resource.handle = 0x4c474572; + resource.target = PIPE_TEXTURE_2D_ARRAY; + resource.format = VIRGL_FORMAT_Z24X8_UNORM; + resource.nr_samples = 2; + resource.last_level = 0; + resource.array_size = 3; + resource.bind = VIRGL_BIND_SAMPLER_VIEW; + resource.depth = 1; + resource.width = 8; + resource.height = 4; + resource.flags = 0; + + virgl_renderer_resource_create(&resource, NULL, 0); + virgl_renderer_ctx_attach_resource(ctx_id, resource.handle); + + uint32_t size = 0x400; + uint32_t cmd[size]; + int i = 0; + cmd[i++] = (size - 1) << 16 | 0 << 8 | VIRGL_CCMD_RESOURCE_INLINE_WRITE; + cmd[i++] = resource.handle; + cmd[i++] = 0; // level + cmd[i++] = 0; // usage + cmd[i++] = 0; // stride + cmd[i++] = 0; // layer_stride + cmd[i++] = 0; // x + cmd[i++] = 0; // y + cmd[i++] = 0; // z + cmd[i++] = 8; // w + cmd[i++] = 4; // h + cmd[i++] = 3; // d + memset(&cmd[i], 0, size - i); + + virgl_renderer_submit_cmd((void *) cmd, ctx_id, size); +} + + int main() { initialize_environment(); @@ -980,6 +1022,7 @@ int main() test_cs_nullpointer_deference(); test_vrend_set_signle_abo_heap_overflow(); + test_vrend_3d_resource_overflow(); virgl_renderer_context_destroy(ctx_id); virgl_renderer_cleanup(&cookie);
