Hello community,
here is the log from the commit of package virglrenderer for openSUSE:Factory
checked in at 2019-12-25 10:54:23
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/virglrenderer (Old)
and /work/SRC/openSUSE:Factory/.virglrenderer.new.6675 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "virglrenderer"
Wed Dec 25 10:54:23 2019 rev:8 rq:758914 version:0.8.0
Changes:
--------
--- /work/SRC/openSUSE:Factory/virglrenderer/virglrenderer.changes
2019-12-02 11:36:03.486431853 +0100
+++ /work/SRC/openSUSE:Factory/.virglrenderer.new.6675/virglrenderer.changes
2019-12-25 10:54:46.665628857 +0100
@@ -1,0 +2,20 @@
+Mon Dec 23 05:33:34 UTC 2019 - l...@suse.com
+
+- Add 5 security fixes
+* Check resource creation more thoroughly (CVE-2019-18388 bsc#1159479)
+ 0001-5d03711-vrend-Keep-the-max-texture-sizes-in-the-vrend_state.patch
+ 0002-0d9a2c8-vrend-Check-resource-creation-more-thoroughly.patch
+
+* check info formats in blits (CVE-2019-18390 bsc#1159478)
+ 0003-24f67de-vrend-check-info-formats-in-blits.patch
+
+* check transfer bounds for negative values too (CVE-2019-18389 bsc#1159482)
+ 0004-cbc8d8b-vrend-check-transfer-bounds-for-negative-values-too-.patch
+
+* check transfer iov holds enough data for the data upload (CVE-2019-18391
bsc#1159486)
+ 0005-2abeb18-vrend-check-that-the-transfer-iov-holds-enough-data-.patch
+
+* Add an assert for allocating the intermediate texture (CVE-2019-18392
bsc#1159454)
+ 0006-164d758-vrend-Add-an-assert-for-allocating-the-intermediate-.patch
+
+-------------------------------------------------------------------
New:
----
0001-5d03711-vrend-Keep-the-max-texture-sizes-in-the-vrend_state.patch
0002-0d9a2c8-vrend-Check-resource-creation-more-thoroughly.patch
0003-24f67de-vrend-check-info-formats-in-blits.patch
0004-cbc8d8b-vrend-check-transfer-bounds-for-negative-values-too-.patch
0005-2abeb18-vrend-check-that-the-transfer-iov-holds-enough-data-.patch
0006-164d758-vrend-Add-an-assert-for-allocating-the-intermediate-.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ virglrenderer.spec ++++++
--- /var/tmp/diff_new_pack.cbABLn/_old 2019-12-25 10:54:48.237629350 +0100
+++ /var/tmp/diff_new_pack.cbABLn/_new 2019-12-25 10:54:48.237629350 +0100
@@ -1,7 +1,7 @@
#
# spec file for package virglrenderer
#
-# Copyright (c) 2019 SUSE LLC
+# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -36,6 +36,14 @@
BuildRequires: pkgconfig(python2)
BuildRequires: pkgconfig(x11)
+#Upstream patches:
+Patch0001:
0001-5d03711-vrend-Keep-the-max-texture-sizes-in-the-vrend_state.patch
+Patch0002:
0002-0d9a2c8-vrend-Check-resource-creation-more-thoroughly.patch
+Patch0003: 0003-24f67de-vrend-check-info-formats-in-blits.patch
+Patch0004:
0004-cbc8d8b-vrend-check-transfer-bounds-for-negative-values-too-.patch
+Patch0005:
0005-2abeb18-vrend-check-that-the-transfer-iov-holds-enough-data-.patch
+Patch0006:
0006-164d758-vrend-Add-an-assert-for-allocating-the-intermediate-.patch
+
%description
The virgil3d rendering library is a library used by
qemu to implement 3D GPU support for the virtio GPU.
@@ -72,6 +80,12 @@
%prep
%setup -q -n %{name}-%{name}-%{version}
+%patch0001 -p1
+%patch0002 -p1
+%patch0003 -p1
+%patch0004 -p1
+%patch0005 -p1
+%patch0006 -p1
%build
sed -i -e 's|@CODE_COVERAGE_RULES@| |g' Makefile.am
++++++ 0001-5d03711-vrend-Keep-the-max-texture-sizes-in-the-vrend_state.patch
++++++
commit 5d03711f88643b6b6639aebd8983c179cdd248b0
Author: Gert Wollny <gert.wol...@collabora.com>
Date: Mon Oct 7 17:15:37 2019 +0200
vrend: Keep the max texture sizes in the vrend_state
This is needed to check the resource creation parameters.
Signed-off-by: Gert Wollny <gert.wol...@collabora.com>
Reviewed-by: Emil Velikov <emil.veli...@collabora.com>
Index: virglrenderer-virglrenderer-0.8.0/src/vrend_renderer.c
===================================================================
--- virglrenderer-virglrenderer-0.8.0.orig/src/vrend_renderer.c
+++ virglrenderer-virglrenderer-0.8.0/src/vrend_renderer.c
@@ -278,6 +278,9 @@ struct global_renderer_state {
/* these appeared broken on at least one driver */
bool use_explicit_locations;
uint32_t max_draw_buffers;
+ uint32_t max_texture_2d_size;
+ uint32_t max_texture_3d_size;
+ uint32_t max_texture_cube_size;
struct list_head active_ctx_list;
/* threaded sync */
@@ -5685,6 +5688,10 @@ int vrend_renderer_init(struct vrend_if_
vrend_state.inited = true;
vrend_object_init_resource_table();
vrend_clicbs = cbs;
+ /* Give some defaults to be able to run the tests */
+ vrend_state.max_texture_2d_size =
+ vrend_state.max_texture_3d_size =
+ vrend_state.max_texture_cube_size = 16384;
}
#ifndef NDEBUG
@@ -9306,6 +9313,12 @@ static void vrend_renderer_fill_caps_v2(
glGetIntegerv(GL_MAX_TEXTURE_SIZE, (GLint*)&caps->v2.max_texture_2d_size);
glGetIntegerv(GL_MAX_3D_TEXTURE_SIZE,
(GLint*)&caps->v2.max_texture_3d_size);
glGetIntegerv(GL_MAX_CUBE_MAP_TEXTURE_SIZE,
(GLint*)&caps->v2.max_texture_cube_size);
+ vrend_state.max_texture_2d_size = caps->v2.max_texture_2d_size;
+ vrend_state.max_texture_3d_size = caps->v2.max_texture_3d_size;
+ vrend_state.max_texture_cube_size = caps->v2.max_texture_cube_size;
+ VREND_DEBUG(dbg_features, NULL, "Texture limits: 2D:%u 3D:%u Cube:%u\n",
+ vrend_state.max_texture_2d_size,
vrend_state.max_texture_3d_size,
+ vrend_state.max_texture_cube_size);
if (has_feature(feat_geometry_shader)) {
glGetIntegerv(GL_MAX_GEOMETRY_OUTPUT_VERTICES,
(GLint*)&caps->v2.max_geom_output_vertices);
++++++ 0002-0d9a2c8-vrend-Check-resource-creation-more-thoroughly.patch ++++++
commit 0d9a2c88dc3a70023541b3260b9f00c982abda16
Author: Gert Wollny <gert.wol...@collabora.com>
Date: Thu Oct 10 09:42:25 2019 +0200
vrend: Check resource creation more thoroughly
While we are at it:
- free memory if texture allocation fails
Closes #144
Closes #145
Closes #146
v2: Move the error string creation to extra patch (Emil)
v3: Fix whitespace errors (Emil) and one logic error
Signed-off-by: Gert Wollny <gert.wol...@collabora.com>
Reviewed-by: Emil Velikov <emil.veli...@collabora.com>
Index: virglrenderer-virglrenderer-0.8.0/src/vrend_renderer.c
===================================================================
--- virglrenderer-virglrenderer-0.8.0.orig/src/vrend_renderer.c
+++ virglrenderer-virglrenderer-0.8.0/src/vrend_renderer.c
@@ -6037,6 +6037,8 @@ static int check_resource_valid(struct v
if (args->format >= VIRGL_FORMAT_MAX)
return -1;
+ bool format_can_texture_storage = has_feature(feat_texture_storage) &&
+ (tex_conv_table[args->format].flags &
VIRGL_TEXTURE_CAN_TEXTURE_STORAGE);
/* only texture 2d and 2d array can have multiple samples */
if (args->nr_samples > 0) {
@@ -6054,15 +6056,18 @@ static int check_resource_valid(struct v
/* buffer and rect textures can't have mipmaps */
if (args->target == PIPE_BUFFER || args->target == PIPE_TEXTURE_RECT)
return -1;
+
if (args->last_level > (floor(log2(MAX2(args->width, args->height))) +
1))
return -1;
}
+
if (args->flags != 0 && args->flags != VIRGL_RESOURCE_Y_0_TOP)
return -1;
- if (args->flags & VIRGL_RESOURCE_Y_0_TOP)
+ if (args->flags & VIRGL_RESOURCE_Y_0_TOP) {
if (args->target != PIPE_TEXTURE_2D && args->target != PIPE_TEXTURE_RECT)
return -1;
+ }
/* array size for array textures only */
if (args->target == PIPE_TEXTURE_CUBE) {
@@ -6081,6 +6086,9 @@ static int check_resource_valid(struct v
if (!has_feature(feat_texture_array))
return -1;
}
+ if (format_can_texture_storage && !args->width) {
+ return -1;
+ }
if (args->bind == 0 ||
args->bind == VIRGL_BIND_CUSTOM ||
@@ -6114,11 +6122,55 @@ static int check_resource_valid(struct v
args->target == PIPE_TEXTURE_CUBE_ARRAY) {
if (args->depth != 1)
return -1;
+ if (format_can_texture_storage && !args->height) {
+ return -1;
+ }
}
if (args->target == PIPE_TEXTURE_1D ||
args->target == PIPE_TEXTURE_1D_ARRAY) {
if (args->height != 1 || args->depth != 1)
return -1;
+ if (args->width > vrend_state.max_texture_2d_size) {
+ return -1;
+ }
+ }
+
+ if (args->target == PIPE_TEXTURE_2D ||
+ args->target == PIPE_TEXTURE_RECT ||
+ args->target == PIPE_TEXTURE_2D_ARRAY) {
+ if (args->width > vrend_state.max_texture_2d_size ||
+ args->height > vrend_state.max_texture_2d_size) {
+ return -1;
+ }
+ }
+
+ if (args->target == PIPE_TEXTURE_3D) {
+ if (format_can_texture_storage &&
+ (!args->height || !args->depth)) {
+ return -1;
+ }
+ if (args->width > vrend_state.max_texture_3d_size ||
+ args->height > vrend_state.max_texture_3d_size ||
+ args->depth > vrend_state.max_texture_3d_size) {
+ return -1;
+ }
+ }
+ if (args->target == PIPE_TEXTURE_2D_ARRAY ||
+ args->target == PIPE_TEXTURE_CUBE_ARRAY ||
+ args->target == PIPE_TEXTURE_1D_ARRAY) {
+ if (format_can_texture_storage &&
+ !args->array_size) {
+ return -1;
+ }
+ }
+ if (args->target == PIPE_TEXTURE_CUBE ||
+ args->target == PIPE_TEXTURE_CUBE_ARRAY) {
+ if (args->width != args->height) {
+ return -1;
+ }
+ if (args->width > vrend_state.max_texture_cube_size) {
+ return -1;
+ }
}
}
return 0;
@@ -6428,8 +6480,10 @@ int vrend_renderer_resource_create(struc
vrend_create_buffer(gr, args->width);
} else {
int r = vrend_renderer_resource_allocate_texture(gr, image_oes);
- if (r)
+ if (r) {
+ FREE(gr);
return r;
+ }
}
ret = vrend_resource_insert(gr, args->handle);
++++++ 0003-24f67de-vrend-check-info-formats-in-blits.patch ++++++
commit 24f67de7a9088a873844a39be03cee6882260ac9
Author: Gert Wollny <gert.wol...@collabora.com>
Date: Mon Oct 7 10:59:56 2019 +0200
vrend: check info formats in blits
Closes #141
Closes #142
v2 : drop colon in error description (Emil)
Signed-off-by: Gert Wollny <gert.wol...@collabora.com>
Reviewed-by: Emil Velikov <emil.veli...@collabora.com>
Index: virglrenderer-virglrenderer-0.8.0/src/virgl_hw.h
===================================================================
--- virglrenderer-virglrenderer-0.8.0.orig/src/virgl_hw.h
+++ virglrenderer-virglrenderer-0.8.0/src/virgl_hw.h
@@ -424,6 +424,7 @@ enum virgl_ctx_errors {
VIRGL_ERROR_CTX_ILLEGAL_CMD_BUFFER,
VIRGL_ERROR_CTX_GLES_HAVE_TES_BUT_MISS_TCS,
VIRGL_ERROR_GL_ANY_SAMPLES_PASSED,
+ VIRGL_ERROR_CTX_ILLEGAL_FORMAT,
};
#define VIRGL_RESOURCE_Y_0_TOP (1 << 0)
Index: virglrenderer-virglrenderer-0.8.0/src/vrend_renderer.c
===================================================================
--- virglrenderer-virglrenderer-0.8.0.orig/src/vrend_renderer.c
+++ virglrenderer-virglrenderer-0.8.0/src/vrend_renderer.c
@@ -752,6 +752,7 @@ static const char *vrend_ctx_error_strin
[VIRGL_ERROR_CTX_ILLEGAL_CMD_BUFFER] = "Illegal command buffer",
[VIRGL_ERROR_CTX_GLES_HAVE_TES_BUT_MISS_TCS] = "On GLES context and shader
program has tesselation evaluation shader but no tesselation control shader",
[VIRGL_ERROR_GL_ANY_SAMPLES_PASSED] = "Query for ANY_SAMPLES_PASSED not
supported",
+ [VIRGL_ERROR_CTX_ILLEGAL_FORMAT] = "Illegal format ID",
};
static void __report_context_error(const char *fname, struct vrend_context
*ctx,
@@ -8378,6 +8379,16 @@ void vrend_renderer_blit(struct vrend_co
if (ctx->in_error)
return;
+ if (!info->src.format || (enum virgl_formats)info->src.format >=
VIRGL_FORMAT_MAX) {
+ report_context_error(ctx, VIRGL_ERROR_CTX_ILLEGAL_FORMAT,
info->src.format);
+ return;
+ }
+
+ if (!info->dst.format || (enum virgl_formats)info->dst.format >=
VIRGL_FORMAT_MAX) {
+ report_context_error(ctx, VIRGL_ERROR_CTX_ILLEGAL_FORMAT,
info->dst.format);
+ return;
+ }
+
if (info->render_condition_enable == false)
vrend_pause_render_condition(ctx, true);
++++++ 0004-cbc8d8b-vrend-check-transfer-bounds-for-negative-values-too-.patch
++++++
commit cbc8d8b75be360236cada63784046688aeb6d921
Author: Gert Wollny <gert.wol...@collabora.com>
Date: Tue Oct 8 16:51:11 2019 +0200
vrend: check transfer bounds for negative values too and report error
Closes #138
Signed-off-by: Gert Wollny <gert.wol...@collabora.com>
Reviewed-by: Emil Velikov <emil.veli...@collabora.com>
Index: virglrenderer-virglrenderer-0.8.0/src/virgl_hw.h
===================================================================
--- virglrenderer-virglrenderer-0.8.0.orig/src/virgl_hw.h
+++ virglrenderer-virglrenderer-0.8.0/src/virgl_hw.h
@@ -425,6 +425,7 @@ enum virgl_ctx_errors {
VIRGL_ERROR_CTX_GLES_HAVE_TES_BUT_MISS_TCS,
VIRGL_ERROR_GL_ANY_SAMPLES_PASSED,
VIRGL_ERROR_CTX_ILLEGAL_FORMAT,
+ VIRGL_ERROR_CTX_TRANSFER_IOV_BOUNDS
};
#define VIRGL_RESOURCE_Y_0_TOP (1 << 0)
Index: virglrenderer-virglrenderer-0.8.0/src/vrend_renderer.c
===================================================================
--- virglrenderer-virglrenderer-0.8.0.orig/src/vrend_renderer.c
+++ virglrenderer-virglrenderer-0.8.0/src/vrend_renderer.c
@@ -753,6 +753,7 @@ static const char *vrend_ctx_error_strin
[VIRGL_ERROR_CTX_GLES_HAVE_TES_BUT_MISS_TCS] = "On GLES context and shader
program has tesselation evaluation shader but no tesselation control shader",
[VIRGL_ERROR_GL_ANY_SAMPLES_PASSED] = "Query for ANY_SAMPLES_PASSED not
supported",
[VIRGL_ERROR_CTX_ILLEGAL_FORMAT] = "Illegal format ID",
+ [VIRGL_ERROR_CTX_TRANSFER_IOV_BOUNDS] = "IOV data size exceeds resource
capacity",
};
static void __report_context_error(const char *fname, struct vrend_context
*ctx,
@@ -6674,7 +6675,7 @@ static bool check_transfer_bounds(struct
return false;
/* these will catch bad y/z/w/d with 1D textures etc */
lwidth = u_minify(res->base.width0, info->level);
- if (info->box->width > lwidth)
+ if (info->box->width > lwidth || info->box->width < 0)
return false;
if (info->box->x > lwidth)
return false;
@@ -6682,7 +6683,7 @@ static bool check_transfer_bounds(struct
return false;
lheight = u_minify(res->base.height0, info->level);
- if (info->box->height > lheight)
+ if (info->box->height > lheight || info->box->height < 0)
return false;
if (info->box->y > lheight)
return false;
@@ -6691,7 +6692,7 @@ static bool check_transfer_bounds(struct
if (res->base.target == PIPE_TEXTURE_3D) {
int ldepth = u_minify(res->base.depth0, info->level);
- if (info->box->depth > ldepth)
+ if (info->box->depth > ldepth || info->box->depth < 0)
return false;
if (info->box->z > ldepth)
return false;
@@ -7442,11 +7443,15 @@ int vrend_renderer_transfer_iov(const st
return virgl_gbm_transfer(res->gbm_bo, transfer_mode, iov, num_iovs,
info);
#endif
- if (!check_transfer_bounds(res, info))
+ if (!check_transfer_bounds(res, info)) {
+ report_context_error(ctx, VIRGL_ERROR_CTX_TRANSFER_IOV_BOUNDS, res->id);
return EINVAL;
+ }
- if (!check_iov_bounds(res, info, iov, num_iovs))
+ if (!check_iov_bounds(res, info, iov, num_iovs)) {
+ report_context_error(ctx, VIRGL_ERROR_CTX_TRANSFER_IOV_BOUNDS, res->id);
return EINVAL;
+ }
if (info->context0) {
vrend_renderer_force_ctx_0();
++++++ 0005-2abeb18-vrend-check-that-the-transfer-iov-holds-enough-data-.patch
++++++
commit 2abeb1802e3c005b17a7123e382171b3fb665971
Author: Gert Wollny <gert.wol...@collabora.com>
Date: Tue Oct 8 17:27:01 2019 +0200
vrend: check that the transfer iov holds enough data for the data upload
Closes #140
Signed-off-by: Gert Wollny <gert.wol...@collabora.com>
Reviewed-by: Emil Velikov <emil.veli...@collabora.com>
Index: virglrenderer-virglrenderer-0.8.0/src/vrend_renderer.c
===================================================================
--- virglrenderer-virglrenderer-0.8.0.orig/src/vrend_renderer.c
+++ virglrenderer-virglrenderer-0.8.0/src/vrend_renderer.c
@@ -6877,15 +6877,22 @@ static int vrend_renderer_transfer_write
invert = true;
}
+ send_size = util_format_get_nblocks(res->base.format, info->box->width,
+ info->box->height) * elsize;
+ if (res->target == GL_TEXTURE_3D ||
+ res->target == GL_TEXTURE_2D_ARRAY ||
+ res->target == GL_TEXTURE_CUBE_MAP_ARRAY)
+ send_size *= info->box->depth;
+
if (need_temp) {
- send_size = util_format_get_nblocks(res->base.format,
info->box->width,
- info->box->height) * elsize *
info->box->depth;
data = malloc(send_size);
if (!data)
return ENOMEM;
read_transfer_data(iov, num_iovs, data, res->base.format,
info->offset,
stride, layer_stride, info->box, invert);
} else {
+ if (send_size > iov[0].iov_len - info->offset)
+ return EINVAL;
data = (char*)iov[0].iov_base + info->offset;
}
++++++ 0006-164d758-vrend-Add-an-assert-for-allocating-the-intermediate-.patch
++++++
commit 164d7587adc437dcc1cc9bdf843640ae450a96ff
Author: Gert Wollny <gert.wol...@collabora.com>
Date: Mon Oct 7 14:00:12 2019 +0200
vrend: Add an assert for allocating the intermediate texture
With the format checks introduced earlier the double free bug reported
in #139 should no longer be possible. Nevertheless, add an assert to
ensure that this is checked.
Closes #139
v2: Update NDEBUG_UNUSED to MAYBE_UNUSED
Signed-off-by: Gert Wollny <gert.wol...@collabora.com>
Reviewed-by: Emil Velikov <emil.veli...@collabora.com>
Index: virglrenderer-virglrenderer-0.8.0/src/vrend_renderer.c
===================================================================
--- virglrenderer-virglrenderer-0.8.0.orig/src/vrend_renderer.c
+++ virglrenderer-virglrenderer-0.8.0/src/vrend_renderer.c
@@ -8268,7 +8268,8 @@ static void vrend_renderer_blit_int(stru
args.array_size = src_res->base.array_size;
intermediate_copy = (struct vrend_resource
*)CALLOC_STRUCT(vrend_texture);
vrend_renderer_resource_copy_args(&args, intermediate_copy);
- vrend_renderer_resource_allocate_texture(intermediate_copy, NULL);
+ MAYBE_UNUSED int r =
vrend_renderer_resource_allocate_texture(intermediate_copy, NULL);
+ assert(!r);
glGenFramebuffers(1, &intermediate_fbo);
} else {
