Hello community,

here is the log from the commit of package virglrenderer for openSUSE:Factory checked in at 2020-02-09 21:02:13
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/virglrenderer (Old)
 and      /work/SRC/openSUSE:Factory/.virglrenderer.new.26092 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "virglrenderer" Sun Feb 9 21:02:13 2020 rev:10 rq:770051 version:0.8.1 Changes: -------- --- /work/SRC/openSUSE:Factory/virglrenderer/virglrenderer.changes 2020-01-12 23:15:34.046620480 +0100 +++ /work/SRC/openSUSE:Factory/.virglrenderer.new.26092/virglrenderer.changes 2020-02-09 21:02:26.527354391 +0100 @@ -1,0 +2,14 @@ +Tue Feb 4 15:46:04 UTC 2020 - Bruce Rogers <brog...@suse.com> + +- Avoid potential DoS in texture allocation (CVE-2020-8003 + boo#1162521) + vrend-Don-t-free-resource-struct-in-_resource_alloca.patch +- Avoid potential DoS if grid launched without prior Compute Shader + (CVE-2020-8002 boo#1162519) + vrend-Don-t-try-launching-a-grid-if-no-CS-is-availab.patch +- Avoid deleting wrong object, in use by others + vrend-Use-the-original-context-to-delete-objects.patch +- Avoid potential use after free when deleting context + vrend-Don-t-switch-to-ctx0-when-deleting-ctx0.patch + +------------------------------------------------------------------- New: ---- vrend-Don-t-free-resource-struct-in-_resource_alloca.patch vrend-Don-t-switch-to-ctx0-when-deleting-ctx0.patch vrend-Don-t-try-launching-a-grid-if-no-CS-is-availab.patch vrend-Use-the-original-context-to-delete-objects.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ virglrenderer.spec ++++++ --- /var/tmp/diff_new_pack.YJxjXr/_old 2020-02-09 21:02:30.923356885 +0100 +++ /var/tmp/diff_new_pack.YJxjXr/_new 2020-02-09 21:02:30.963356908 +0100 
@@ -25,6 +25,12 @@ Group: Development/Libraries/C and C++ URL: https://virgil3d.github.io/ Source0: https://gitlab.freedesktop.org/virgl/%{name}/-/archive/%{name}-%{version}/%{name}-%{name}-%{version}.tar.gz + +Patch0001: vrend-Don-t-free-resource-struct-in-_resource_alloca.patch +Patch0002: vrend-Don-t-try-launching-a-grid-if-no-CS-is-availab.patch +Patch0003: vrend-Use-the-original-context-to-delete-objects.patch +Patch0004: vrend-Don-t-switch-to-ctx0-when-deleting-ctx0.patch + BuildRequires: Mesa-devel BuildRequires: meson >= 0.46 BuildRequires: pkgconfig >= 0.9.0 @@ -70,6 +76,10 @@ %prep %setup -q -n %{name}-%{name}-%{version} +%patch0001 -p1 +%patch0002 -p1 +%patch0003 -p1 +%patch0004 -p1 %build %meson ++++++ vrend-Don-t-free-resource-struct-in-_resource_alloca.patch ++++++ From: Gert Wollny <gert.wol...@collabora.com> Date: Mon, 13 Jan 2020 10:03:19 +0100 Subject: [PATCH] vrend: Don't free resource struct in _resource_allocate_texture Git-commit: 522b610a826f6de58c560cbb38fa8dfc65ae3c42 References: boo#1162521, CVE-2020-8003 The structure is allocated outside this function and also deleted there if texture creation failes or it is asserted that it doesn't fail for intermediate blitting textures. Therefore, don't free the struct inside this function when allocation fails. Closes #154 Signed-off-by: Gert Wollny <gert.wol...@collabora.com> Signed-off-by: Bruce Rogers <brog...@suse.com> --- src/vrend_renderer.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/src/vrend_renderer.c b/src/vrend_renderer.c index edc195f..a054bad 100644 --- a/src/vrend_renderer.c +++ b/src/vrend_renderer.c @@ -6460,7 +6460,6 @@ static int vrend_renderer_resource_allocate_texture(struct vrend_resource *gr, } else { vrend_printf( "missing GL_OES_EGL_image_external extensions\n"); glBindTexture(gr->target, 0); - FREE(gr); return EINVAL; } } else { 
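Review bot: the Patch0003/Patch0004 order in the %prep hunk is load-bearing and deserves a comment in the spec. The ctx0 patch (index db82a8c..6d24363) expects vrend_renderer_force_ctx_0() to sit after the LIST_FOR_EACH_ENTRY_SAFE loop, which is where the delete-objects patch (index e381816..db82a8c) moves it, so swapping the two would make %patch0004 fail to apply; likewise the grid patch (a054bad..2280fc4) is generated on top of the resource patch (edc195f..a054bad). A one-line comment above "Patch0001:" saying that the four patches are an ordered upstream backport series would save the next maintainer a rebase surprise.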
@@ -6471,7 +6470,6 @@ static int vrend_renderer_resource_allocate_texture(struct vrend_resource *gr, if (internalformat == 0) { vrend_printf("unknown format is %d\n", pr->format); glBindTexture(gr->target, 0); - FREE(gt); return EINVAL; } -- 2.25.0 ++++++ vrend-Don-t-switch-to-ctx0-when-deleting-ctx0.patch ++++++ From: Lepton Wu <lep...@chromium.org> Date: Wed, 29 Jan 2020 14:26:16 -0800 Subject: [PATCH] vrend: Don't switch to ctx0 when deleting ctx0 Git-commit: 039baad8cd600f4f4e35389b10c1196f742d0fa0 This causes use after free. Signed-off-by: Lepton Wu <lep...@chromium.org> Reviewed-by: David Riley <davidri...@chromium.org> Signed-off-by: Bruce Rogers <brog...@suse.com> --- src/vrend_renderer.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/vrend_renderer.c b/src/vrend_renderer.c index db82a8c..6d24363 100644 --- a/src/vrend_renderer.c +++ b/src/vrend_renderer.c @@ -5972,7 +5972,8 @@ bool vrend_destroy_context(struct vrend_context *ctx) LIST_FOR_EACH_ENTRY_SAFE(sub, tmp, &ctx->sub_ctxs, head) vrend_destroy_sub_context(sub); - vrend_renderer_force_ctx_0(); + if(ctx->ctx_id) + vrend_renderer_force_ctx_0(); vrend_object_fini_ctx_table(ctx->res_hash); -- 2.25.0 ++++++ vrend-Don-t-try-launching-a-grid-if-no-CS-is-availab.patch ++++++ From: Gert Wollny <gert.wol...@collabora.com> Date: Wed, 15 Jan 2020 13:43:58 +0100 Subject: [PATCH] vrend: Don't try launching a grid if no CS is available Git-commit: 63bcca251f093d83da7e290ab4bbd38ae69089b5 References: boo#1162519, CVE-2020-8002 Closes #155 Signed-off-by: Gert Wollny <gert.wol...@collabora.com> Reviewed-by: Gurchetan Singh <gurchetansi...@chromium.org> Signed-off-by: Bruce Rogers <brog...@suse.com> --- src/vrend_renderer.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/src/vrend_renderer.c b/src/vrend_renderer.c index a054bad..2280fc4 100644 --- a/src/vrend_renderer.c +++ b/src/vrend_renderer.c 
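Review bot: the two hunks in vrend_renderer_resource_allocate_texture remove FREE(gr) and FREE(gt) respectively, so the reviewer should confirm that gt refers to the same allocation as gr (the commit message speaks of a single structure owned by the caller) and that no other early "return EINVAL" path in the function still frees it, otherwise one double free would be left behind. The message also leans on an assertion for the intermediate blitting-texture path: with asserts compiled out, a failure there now leaks gr instead of freeing it twice, which is the right trade for a guest-reachable path (CVE-2020-8003), but saying so explicitly in the message would help anyone auditing the fix.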
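Review bot: the new guard "if(ctx->ctx_id)" in vrend_destroy_context should follow the file's spacing ("if (ctx->ctx_id)", as in "if (sub->fb_id)" and "if (tofree)" in the sibling patches) and carry an inline comment, because the intent is not visible from the line alone: per the subject, switching to ctx0 while ctx0 itself is the context being destroyed is what triggers the use after free. The commit message ("This causes use after free.") would also benefit from naming that scenario; without it a later reader cannot tell whether the guard is the fix or a workaround.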
@@ -4604,6 +4604,13 @@ void vrend_launch_grid(struct vrend_context *ctx, } ctx->sub->shader_dirty = true; } + + if (!ctx->sub->prog) { + vrend_printf("%s: Skipping compute shader execution due to missing shaders: %s\n", + __func__, ctx->debug_name); + return; + } + vrend_use_program(ctx, ctx->sub->prog->id); vrend_draw_bind_ubo_shader(ctx, PIPE_SHADER_COMPUTE, 0); -- 2.25.0 ++++++ vrend-Use-the-original-context-to-delete-objects.patch ++++++ From: Lepton Wu <lep...@chromium.org> Date: Thu, 23 Jan 2020 00:59:09 -0800 Subject: [PATCH] vrend: Use the original context to delete objects. Git-commit: 845bc4889b2398921aee2fd62b883cddd1a1ac19 Container objects like framebuffers are not shared between contexts and we have to delete them in the original context. Otherwise we could delete wrong objects which is in using by others. Signed-off-by: Lepton Wu <lep...@chromium.org> Reviewed-by: Gert Wollny <gert.wol...@collabora.com> Signed-off-by: Bruce Rogers <brog...@suse.com> --- src/vrend_renderer.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/vrend_renderer.c b/src/vrend_renderer.c index e381816..db82a8c 100644 --- a/src/vrend_renderer.c +++ b/src/vrend_renderer.c @@ -5873,6 +5873,8 @@ static void vrend_destroy_sub_context(struct vrend_sub_context *sub) int i, j; struct vrend_streamout_object *obj, *tmp; + vrend_clicbs->make_current(sub->gl_context); + if (sub->fb_id) glDeleteFramebuffers(1, &sub->fb_id); @@ -5968,9 +5970,9 @@ bool vrend_destroy_context(struct vrend_context *ctx) vrend_set_index_buffer(ctx, 0, 0, 0); - vrend_renderer_force_ctx_0(); LIST_FOR_EACH_ENTRY_SAFE(sub, tmp, &ctx->sub_ctxs, head) vrend_destroy_sub_context(sub); + vrend_renderer_force_ctx_0(); vrend_object_fini_ctx_table(ctx->res_hash); 
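Review bot: the early return added to vrend_launch_grid logs through vrend_printf on every invocation, and this path is driven by guest-submitted commands (the changelog files it as a DoS, CVE-2020-8002), so a guest that repeatedly launches a grid without a compute shader bound can now fill the host log instead of crashing the renderer. Consider rate-limiting the message or making it a debug-level print. Also note that when the preceding block has set ctx->sub->shader_dirty = true, the flag stays armed across the early return, which looks intended but is worth a short comment at the new check.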
@@ -10203,9 +10205,9 @@ void vrend_renderer_destroy_sub_ctx(struct vrend_context *ctx, int sub_ctx_id) if (tofree) { if (ctx->sub == tofree) { ctx->sub = ctx->sub0; - vrend_clicbs->make_current(ctx->sub->gl_context); } vrend_destroy_sub_context(tofree); + vrend_clicbs->make_current(ctx->sub->gl_context); } } -- 2.25.0
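Review bot: the vrend_clicbs->make_current(sub->gl_context) added at the top of vrend_destroy_sub_context is the core of the fix (the commit message states that container objects such as framebuffers are not shared between contexts) and deserves an inline comment saying so, because a later cleanup that hoists context switching back to the callers would silently reintroduce the wrong-object deletion. It also changes the function's postcondition: it now returns with sub->gl_context current rather than whatever was current before, which is why the second hunk moves vrend_renderer_force_ctx_0() after the loop in vrend_destroy_context; documenting that contract above the function would make the coupling explicit.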
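Review bot: in vrend_renderer_destroy_sub_ctx the make_current(ctx->sub->gl_context) call moves from inside "if (ctx->sub == tofree)" to after vrend_destroy_sub_context(tofree), so it now runs on every deletion, not only when the current sub-context is the one being removed. That is correct given that vrend_destroy_sub_context now switches contexts itself, but the behaviour change is not mentioned in the commit message; a sentence there, plus a test that deletes a non-current sub-context and then issues a draw on the still-current one, would pin it down.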