[OE-core] [PATCH][zeus] virglrenderer : fix CVE-2019-18388

Lee, Chee Yang chee.yang.lee at intel.com
Fri Mar 20 11:21:27 UTC 2020


Please ignore this patch, it is causing compilation error.

-----Original Message-----
From: openembedded-core-bounces at lists.openembedded.org <openembedded-core-bounces at lists.openembedded.org> On Behalf Of chee.yang.lee at intel.com
Sent: Friday, March 20, 2020 4:07 PM
To: openembedded-core at lists.openembedded.org
Subject: [OE-core] [PATCH][zeus] virglrenderer : fix CVE-2019-18388

From: Chee Yang Lee <chee.yang.lee at intel.com>

Signed-off-by: Chee Yang Lee <chee.yang.lee at intel.com>
---
 .../virglrenderer/CVE-2019-18388.patch             | 141 +++++++++++++++++++++
 .../virglrenderer/virglrenderer_0.8.0.bb           |   3 +-
 2 files changed, 143 insertions(+), 1 deletion(-)  create mode 100644 meta/recipes-graphics/virglrenderer/virglrenderer/CVE-2019-18388.patch

diff --git a/meta/recipes-graphics/virglrenderer/virglrenderer/CVE-2019-18388.patch b/meta/recipes-graphics/virglrenderer/virglrenderer/CVE-2019-18388.patch
new file mode 100644
index 0000000..43563e4
--- /dev/null
+++ b/meta/recipes-graphics/virglrenderer/virglrenderer/CVE-2019-18388.p
+++ atch
@@ -0,0 +1,141 @@
+From 0d9a2c88dc3a70023541b3260b9f00c982abda16 Mon Sep 17 00:00:00 2001
+From: Gert Wollny <gert.wollny at collabora.com>
+Date: Thu, 10 Oct 2019 09:42:25 +0200
+Subject: [PATCH] vrend: Check resource creation more thoroughly
+
+While we are at it:
+  - free memory if texture allocation fails
+
+Closes #144
+Closes #145
+Closes #146
+
+v2: Move the error string creation to extra patch (Emil)
+v3: Fix whitespace errors (Emil) and one logic error
+
+Signed-off-by: Gert Wollny <gert.wollny at collabora.com>
+Reviewed-by: Emil Velikov <emil.velikov at collabora.com>
+
+Upstream-Status: Backport 
+[https://gitlab.freedesktop.org/virgl/virglrenderer/commit/0d9a2c88dc3a
+70023541b3260b9f00c982abda16]
+CVE: CVE-2019-18388
+Signed-off-by: Lee Chee Yang <chee.yang.lee at intel.com>
+
+
+---
+ src/vrend_renderer.c | 58 ++++++++++++++++++++++++++++++++++++++++++--
+ 1 file changed, 56 insertions(+), 2 deletions(-)
+
+diff --git a/src/vrend_renderer.c b/src/vrend_renderer.c index 
+0c6b5efd..1fb657b7 100644
+--- a/src/vrend_renderer.c
++++ b/src/vrend_renderer.c
+@@ -6044,6 +6044,8 @@ static int check_resource_valid(struct 
+vrend_renderer_resource_create_args *args
+ 
+    if (args->format >= VIRGL_FORMAT_MAX)
+       return -1;
++   bool format_can_texture_storage = has_feature(feat_texture_storage) &&
++         (tex_conv_table[args->format].flags & 
++ VIRGL_TEXTURE_CAN_TEXTURE_STORAGE);
+ 
+    /* only texture 2d and 2d array can have multiple samples */
+    if (args->nr_samples > 0) {
+@@ -6061,15 +6063,18 @@ static int check_resource_valid(struct vrend_renderer_resource_create_args *args
+       /* buffer and rect textures can't have mipmaps */
+       if (args->target == PIPE_BUFFER || args->target == PIPE_TEXTURE_RECT)
+          return -1;
++
+       if (args->last_level > (floor(log2(MAX2(args->width, args->height))) + 1))
+          return -1;
+    }
++
+    if (args->flags != 0 && args->flags != VIRGL_RESOURCE_Y_0_TOP)
+       return -1;
+ 
+-   if (args->flags & VIRGL_RESOURCE_Y_0_TOP)
++   if (args->flags & VIRGL_RESOURCE_Y_0_TOP) {
+       if (args->target != PIPE_TEXTURE_2D && args->target != PIPE_TEXTURE_RECT)
+          return -1;
++   }
+ 
+    /* array size for array textures only */
+    if (args->target == PIPE_TEXTURE_CUBE) { @@ -6088,6 +6093,9 @@ 
+static int check_resource_valid(struct vrend_renderer_resource_create_args *args
+       if (!has_feature(feat_texture_array))
+          return -1;
+    }
++   if (format_can_texture_storage && !args->width) {
++      return -1;
++   }
+ 
+    if (args->bind == 0 ||
+        args->bind == VIRGL_BIND_CUSTOM || @@ -6124,11 +6132,55 @@ 
+static int check_resource_valid(struct vrend_renderer_resource_create_args *args
+           args->target == PIPE_TEXTURE_CUBE_ARRAY) {
+          if (args->depth != 1)
+             return -1;
++         if (format_can_texture_storage && !args->height) {
++            return -1;
++         }
+       }
+       if (args->target == PIPE_TEXTURE_1D ||
+           args->target == PIPE_TEXTURE_1D_ARRAY) {
+          if (args->height != 1 || args->depth != 1)
+             return -1;
++         if (args->width > vrend_state.max_texture_2d_size) {
++            return -1;
++         }
++      }
++
++      if (args->target == PIPE_TEXTURE_2D ||
++          args->target == PIPE_TEXTURE_RECT ||
++          args->target == PIPE_TEXTURE_2D_ARRAY) {
++         if (args->width > vrend_state.max_texture_2d_size ||
++             args->height > vrend_state.max_texture_2d_size) {
++            return -1;
++         }
++      }
++
++      if (args->target == PIPE_TEXTURE_3D) {
++         if (format_can_texture_storage &&
++             (!args->height || !args->depth)) {
++            return -1;
++         }
++         if (args->width > vrend_state.max_texture_3d_size ||
++             args->height > vrend_state.max_texture_3d_size ||
++             args->depth > vrend_state.max_texture_3d_size) {
++            return -1;
++         }
++      }
++      if (args->target == PIPE_TEXTURE_2D_ARRAY ||
++          args->target == PIPE_TEXTURE_CUBE_ARRAY ||
++          args->target == PIPE_TEXTURE_1D_ARRAY) {
++         if (format_can_texture_storage &&
++             !args->array_size) {
++            return -1;
++         }
++      }
++      if (args->target == PIPE_TEXTURE_CUBE ||
++          args->target == PIPE_TEXTURE_CUBE_ARRAY) {
++         if (args->width != args->height) {
++            return -1;
++         }
++         if (args->width > vrend_state.max_texture_cube_size) {
++            return -1;
++         }
+       }
+    }
+    return 0;
+@@ -6458,8 +6510,10 @@ int vrend_renderer_resource_create(struct vrend_renderer_resource_create_args *a
+       vrend_create_buffer(gr, args->width);
+    } else {
+       int r = vrend_renderer_resource_allocate_texture(gr, image_oes);
+-      if (r)
++      if (r) {
++         FREE(gr);
+          return r;
++      }
+    }
+ 
+    ret = vrend_resource_insert(gr, args->handle);
+--
+2.24.1
+
diff --git a/meta/recipes-graphics/virglrenderer/virglrenderer_0.8.0.bb b/meta/recipes-graphics/virglrenderer/virglrenderer_0.8.0.bb
index e91ccc6..0480d90 100644
--- a/meta/recipes-graphics/virglrenderer/virglrenderer_0.8.0.bb
+++ b/meta/recipes-graphics/virglrenderer/virglrenderer_0.8.0.bb
@@ -11,7 +11,8 @@ SRC_URI = "git://anongit.freedesktop.org/virglrenderer \
            file://CVE-2019-18390.patch \
            file://CVE-2019-18391.patch \
            file://CVE-2020-8002.patch  \
-           "
+           file://CVE-2019-18388.patch \ "
 
 S = "${WORKDIR}/git"
 
--
2.7.4

--
_______________________________________________
Openembedded-core mailing list
Openembedded-core at lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core


More information about the Openembedded-core mailing list