!19 [sync] PR-15: vrend: clear memory when allocating a host-backed memory resource (CVE-2022-0175)
From: @openeuler-sync-bot Reviewed-by: @yezengruan Signed-off-by: @yezengruan
This commit is contained in:
openeuler-ci-bot
Gitee
commit
03bf1a3b79
99
backport-CVE-2022-0175.patch
Normal file
99
backport-CVE-2022-0175.patch
Normal file
@ -0,0 +1,99 @@
|
||||
From 723603bb2ec9ebf38a95612d99ca16bd37bcdf24 Mon Sep 17 00:00:00 2001
|
||||
From: Gert Wollny <gert.wollny@collabora.com>
|
||||
Date: Tue, 30 Nov 2021 09:29:42 +0100
|
||||
Subject: [PATCH] vrend: clear memory when allocating a host-backed memory
|
||||
resource
|
||||
|
||||
Closes: #249
|
||||
Signed-off-by: Gert Wollny <gert.wollny@collabora.com>
|
||||
Reviewed-by: Chia-I Wu <olvaffe@gmail.com>
|
||||
---
|
||||
src/vrend_renderer.c | 2 +-
|
||||
tests/test_virgl_transfer.c | 51 +++++++++++++++++++++++++++++++++++++
|
||||
2 files changed, 52 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/vrend_renderer.c b/src/vrend_renderer.c
|
||||
index e66cc05..1285757 100644
|
||||
--- a/src/vrend_renderer.c
|
||||
+++ b/src/vrend_renderer.c
|
||||
@@ -5813,7 +5813,7 @@ int vrend_renderer_resource_create(struct vrend_renderer_resource_create_args *a
|
||||
|
||||
if (args->bind == VIRGL_BIND_CUSTOM) {
|
||||
/* custom should only be for buffers */
|
||||
- gr->ptr = malloc(args->width);
|
||||
+ gr->ptr = calloc(1, args->width);
|
||||
if (!gr->ptr) {
|
||||
FREE(gr);
|
||||
return ENOMEM;
|
||||
diff --git a/tests/test_virgl_transfer.c b/tests/test_virgl_transfer.c
|
||||
index 2bd2cc7..5c18ad6 100644
|
||||
--- a/tests/test_virgl_transfer.c
|
||||
+++ b/tests/test_virgl_transfer.c
|
||||
@@ -727,6 +727,56 @@ START_TEST(virgl_test_transfer_inline_valid_large)
|
||||
}
|
||||
END_TEST
|
||||
|
||||
+START_TEST(test_vrend_host_backed_memory_no_data_leak)
|
||||
+{
|
||||
+ struct iovec iovs[1];
|
||||
+ int niovs = 1;
|
||||
+
|
||||
+ struct virgl_context ctx = {0};
|
||||
+
|
||||
+ int ret = testvirgl_init_ctx_cmdbuf(&ctx);
|
||||
+
|
||||
+ struct virgl_renderer_resource_create_args res;
|
||||
+ res.handle = 0x400;
|
||||
+ res.target = PIPE_BUFFER;
|
||||
+ res.format = VIRGL_FORMAT_R8_UNORM;
|
||||
+ res.nr_samples = 0;
|
||||
+ res.last_level = 0;
|
||||
+ res.array_size = 1;
|
||||
+ res.bind = VIRGL_BIND_CUSTOM;
|
||||
+ res.depth = 1;
|
||||
+ res.width = 32;
|
||||
+ res.height = 1;
|
||||
+ res.flags = 0;
|
||||
+
|
||||
+ uint32_t size = 32;
|
||||
+ uint8_t* data = calloc(1, size);
|
||||
+ memset(data, 1, 32);
|
||||
+ iovs[0].iov_base = data;
|
||||
+ iovs[0].iov_len = size;
|
||||
+
|
||||
+ struct pipe_box box = {0,0,0, size, 1,1};
|
||||
+
|
||||
+ virgl_renderer_resource_create(&res, NULL, 0);
|
||||
+ virgl_renderer_ctx_attach_resource(ctx.ctx_id, res.handle);
|
||||
+
|
||||
+ ret = virgl_renderer_transfer_read_iov(res.handle, ctx.ctx_id, 0, 0, 0,
|
||||
+ (struct virgl_box *)&box, 0, iovs, niovs);
|
||||
+
|
||||
+ ck_assert_int_eq(ret, 0);
|
||||
+
|
||||
+ for (int i = 0; i < 32; ++i)
|
||||
+ ck_assert_int_eq(data[i], 0);
|
||||
+
|
||||
+ virgl_renderer_ctx_detach_resource(1, res.handle);
|
||||
+
|
||||
+ virgl_renderer_resource_unref(res.handle);
|
||||
+ free(data);
|
||||
+
|
||||
+}
|
||||
+END_TEST
|
||||
+
|
||||
+
|
||||
static Suite *virgl_init_suite(void)
|
||||
{
|
||||
Suite *s;
|
||||
@@ -757,6 +807,7 @@ static Suite *virgl_init_suite(void)
|
||||
tcase_add_test(tc_core, virgl_test_transfer_2d_array_bad_layer_stride);
|
||||
tcase_add_test(tc_core, virgl_test_transfer_2d_bad_level);
|
||||
tcase_add_test(tc_core, virgl_test_transfer_2d_bad_stride);
|
||||
+ tcase_add_test(tc_core, test_vrend_host_backed_memory_no_data_leak);
|
||||
|
||||
tcase_add_loop_test(tc_core, virgl_test_transfer_res_read_valid, 0, PIPE_MAX_TEXTURE_TYPES);
|
||||
tcase_add_loop_test(tc_core, virgl_test_transfer_res_write_valid, 0, PIPE_MAX_TEXTURE_TYPES);
|
||||
--
|
||||
2.27.0
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
Name: virglrenderer
|
||||
Version: 0.7.0
|
||||
Release: 3
|
||||
Release: 4
|
||||
Summary: VirGL virtual OpenGL renderer
|
||||
License: MIT
|
||||
URL: https://virgil3d.github.io
|
||||
@ -14,6 +14,7 @@ Patch3: backport-vrend-Keep-the-max-texture-sizes-in-the-vrend_state.patch
|
||||
Patch4: backport-CVE-2019-18388.patch
|
||||
Patch5: backport-CVE-2020-8002.patch
|
||||
Patch6: backport-CVE-2020-8003.patch
|
||||
Patch7: backport-CVE-2022-0175.patch
|
||||
|
||||
BuildRequires: autoconf
|
||||
BuildRequires: automake
|
||||
@ -68,6 +69,9 @@ rm -rf %{buildroot}%{_bindir}/virgl_test_server
|
||||
%{_libdir}/pkgconfig/*.pc
|
||||
|
||||
%changelog
|
||||
* Wed Jul 06 2022 yezengruan <yezengruan@huawei.com> - 0.7.0-4
|
||||
- vrend: clear memory when allocating a host-backed memory resource (CVE-2022-0175)
|
||||
|
||||
* Tue Mar 1 2022 AlexChen <alex.chen@huawei.com> - 0.7.0-3
|
||||
- Fix CVE-2020-8002 CVE-2020-8003
|
||||
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user