vrend: Add test to resource OOB write and fix it (CVE-2022-0135)

2022-08-27 17:47:38 +08:00 · 2022-08-27 17:47:38 +08:00 · a162182b68
commit a162182b68
parent 03bf1a3b79
2 changed files with 38 additions and 1 deletions
--- a/backport-CVE-2022-0135.patch
+++ b/backport-CVE-2022-0135.patch
@ -0,0 +1,33 @@
+From 95e581fd181b213c2ed7cdc63f2abc03eaaa77ec Mon Sep 17 00:00:00 2001
+From: Gert Wollny <gert.wollny@collabora.com>
+Date: Tue, 30 Nov 2021 10:17:26 +0100
+Subject: [PATCH] vrend: Add test to resource OOB write and fix it
+
+v2: Also check that no depth != 1 has been send when none is due
+
+Closes: #250
+Signed-off-by: Gert Wollny <gert.wollny@collabora.com>
+Reviewed-by: Chia-I Wu <olvaffe@gmail.com>
+---
+ src/vrend_renderer.c        |  3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/vrend_renderer.c b/src/vrend_renderer.c
+index 28f6697..357b81b 100644
+--- a/src/vrend_renderer.c
+++ b/src/vrend_renderer.c
+@@ -7833,8 +7833,11 @@ static int vrend_renderer_transfer_write_iov(struct vrend_context *ctx,
+                                           info->box->height) * elsize;
+       if (res->target == GL_TEXTURE_3D ||
+           res->target == GL_TEXTURE_2D_ARRAY ||
+          res->target == GL_TEXTURE_2D_MULTISAMPLE_ARRAY ||
+           res->target == GL_TEXTURE_CUBE_MAP_ARRAY)
+           send_size *= info->box->depth;
+      else if (need_temp && info->box->depth != 1)
+         return EINVAL;
+ 
+       if (need_temp) {
+          data = malloc(send_size);
+-- 
+2.27.0
+
--- a/virglrenderer.spec
+++ b/virglrenderer.spec
@ -1,6 +1,6 @@
 Name:		virglrenderer
 Version:	0.7.0
-Release:	4
+Release:	5
 Summary:	VirGL virtual OpenGL renderer
 License:	MIT
 URL: https://virgil3d.github.io
@ -15,6 +15,7 @@ Patch4:  backport-CVE-2019-18388.patch
 Patch5:  backport-CVE-2020-8002.patch
 Patch6:  backport-CVE-2020-8003.patch
 Patch7:  backport-CVE-2022-0175.patch
+Patch8:  backport-CVE-2022-0135.patch

 BuildRequires:	autoconf
 BuildRequires:	automake
@ -69,6 +70,9 @@ rm -rf %{buildroot}%{_bindir}/virgl_test_server
 %{_libdir}/pkgconfig/*.pc

 %changelog
+* Sat Aug 27 2022 yezengruan <yezengruan@huawei.com> - 0.7.0-5
+- vrend: Add test to resource OOB write and fix it (CVE-2022-0135)
+
 * Wed Jul 06 2022 yezengruan <yezengruan@huawei.com> - 0.7.0-4
 - vrend: clear memory when allocating a host-backed memory resource (CVE-2022-0175)