Crash in libegl-mesa0 due to out of bound array access

Bug #1776499 reported by Yogish Kulkarni on 2018-06-12
This bug affects 1 person
Affects: mesa (Ubuntu); Importance: Undecided; Assigned to: Unassigned
Affects: Bionic; Importance: Undecided; Assigned to: Unassigned

Bug Description

Crash in libegl-mesa0 due to out of bound array access. The crash is fixed on the Mesa master branch with change: https://cgit.freedesktop.org/mesa/mesa/commit/?id=41642bdbca007035772fbfdc311f14daa5510d5d. This bug is a request to include this change in the Mesa upgrades in bionic.

Please let me know if this change needs to be backported to another branch so that the libegl-mesa0 upgrade in Bionic can pick up this change.

lsb_release -a
Distributor ID: Ubuntu
Description: Ubuntu 18.04 LTS
Release: 18.04
Codename: bionic

apt-cache policy libegl-mesa0
libegl-mesa0:
  Installed: 18.0.0~rc5-1ubuntu1
  Candidate: 18.0.0~rc5-1ubuntu1
  Version table:
 *** 18.0.0~rc5-1ubuntu1 500
        500 http://ports.ubuntu.com/ubuntu-ports bionic/main arm64 Packages
        100 /var/lib/dpkg/status

affects: libglvnd (Ubuntu) → mesa (Ubuntu)
Timo Aaltonen (tjaalton) wrote :

18.0.x series is done, this would need to be added as a distro patch

Yogish Kulkarni (yogishk) wrote :

Sorry, I couldn't understand what you mean by distro patch. Do you mean it needs to be applied as a patch over the current version of libegl-mesa0 in Bionic, and the libegl-mesa0 generated with this patch needs to come as an upgrade in Bionic (i.e. when I do apt-get upgrade)? Thanks!

Timo Aaltonen (tjaalton) wrote :

Yes. Problem is that bionic-proposed already has 18.0.5 staged for the 18.04.1 update, so adding more would delay getting that update.

Is there a way to reproduce this bug? How common is it? I'm wondering if it should be skipped for now and provided via backport from cosmic after 18.10 is released.

Yogish Kulkarni (yogishk) wrote :

The crash can be reproduced by a simple test application which does e.g.:
#include <EGL/egl.h>
int main(void)
{
   /* Look up a name that is not an EGL entry point. */
   eglGetProcAddress("egl148546488546404");
   return 0;
}

The problem is in the search algorithm used in mesa to look for the name passed to eglGetProcAddress. So the crash can be reproduced with other names as well. Please note that this bug has an effect even though the mesa driver is actually not being used. GLVND tries to load drivers from all vendors listed in "/usr/share/glvnd/egl_vendor.d/". As a workaround, "/usr/share/glvnd/egl_vendor.d/50_mesa.json" needs to be removed in order to use an EGL driver from other vendors, e.g. nvidia.
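The comment above says only that the fault is in the name search. As an added illustration (not Mesa's code, and not part of the original thread), the sketch below assumes a sorted name table and shows one way a hand-rolled binary search with unsigned indices runs off the array on a miss, next to a bsearch(3)-based lookup that cannot. The table contents and the names `find_naive_checked` and `find_safe` are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed, sorted sample table; not Mesa's real dispatch list. */
static const char *const NAMES[] = {
    "eglBindAPI", "eglCreateContext", "eglGetProcAddress", "eglSwapBuffers",
};
#define NAME_COUNT (sizeof(NAMES) / sizeof(NAMES[0]))

/* Closed-interval search with unsigned bounds (assumed failure mode).
 * For a name sorting before entry 0, `last = mid - 1` wraps to UINT_MAX.
 * Instrumented: returns -2 at the point where an unchecked version
 * would index past the table; -1 is an ordinary miss. */
static int find_naive_checked(const char *name)
{
    unsigned first = 0, last = NAME_COUNT - 1;
    while (first <= last) {
        unsigned mid = first + (last - first) / 2;
        if (mid >= NAME_COUNT)
            return -2;              /* out-of-bounds read would occur here */
        int c = strcmp(name, NAMES[mid]);
        if (c == 0)
            return (int)mid;
        if (c < 0)
            last = mid - 1;         /* wraps when mid == 0 */
        else
            first = mid + 1;
    }
    return -1;
}

static int cmp_name(const void *key, const void *elem)
{
    return strcmp((const char *)key, *(const char *const *)elem);
}

/* bsearch(3) never leaves the array; unknown names yield -1. */
static int find_safe(const char *name)
{
    const char *const *hit =
        bsearch(name, NAMES, NAME_COUNT, sizeof(NAMES[0]), cmp_name);
    return hit ? (int)(hit - NAMES) : -1;
}

int main(void)
{
    const char *probe = "egl148546488546404"; /* name from the report */
    printf("naive=%d safe=%d\n", find_naive_checked(probe), find_safe(probe));
    return 0;
}
```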

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mesa - 18.1.1-1ubuntu1

---------------
mesa (18.1.1-1ubuntu1) cosmic; urgency=medium

  * Merge from Debian.
  * glvnd-fix-a-segfault-in-eglgetprocaddess.diff: Backport a commit to
    fix a segfault. (LP: #1776499)

 -- Timo Aaltonen <email address hidden> Wed, 13 Jun 2018 12:10:21 +0300

Changed in mesa (Ubuntu):
status: New → Fix Released