Integer underflow in the vrend_decode_set_shader_images() on virglrenderer
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
virglrenderer (Ubuntu) | New | Undecided | Unassigned |
Bug Description
Env
===
Description: Ubuntu 20.04.3 LTS
Release: 20.04
Package
=======
virglrenderer
Vulnerability
=============
There is an integer underflow bug in the vrend_decode_
can be used to bypass the checking and leads to an OOB write.
-------
virgl_renderer_
|
|-> vrend_decode_
|
| VIRGL_CCMD_
|
|-> vrend_decode_
|
| /**
| * When the num_images is larger than PIPE_MAX_
| * we can obey the checking. The value of PIPE_MAX_
| * is 32, if num_images is 33, the result of sub is -1. However,
| * the type of num_images and start_slot is uint, -1 is bigger than
| * start_slot, and it's ok.
| */
|
| if (start_slot > PIPE_MAX_
| start_slot > PIPE_MAX_
|
| /* OOB write */
| for (uint32_t i = 0; i < num_images; i++)
| vrend_set_
-------
The start_slot+i is larger than the PIPE_MAX_
-------
void vrend_set_
                     uint32_t shader_type,
                     uint32_t index,
                     uint32_t format, uint32_t access,
                     uint32_t layer_offset, uint32_t level_size,
                     uint32_t handle)
{
   struct vrend_image_view *iview = &ctx->sub-
   if (handle) {
      if (!has_feature(
         return;

      res = vrend_renderer_
      if (!res) {
         report_
         return;
      }
      iview->texture = res; // oob write
      iview->format = tex_conv_
      iview->access = access;
      iview->u.buf.offset = layer_offset;
      iview->u.buf.size = level_size;
      ctx->sub-
   } else {
-------
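Added example, not code from the report or from virglrenderer: the bounds check as quoted above next to a wrap-safe version, so the underflow can be seen in isolation. MAX_SLOTS stands in for the truncated PIPE_MAX_ constant (the report gives its value as 32), and the function names are my own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Placeholder for the truncated PIPE_MAX_ constant; the report says it is 32. */
#define MAX_SLOTS 32u

/* Mirrors the check quoted in the report. Returns true when the request is
 * rejected. With num_images > MAX_SLOTS the unsigned subtraction wraps to a
 * huge uint32_t, so start_slot is never "greater" and the request is accepted. */
static bool rejects_original(uint32_t start_slot, uint32_t num_images)
{
    return start_slot > MAX_SLOTS ||
           start_slot > MAX_SLOTS - num_images;   /* wraps when num_images > MAX_SLOTS */
}

/* Wrap-safe form: bound the count before it ever enters a subtraction, then
 * the remaining check cannot underflow. start_slot + num_images == MAX_SLOTS
 * is still allowed, since the loop touches indices up to start_slot+num_images-1. */
static bool rejects_fixed(uint32_t start_slot, uint32_t num_images)
{
    if (num_images > MAX_SLOTS)
        return true;                             /* rejected before subtracting */
    return start_slot > MAX_SLOTS - num_images;  /* no wrap possible here */
}

/* Last index the decode loop would write for an accepted request. */
static uint32_t last_index(uint32_t start_slot, uint32_t num_images)
{
    return num_images == 0 ? start_slot : start_slot + num_images - 1;
}

int main(void)
{
    /* Constructed inputs: the report's case (0, 33), a boundary case and a large count. */
    const uint32_t cases[][2] = { {0, 32}, {0, 33}, {1, 32}, {0, 0xFFFFFFFFu} };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        uint32_t s = cases[i][0], n = cases[i][1];
        printf("start_slot=%u num_images=%u original=%s fixed=%s last_index=%u\n",
               s, n, rejects_original(s, n) ? "reject" : "accept",
               rejects_fixed(s, n) ? "reject" : "accept", last_index(s, n));
    }
    return 0;
}
```

The row for (0, 33) shows the original check accepting a request whose last index is 32, one past the 32-entry array; the fixed check rejects it.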
Hi,
Have you reported this issue to the virglrenderer developers?
If not, please report it to them. The bug tracker is here:
https://gitlab.freedesktop.org/virgl/virglrenderer/-/issues
Once you have done that, please let us know the bug number and once a fix is available we will package it for Ubuntu.
Thanks!