Comment 6 for bug 1950940

Jun Yao (2freeman) wrote : Re: [Bug 1950940] Re: Integer underflow in the vrend_decode_set_shader_images() on virglrenderer

Hi,

> Issue 251 is not open upstream, but it looks like this was addressed in
> https://gitlab.freedesktop.org/virgl/virglrenderer/-/commit/2aed5d419722a0d9fbd17be9c7a1147e22b681de
> along with a couple of other security fixes in
> https://gitlab.freedesktop.org/virgl/virglrenderer/-/merge_requests/654
> . It does not look like these fixes have landed in a release yet upstream.

These two problems had been reported to the upstream, and they have been
fixed. As they are security problems, I marked the issues confidential, and
they are not visible to others.

> Jun Yao, was a CVE ever assigned for this issue?

There are no CVEs assigned for these two issues.

Thanks,
Jun Yao

Steve Beattie <email address hidden> wrote on Tue, 12 Apr 2022 at 14:51:

> Issue 251 is not open upstream, but it looks like this was addressed in
>
> https://gitlab.freedesktop.org/virgl/virglrenderer/-/commit/2aed5d419722a0d9fbd17be9c7a1147e22b681de
> along with a couple of other security fixes in
> https://gitlab.freedesktop.org/virgl/virglrenderer/-/merge_requests/654
> . It does not look like these fixes have landed in a release yet
> upstream.
>
> However, the other two issues (249, 250) did get CVEs assigned for them,
> CVE-2022-0175 and CVE-2022-0135 respectively.
>
> Jun Yao, was a CVE ever assigned for this issue?
>
> ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-0135
>
> ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-0175
>
>
> Title:
> Integer underflow in the vrend_decode_set_shader_images() on
> virglrenderer
>
> Status in virglrenderer package in Ubuntu:
> New
>
> Bug description:
> Env
> ===
> Description: Ubuntu 20.04.3 LTS
> Release: 20.04
>
> Package
> =======
> virglrenderer_0.8.2
>
> Vulnerability
> =============
> There is an integer underflow bug in vrend_decode_set_shader_images(),
> which can be used to bypass the check and leads to an OOB write.
>
>
> ------------------------------------------------------------------------------
> virgl_renderer_submit_cmd()
> |
> |-> vrend_decode_block()
> |
> |     VIRGL_CCMD_SET_SHADER_IMAGES
> |
> |-> vrend_decode_set_shader_images()
> |
> |     /**
> |      * When the num_images is larger than PIPE_MAX_SHADER_IMAGES,
> |      * we can obey the checking. The value of PIPE_MAX_SHADER_IMAGES
> |      * is 32, if num_images is 33, the result of sub is -1. However,
> |      * the type of num_images and start_slot is uint, -1 is bigger than
> |      * start_slot, and it's ok.
> |      */
> |
> |     if (start_slot > PIPE_MAX_SHADER_BUFFERS ||
> |         start_slot > PIPE_MAX_SHADER_BUFFERS - num_images)
> |
> |     /* OOB write */
> |     for (uint32_t i = 0; i < num_images; i++)
> |         vrend_set_single_image_view(..., start_slot + i, format, access, layer_offset, level_size, handle);
>
> ------------------------------------------------------------------------------
>
> The start_slot+i is larger than the PIPE_MAX_SHADER_IMAGES, which causes an OOB write in vrend_set_single_image_view():
>
> ------------------------------------------------------------------------------
> void vrend_set_single_image_view(struct vrend_context *ctx,
>                                  uint32_t shader_type,
>                                  uint32_t index,
>                                  uint32_t format, uint32_t access,
>                                  uint32_t layer_offset, uint32_t level_size,
>                                  uint32_t handle)
> {
>    struct vrend_image_view *iview = &ctx->sub->image_views[shader_type][index]; // oob read
>    if (handle) {
>       if (!has_feature(feat_images))
>          return;
>
>       res = vrend_renderer_ctx_res_lookup(ctx, handle);
>       if (!res) {
>          report_context_error(ctx, VIRGL_ERROR_CTX_ILLEGAL_RESOURCE, handle);
>          return;
>       }
>       iview->texture = res; // oob write
>       iview->format = tex_conv_table[format].internalformat;
>       iview->access = access;
>       iview->u.buf.offset = layer_offset;
>       iview->u.buf.size = level_size;
>       ctx->sub->images_used_mask[shader_type] |= (1u << index);
>    } else {
>
> ------------------------------------------------------------------------------
>
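The unsigned underflow the quoted bug description walks through, as an added example that is neither virglrenderer code nor the upstream commit: the check as quoted in the report beside a hardened form of my own, with a 64-bit helper showing which inputs the decode loop would actually index out of bounds. The value 32 for PIPE_MAX_SHADER_IMAGES is taken from the report's comment; the function names are hypothetical.

```c
/* Added example (not virglrenderer code): the unsigned bounds check quoted
 * in the bug report, a hardened form, and a helper showing which inputs the
 * decode loop would index out of bounds. Constant value is from the report. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PIPE_MAX_SHADER_IMAGES 32u

/* The check as quoted in the report (hypothetical wrapper name).
 * With num_images = 33, PIPE_MAX_SHADER_IMAGES - num_images wraps to
 * UINT32_MAX, so start_slot is never greater and the check passes. */
bool buggy_check_rejects(uint32_t start_slot, uint32_t num_images)
{
    return start_slot > PIPE_MAX_SHADER_IMAGES ||
           start_slot > PIPE_MAX_SHADER_IMAGES - num_images;
}

/* Hardened form (my own, not necessarily the upstream commit): reject
 * num_images above the maximum before subtracting, so the subtraction
 * cannot wrap, then bound start_slot against the remaining room. */
bool fixed_check_rejects(uint32_t start_slot, uint32_t num_images)
{
    if (num_images > PIPE_MAX_SHADER_IMAGES)
        return true;
    return start_slot > PIPE_MAX_SHADER_IMAGES - num_images;
}

/* Ground truth: does the loop index start_slot + i (i < num_images) ever
 * reach past image_views[]? Computed in 64 bits so it cannot wrap. */
bool loop_would_write_oob(uint32_t start_slot, uint32_t num_images)
{
    return (uint64_t)start_slot + num_images > PIPE_MAX_SHADER_IMAGES;
}

int main(void)
{
    /* Constructed inputs: in-bounds, the 33-image underflow, a straddle,
     * and a plainly oversized start_slot. */
    const uint32_t cases[][2] = { {0, 32}, {0, 33}, {31, 2}, {4096, 1} };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        uint32_t s = cases[i][0], n = cases[i][1];
        printf("start_slot=%4u num_images=%2u buggy=%-6s fixed=%-6s oob=%s\n",
               s, n, buggy_check_rejects(s, n) ? "reject" : "accept",
               fixed_check_rejects(s, n) ? "reject" : "accept",
               loop_would_write_oob(s, n) ? "yes" : "no");
    }
    return 0;
}
```

The (0, 33) row is the report's case: the quoted check accepts it while the loop would write one element past the 32-entry array, and the hardened check rejects it.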