Comment 9 for bug 1950941

Jun Yao (2freeman) wrote :

Hi Seth Arnold,

> What I'm not sure about is if this is actually a security issue or if this is just a bug -- is there actually a security boundary that is being breached?

I believe that this is a security issue, which causes an OOB write in vrend_set_single_ssbo():

void vrend_set_single_ssbo(struct vrend_context *ctx,
                           uint32_t shader_type,
                           uint32_t index,
                           uint32_t offset, uint32_t length,
                           uint32_t handle)
{
   /* OOB, index > PIPE_MAX_SHADER_BUFFERS */
   struct vrend_ssbo *ssbo = &ctx->sub->ssbo[shader_type][index];
   struct vrend_resource *res;

   if (!has_feature(feat_ssbo))
      return;

   if (handle) {
      res = vrend_renderer_ctx_res_lookup(ctx, handle);
      if (!res) {
         report_context_error(ctx, VIRGL_ERROR_CTX_ILLEGAL_RESOURCE, handle);
         return;
      }
      /* OOB writing */
      ssbo->res = res;
      ssbo->buffer_offset = offset;
      ssbo->buffer_size = length;
      ctx->sub->ssbo_used_mask[shader_type] |= (1u << index);
   }
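As an added example that is not part of this comment or of virglrenderer's code: a self-contained C model of the SSBO table with the range check that the excerpt above lacks, so a command-supplied index can no longer address memory outside the fixed-size arrays. The struct and constant names, array sizes, error code and the handle == 0 unbind path are all constructed for illustration (the comment only discusses index; shader_type is checked here as well since it indexes the same table).

```c
/* Added example (not virglrenderer's code): a self-contained model of the
 * SSBO table with the index validation that vrend_set_single_ssbo() lacks.
 * Names, array sizes and the error code are constructed for illustration. */
#include <stdint.h>
#include <string.h>

#define MODEL_SHADER_TYPES        6   /* constructed size */
#define PIPE_MAX_SHADER_BUFFERS   8   /* constructed; the real value differs */

struct model_ssbo {
   uint32_t res_handle;   /* stands in for the resource pointer */
   uint32_t buffer_offset;
   uint32_t buffer_size;
};

struct model_sub_ctx {
   struct model_ssbo ssbo[MODEL_SHADER_TYPES][PIPE_MAX_SHADER_BUFFERS];
   uint32_t ssbo_used_mask[MODEL_SHADER_TYPES];
};

enum model_status { MODEL_OK = 0, MODEL_ERR_RANGE = 1 };

/* Hardened form: both caller-controlled indices are range-checked before
 * they are used to address the fixed-size table, so an out-of-range index
 * can neither read nor write outside ctx->ssbo[][] or ctx->ssbo_used_mask[]. */
enum model_status model_set_single_ssbo(struct model_sub_ctx *ctx,
                                        uint32_t shader_type, uint32_t index,
                                        uint32_t offset, uint32_t length,
                                        uint32_t handle)
{
   if (shader_type >= MODEL_SHADER_TYPES || index >= PIPE_MAX_SHADER_BUFFERS)
      return MODEL_ERR_RANGE;           /* reject before any table access */

   struct model_ssbo *ssbo = &ctx->ssbo[shader_type][index];
   if (handle) {
      ssbo->res_handle = handle;
      ssbo->buffer_offset = offset;
      ssbo->buffer_size = length;
      ctx->ssbo_used_mask[shader_type] |= (1u << index);
   } else {
      /* unbind path: the model's own choice, not shown in the excerpt */
      memset(ssbo, 0, sizeof(*ssbo));
      ctx->ssbo_used_mask[shader_type] &= ~(1u << index);
   }
   return MODEL_OK;
}
```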