Sync from SUSE:SLFO:Main virglrenderer revision ec2084a60b6bccf0513a9a74683003ad

.gitattributes

@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text

virglrenderer-CVE-2022-0135.patch

@@ -0,0 +1,77 @@
+Index: virglrenderer-virglrenderer-0.9.1/src/vrend_renderer.c
+===================================================================
+--- virglrenderer-virglrenderer-0.9.1.orig/src/vrend_renderer.c
++++ virglrenderer-virglrenderer-0.9.1/src/vrend_renderer.c
+@@ -7568,8 +7568,11 @@ static int vrend_renderer_transfer_write
+                                           info->box->height) * elsize;
+       if (res->target == GL_TEXTURE_3D ||
+           res->target == GL_TEXTURE_2D_ARRAY ||
++          res->target == GL_TEXTURE_2D_MULTISAMPLE_ARRAY ||
+           res->target == GL_TEXTURE_CUBE_MAP_ARRAY)
+           send_size *= info->box->depth;
++      else if (need_temp && info->box->depth != 1)
++          return EINVAL;
+ 
+       if (need_temp) {
+          data = malloc(send_size);
+Index: virglrenderer-virglrenderer-0.9.1/tests/test_fuzzer_formats.c
+===================================================================
+--- virglrenderer-virglrenderer-0.9.1.orig/tests/test_fuzzer_formats.c
++++ virglrenderer-virglrenderer-0.9.1/tests/test_fuzzer_formats.c
+@@ -958,6 +958,48 @@ static void test_vrend_set_signle_abo_he
+     virgl_renderer_submit_cmd((void *) cmd, ctx_id, 0xde);
+ }
+ 
++/* Test adapted from yaojun8558363@gmail.com:
++ * https://gitlab.freedesktop.org/virgl/virglrenderer/-/issues/250
++ */
++static void test_vrend_3d_resource_overflow() {
++
++	struct virgl_renderer_resource_create_args resource;
++	resource.handle = 0x4c474572;
++	resource.target = PIPE_TEXTURE_2D_ARRAY;
++	resource.format = VIRGL_FORMAT_Z24X8_UNORM;
++	resource.nr_samples = 2;
++	resource.last_level = 0;
++	resource.array_size = 3;
++	resource.bind = VIRGL_BIND_SAMPLER_VIEW;
++	resource.depth = 1;
++	resource.width = 8;
++	resource.height = 4;
++	resource.flags = 0;
++
++	virgl_renderer_resource_create(&resource, NULL, 0);
++	virgl_renderer_ctx_attach_resource(ctx_id, resource.handle);
++
++	uint32_t size = 0x400;
++	uint32_t cmd[size];
++	int i = 0;
++	cmd[i++] = (size - 1) << 16 | 0 << 8 | VIRGL_CCMD_RESOURCE_INLINE_WRITE;
++	cmd[i++] = resource.handle;
++	cmd[i++] = 0; // level
++	cmd[i++] = 0; // usage
++	cmd[i++] = 0; // stride
++	cmd[i++] = 0; // layer_stride
++	cmd[i++] = 0; // x
++	cmd[i++] = 0; // y
++	cmd[i++] = 0; // z
++	cmd[i++] = 8; // w
++	cmd[i++] = 4; // h
++	cmd[i++] = 3; // d
++	memset(&cmd[i], 0, size - i);
++
++	virgl_renderer_submit_cmd((void *) cmd, ctx_id, size);
++}
++
++
+ int main()
+ {
+    initialize_environment();
+@@ -980,6 +1022,7 @@ int main()
+    test_cs_nullpointer_deference();
+    test_vrend_set_signle_abo_heap_overflow();
+ 
++   test_vrend_3d_resource_overflow();
+ 
+    virgl_renderer_context_destroy(ctx_id);
+    virgl_renderer_cleanup(&cookie);

virglrenderer-CVE-2022-0175.patch

@@ -0,0 +1,99 @@
+From b05bb61f454eeb8a85164c8a31510aeb9d79129c Mon Sep 17 00:00:00 2001
+From: Gert Wollny <gert.wollny@collabora.com>
+Date: Tue, 30 Nov 2021 09:29:42 +0100
+Subject: [PATCH] vrend: clear memory when allocating a host-backed memory resource
+
+Closes: #249
+
+Signed-off-by: Gert Wollny <gert.wollny@collabora.com>
+Reviewed-by: Chia-I Wu <olvaffe@gmail.com>
+---
+ src/vrend_renderer.c        |  2 +-
+ tests/test_virgl_transfer.c | 51 +++++++++++++++++++++++++++++++++++++
+ 2 files changed, 52 insertions(+), 1 deletion(-)
+
+diff --git a/src/vrend_renderer.c b/src/vrend_renderer.c
+index 53c52d07..28f66972 100644
+--- a/src/vrend_renderer.c
++++ b/src/vrend_renderer.c
+@@ -7063,7 +7063,7 @@ vrend_resource_alloc_buffer(struct vrend_resource *gr, uint32_t flags)
+    if (bind == VIRGL_BIND_CUSTOM) {
+       /* use iovec directly when attached */
+       gr->storage_bits |= VREND_STORAGE_HOST_SYSTEM_MEMORY;
+-      gr->ptr = malloc(size);
++      gr->ptr = calloc(1, size);
+       if (!gr->ptr)
+          return -ENOMEM;
+    } else if (bind == VIRGL_BIND_STAGING) {
+diff --git a/tests/test_virgl_transfer.c b/tests/test_virgl_transfer.c
+index bf7f4381..3c53c3df 100644
+--- a/tests/test_virgl_transfer.c
++++ b/tests/test_virgl_transfer.c
+@@ -952,6 +952,56 @@ START_TEST(virgl_test_transfer_near_res_bounds_with_stride_succeeds)
+ }
+ END_TEST
+ 
++START_TEST(test_vrend_host_backed_memory_no_data_leak)
++{
++   struct iovec iovs[1];
++   int niovs = 1;
++
++   struct virgl_context ctx = {0};
++
++   int ret = testvirgl_init_ctx_cmdbuf(&ctx);
++
++   struct virgl_renderer_resource_create_args res;
++   res.handle = 0x400;
++   res.target = PIPE_BUFFER;
++   res.format = VIRGL_FORMAT_R8_UNORM;
++   res.nr_samples = 0;
++   res.last_level = 0;
++   res.array_size = 1;
++   res.bind = VIRGL_BIND_CUSTOM;
++   res.depth = 1;
++   res.width = 32;
++   res.height = 1;
++   res.flags = 0;
++
++   uint32_t size = 32;
++   uint8_t* data = calloc(1, size);
++   memset(data, 1, 32);
++   iovs[0].iov_base = data;
++   iovs[0].iov_len = size;
++
++   struct pipe_box box = {0,0,0, size, 1,1};
++
++   virgl_renderer_resource_create(&res, NULL, 0);
++   virgl_renderer_ctx_attach_resource(ctx.ctx_id, res.handle);
++
++   ret = virgl_renderer_transfer_read_iov(res.handle, ctx.ctx_id, 0, 0, 0,
++                                          (struct virgl_box *)&box, 0, iovs, niovs);
++
++   ck_assert_int_eq(ret, 0);
++
++   for (int i = 0; i < 32; ++i)
++      ck_assert_int_eq(data[i], 0);
++
++   virgl_renderer_ctx_detach_resource(1, res.handle);
++
++   virgl_renderer_resource_unref(res.handle);
++   free(data);
++
++}
++END_TEST
++
++
+ static Suite *virgl_init_suite(void)
+ {
+   Suite *s;
+@@ -981,6 +1031,7 @@ static Suite *virgl_init_suite(void)
+   tcase_add_test(tc_core, virgl_test_transfer_buffer_bad_strides);
+   tcase_add_test(tc_core, virgl_test_transfer_2d_array_bad_layer_stride);
+   tcase_add_test(tc_core, virgl_test_transfer_2d_bad_level);
++  tcase_add_test(tc_core, test_vrend_host_backed_memory_no_data_leak);
+ 
+   tcase_add_loop_test(tc_core, virgl_test_transfer_res_read_valid, 0, PIPE_MAX_TEXTURE_TYPES);
+   tcase_add_loop_test(tc_core, virgl_test_transfer_res_write_valid, 0, PIPE_MAX_TEXTURE_TYPES);
+-- 
+GitLab
+

virglrenderer.changes

@@ -0,0 +1,211 @@
+-------------------------------------------------------------------
+Wed Feb  2 09:33:17 UTC 2022 - Michael Vetter <mvetter@suse.com>
+
+- security update
+  * Fix OOB in read_transfer_data() (CVE-2022-0135 bsc#1195389)
+    Add virglrenderer-CVE-2022-0135.patch
+
+-------------------------------------------------------------------
+Fri Jan 21 10:45:13 UTC 2022 - Dario Faggioli <dfaggioli@suse.com>
+
+- Pick up the full upstream patch for bsc#1194601, so we know from where it comes
+  * No functional change intended
+
+-------------------------------------------------------------------
+Mon Jan 17 07:47:07 UTC 2022 - pgajdos@suse.com
+
+- security update
+- added patches
+  fix CVE-2022-0175 [bsc#1194601], VUL-0: CVE-2022-0175: virglrenderer: Missing initialization of res->ptr
+  + virglrenderer-CVE-2022-0175.patch
+
+-------------------------------------------------------------------
+Thu Apr 29 07:31:09 UTC 2021 - Martin Pluskal <mpluskal@suse.com>
+
+- Update to version 0.9.1:
+  * Various small bugfixes
+
+-------------------------------------------------------------------
+Sun Apr  4 13:50:58 UTC 2021 - Bruce Rogers <brogers@suse.com>
+
+- Update package to 0.9.0
+  Highlights include:
+  + multi-client support
+  + supports newer glsl version
+  + add ETC2 compressed formats
+  + performance improvements
+  + misc. bug fixes
+
+-------------------------------------------------------------------
+Wed Feb 12 14:47:31 UTC 2020 - Bruce Rogers <brogers@suse.com>
+
+- Update package to 0.8.2
+  Release is all bug fixes it seems. It includes these patches in
+  the release tarball:
+  vrend-Don-t-free-resource-struct-in-_resource_alloca.patch
+  vrend-Don-t-try-launching-a-grid-if-no-CS-is-availab.patch
+  vrend-Use-the-original-context-to-delete-objects.patch
+  vrend-Don-t-switch-to-ctx0-when-deleting-ctx0.patch
+
+-------------------------------------------------------------------
+Tue Feb  4 15:46:04 UTC 2020 - Bruce Rogers <brogers@suse.com>
+
+- Avoid potential DoS in texture allocation (CVE-2020-8003
+  boo#1162521)
+  vrend-Don-t-free-resource-struct-in-_resource_alloca.patch
+- Avoid potential DoS if grid launched without prior Compute Shader
+  (CVE-2020-8002 boo#1162519)
+  vrend-Don-t-try-launching-a-grid-if-no-CS-is-availab.patch
+- Avoid deleting wrong object, in use by others
+  vrend-Use-the-original-context-to-delete-objects.patch
+- Avoid potential use after free when deleting context
+  vrend-Don-t-switch-to-ctx0-when-deleting-ctx0.patch
+
+-------------------------------------------------------------------
+Mon Jan  6 16:57:48 UTC 2020 - Bruce Rogers <brogers@suse.com>
+
+- Update package to 0.8.1
+  Requires very recent libepoxy, which is currently only available
+  in Factory. Accordingly also switch to meson build, which also
+  excludes older releases.
+  Other highlights include:
+  + support emulating planar image sampling
+  + Add all formats to VIRGL_FORMAT that are referenced in Gallium
+  + deprecation of the autotools build system
+  + miscellaneous bug and performance fixes
+  + drop the following patches, which are included in this release:
+    0001-5d03711-vrend-Keep-the-max-texture-sizes-in-the-vrend_state.patch
+    0002-0d9a2c8-vrend-Check-resource-creation-more-thoroughly.patch
+    0003-24f67de-vrend-check-info-formats-in-blits.patch
+    0004-cbc8d8b-vrend-check-transfer-bounds-for-negative-values-too-.patch
+    0005-2abeb18-vrend-check-that-the-transfer-iov-holds-enough-data-.patch
+    0006-164d758-vrend-Add-an-assert-for-allocating-the-intermediate-.patch
+
+-------------------------------------------------------------------
+Mon Dec 23 05:33:34 UTC 2019 - lma@suse.com
+
+- Add 5 security fixes
+* Check resource creation more thoroughly (CVE-2019-18388 bsc#1159479)
+  0001-5d03711-vrend-Keep-the-max-texture-sizes-in-the-vrend_state.patch
+  0002-0d9a2c8-vrend-Check-resource-creation-more-thoroughly.patch
+
+* check info formats in blits (CVE-2019-18390 bsc#1159478)
+  0003-24f67de-vrend-check-info-formats-in-blits.patch
+
+* check transfer bounds for negative values too (CVE-2019-18389 bsc#1159482)
+  0004-cbc8d8b-vrend-check-transfer-bounds-for-negative-values-too-.patch
+
+* check transfer iov holds enough data for the data upload (CVE-2019-18391 bsc#1159486)
+  0005-2abeb18-vrend-check-that-the-transfer-iov-holds-enough-data-.patch
+
+* Add an assert for allocating the intermediate texture (CVE-2019-18392 bsc#1159454)
+  0006-164d758-vrend-Add-an-assert-for-allocating-the-intermediate-.patch
+
+-------------------------------------------------------------------
+Tue Nov 26 21:42:29 UTC 2019 - Bruce Rogers <brogers@suse.com>
+
+- Update package to 0.8.0
+  Note: not switching to meson build system yet since it would
+  exclude distos with older meson (seems meson v0.49+ is required)
+  Highlights include:
+  + guest support for GL 4.3 on hosts with GLES 3.2 + certain 
+    extensions,
+  + major performance improvements, and 
+  + lots of bug fixes.
+- The shared object (SO) version changes from 0 to 1 with this
+  package update
+
+-------------------------------------------------------------------
+Wed Sep 19 11:52:37 UTC 2018 - minava@t-online.de
+
+- Update package to 0.7.0
+- Brings the renderer up to GL4.3/GLES3.1 capability and most of GLES3.2
+- Make EGL optional at configure time
+- The following patches will be removed: 
+  0001-737c3350-renderer-fix-memory-leak-in-vertex-elements-state-cr.patch
+  0002-1fdafd62-vrend-Increase-VREND_MAX_CTX-to-64.patch
+  They are included in 0.7.0
+
+
+-------------------------------------------------------------------
+Thu Jul 26 16:13:35 CEST 2018 - vliaskovitis@suse.com
+
+- vrend: Increase VREND_MAX_CTX to 64. (bsc#1102749)
+  0002-1fdafd62-vrend-Increase-VREND_MAX_CTX-to-64.patch
+
+-------------------------------------------------------------------
+Wed Nov  1 15:32:54 UTC 2017 - mpluskal@suse.com
+
+- Clean up spec file with spec-cleaner
+- Use source url
+- Add gpg signature
+- Make building more verbose
+- Explicitly require python2
+
+-------------------------------------------------------------------
+Fri Mar 10 04:22:11 UTC 2017 - lma@suse.com
+
+- Fix memory leak in vertex elements state create (CVE-2017-6386 bsc#1027376)
+  0001-737c3350-renderer-fix-memory-leak-in-vertex-elements-state-cr.patch
+
+-------------------------------------------------------------------
+Thu Mar  2 09:24:22 UTC 2017 - jengelh@inai.de
+
+- Fix RPM groups
+
+-------------------------------------------------------------------
+Fri Feb 24 09:03:26 UTC 2017 - lma@suse.com
+
+- Update package to 0.6.0
+  The following patches will be removed:
+  0001-48f67f60-renderer-fix-NULL-pointer-deref-in-vrend_clear.patch
+  0002-40b0e781-renderer-fix-a-leak-in-resource-attach.patch
+  0003-6eb13f7a-vrend-fix-memory-leak-in-int-blit-context.patch
+  0004-114688c5-renderer-fix-heap-overflow-in-vertex-elements-state-.patch
+  0005-926b9b34-vrend-fix-a-stack-overflow-in-set-framebuffer-state.patch
+
+  All of the removed patches were already included in 0.6.0,
+  So we dont need them any more.
+
+-------------------------------------------------------------------
+Fri Feb 17 11:20:43 UTC 2017 - lma@suse.com
+
+- Address various security issues
+* Fix null pointer dereference in vrend_clear (CVE-2017-5937 bsc#1024232)
+  0001-48f67f60-renderer-fix-NULL-pointer-deref-in-vrend_clear.patch
+* Fix host memory leak issue in virgl_resource_attach_backing (CVE-2016-10214 bsc#1024244)
+  0002-40b0e781-renderer-fix-a-leak-in-resource-attach.patch
+* Fix memory leak in int blit context (CVE-2017-5993 bsc#1025505)
+  0003-6eb13f7a-vrend-fix-memory-leak-in-int-blit-context.patch
+* Fix heap overflow in vertex elements state create (CVE-2017-5994 bsc#1025507)
+  0004-114688c5-renderer-fix-heap-overflow-in-vertex-elements-state-.patch
+* Fix a stack overflow in set framebuffer state (CVE-2017-5957 bsc#1024993)
+  0005-926b9b34-vrend-fix-a-stack-overflow-in-set-framebuffer-state.patch
+
+-------------------------------------------------------------------
+Fri Jun  3 16:35:39 UTC 2016 - brogers@suse.com
+
+- Further tweaks to package layout, including splitting out
+  the test server into it's own package.
+
+-------------------------------------------------------------------
+Wed Jun  1 11:01:38 UTC 2016 - brogers@suse.com
+
+- Refine BuildRequires tags
+
+-------------------------------------------------------------------
+Thu Apr 14 02:45:57 UTC 2016 - brogers@suse.com
+
+- Fixed url in spec file
+
+-------------------------------------------------------------------
+Wed Apr 13 06:15:29 UTC 2016 - lma@suse.com
+
+- Fixed epoxy dependency
+
+-------------------------------------------------------------------
+Tue Apr 12 07:44:05 UTC 2016 - lma@suse.com
+
+- Initial package, based upon virglrenderer upstream sources
+  (git tag: 0.5.0)
+

virglrenderer.spec

@@ -0,0 +1,103 @@
+#
+# spec file for package virglrenderer
+#
+# Copyright (c) 2022 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%define         libname lib%{name}1
+Name:           virglrenderer
+Version:        0.9.1
+Release:        0
+Summary:        Virgl Rendering library
+License:        MIT
+Group:          Development/Libraries/C and C++
+URL:            https://virgil3d.github.io/
+Source0:        https://gitlab.freedesktop.org/virgl/%{name}/-/archive/%{name}-%{version}/%{name}-%{name}-%{version}.tar.gz
+# CVE-2022-0175 [bsc#1194601], VUL-0: CVE-2022-0175: virglrenderer: Missing initialization of res->ptr
+Patch0:         virglrenderer-CVE-2022-0175.patch
+# CVE-2022-0135 [bsc#1195389], VUL-0: CVE-2022-0135: virglrenderer: out-of-bounds write in read_transfer_data()
+Patch1:         virglrenderer-CVE-2022-0135.patch
+BuildRequires:  Mesa-devel
+BuildRequires:  meson >= 0.46
+BuildRequires:  pkgconfig >= 0.9.0
+BuildRequires:  python3-base
+BuildRequires:  pkgconfig(epoxy) >= 1.5.4
+BuildRequires:  pkgconfig(gbm) >= 18.0.0
+BuildRequires:  pkgconfig(libdrm) >= 2.4.50
+BuildRequires:  pkgconfig(x11)
+
+%description
+The virgil3d rendering library is a library used by
+qemu to implement 3D GPU support for the virtio GPU.
+
+%package -n %{libname}
+Summary:        Virgil3D renderer
+Group:          System/Libraries
+
+%description -n %{libname}
+The virgil3d rendering library is a library used by
+qemu to implement 3D GPU support for the virtio GPU.
+
+%package devel
+Summary:        Virgil3D renderer development files
+Group:          Development/Libraries/C and C++
+Requires:       %{libname} = %{version}
+
+%description devel
+The virgil3d rendering library is a library used by
+qemu to implement 3D GPU support for the virtio GPU.
+This package contains the virgil3d renderer development
+files.
+
+%package test-server
+Summary:        Virgil3D renderer development files
+Group:          Development/Libraries/C and C++
+Requires:       %{libname} = %{version}
+
+%description test-server
+The virgil3d rendering library is a library used by
+qemu to implement 3D GPU support for the virtio GPU.
+This package contains a server to test virgl rendering
+without GL.
+
+%prep
+%setup -q -n %{name}-%{name}-%{version}
+%patch0 -p1
+%patch1 -p1
+
+%build
+%meson
+%meson_build
+
+%install
+%meson_install
+
+%post -n %{libname} -p /sbin/ldconfig
+%postun -n %{libname} -p /sbin/ldconfig
+
+%files -n %{libname}
+%license COPYING
+%{_libdir}/lib*.so.*
+
+%files devel
+%dir %{_includedir}/virgl/
+%{_includedir}/virgl/*
+%{_libdir}/lib*.so
+%{_libdir}/pkgconfig/*.pc
+
+%files test-server
+%{_bindir}/virgl_test_server
+
+%changelog