From b0acf583952232f68d0491425f1aaf2bd54521e70122eb54b70506f934e122e7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Adrian=20Schr=C3=B6ter?=
Date: Sat, 4 May 2024 01:45:23 +0200
Subject: [PATCH] Sync from SUSE:SLFO:Main virglrenderer revision ec2084a60b6bccf0513a9a74683003ad
---
 .gitattributes | 23 +++
 virglrenderer-CVE-2022-0135.patch | 77 +++++++++
 virglrenderer-CVE-2022-0175.patch | 99 +++++++++++
 virglrenderer-virglrenderer-0.9.1.tar.gz | 3 +
 virglrenderer.changes | 211 +++++++++++++++++++++++
 virglrenderer.spec | 103 +++++++++++
 6 files changed, 516 insertions(+)
 create mode 100644 .gitattributes
 create mode 100644 virglrenderer-CVE-2022-0135.patch
 create mode 100644 virglrenderer-CVE-2022-0175.patch
 create mode 100644 virglrenderer-virglrenderer-0.9.1.tar.gz
 create mode 100644 virglrenderer.changes
 create mode 100644 virglrenderer.spec
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..9b03811
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/virglrenderer-CVE-2022-0135.patch b/virglrenderer-CVE-2022-0135.patch
new file mode 100644
index 0000000..8460265
--- /dev/null
+++ b/virglrenderer-CVE-2022-0135.patch
@@ -0,0 +1,77 @@ +Index: virglrenderer-virglrenderer-0.9.1/src/vrend_renderer.c +=================================================================== +--- virglrenderer-virglrenderer-0.9.1.orig/src/vrend_renderer.c ++++ virglrenderer-virglrenderer-0.9.1/src/vrend_renderer.c +@@ -7568,8 +7568,11 @@ static int vrend_renderer_transfer_write + info->box->height) * elsize; + if (res->target == GL_TEXTURE_3D || + res->target == GL_TEXTURE_2D_ARRAY || ++ res->target == GL_TEXTURE_2D_MULTISAMPLE_ARRAY || + res->target == GL_TEXTURE_CUBE_MAP_ARRAY) + send_size *= info->box->depth; ++ else if (need_temp && info->box->depth != 1) ++ return EINVAL; + + if (need_temp) { + data = malloc(send_size); +Index: virglrenderer-virglrenderer-0.9.1/tests/test_fuzzer_formats.c +=================================================================== +--- virglrenderer-virglrenderer-0.9.1.orig/tests/test_fuzzer_formats.c ++++ virglrenderer-virglrenderer-0.9.1/tests/test_fuzzer_formats.c +@@ -958,6 +958,48 @@ static void test_vrend_set_signle_abo_he + virgl_renderer_submit_cmd((void *) cmd, ctx_id, 0xde); + } + ++/* Test adapted from yaojun8558363@gmail.com: ++ * https://gitlab.freedesktop.org/virgl/virglrenderer/-/issues/250 ++ */ ++static void test_vrend_3d_resource_overflow() { ++ ++ struct virgl_renderer_resource_create_args resource; ++ resource.handle = 0x4c474572; ++ resource.target = PIPE_TEXTURE_2D_ARRAY; ++ resource.format = VIRGL_FORMAT_Z24X8_UNORM; ++ resource.nr_samples = 2; ++ resource.last_level = 0; ++ resource.array_size = 3; ++ resource.bind = VIRGL_BIND_SAMPLER_VIEW; ++ resource.depth = 1; ++ resource.width = 8; ++ resource.height = 4; ++ resource.flags = 0; ++ ++ virgl_renderer_resource_create(&resource, NULL, 0); ++ virgl_renderer_ctx_attach_resource(ctx_id, resource.handle); ++ ++ uint32_t size = 0x400; ++ uint32_t cmd[size]; ++ int i = 0; ++ cmd[i++] = (size - 1) << 16 | 0 << 8 | VIRGL_CCMD_RESOURCE_INLINE_WRITE; ++ cmd[i++] = resource.handle; ++ cmd[i++] = 0; // level ++ 
cmd[i++] = 0; // usage ++ cmd[i++] = 0; // stride ++ cmd[i++] = 0; // layer_stride ++ cmd[i++] = 0; // x ++ cmd[i++] = 0; // y ++ cmd[i++] = 0; // z ++ cmd[i++] = 8; // w ++ cmd[i++] = 4; // h ++ cmd[i++] = 3; // d ++ memset(&cmd[i], 0, size - i); ++ ++ virgl_renderer_submit_cmd((void *) cmd, ctx_id, size); ++} ++ ++ + int main() + { + initialize_environment(); +@@ -980,6 +1022,7 @@ int main() + test_cs_nullpointer_deference(); + test_vrend_set_signle_abo_heap_overflow(); + ++ test_vrend_3d_resource_overflow(); + + virgl_renderer_context_destroy(ctx_id); + virgl_renderer_cleanup(&cookie); diff --git a/virglrenderer-CVE-2022-0175.patch b/virglrenderer-CVE-2022-0175.patch new file mode 100644 index 0000000..591c6a6 --- /dev/null +++ b/virglrenderer-CVE-2022-0175.patch 
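Review bot: The backport carries no upstream provenance header — the file opens with `Index:` lines only, whereas virglrenderer-CVE-2022-0175.patch in this same commit keeps the upstream `From`/`Subject`/`Closes: #249` header, and the changelog entry for bsc#1194601 says that practice was adopted precisely so the origin of a fix is known. A `From:`/`Subject:` header naming the upstream commit, or at least a leading comment with the upstream issue URL (the test comment already cites issues/250), would let the next maintainer check the fix against upstream before rebasing it. Separately, the added test zeroes the command buffer with `memset(&cmd[i], 0, size - i)`, which for a `uint32_t cmd[size]` covers only a quarter of the remaining elements, so most of the submitted command words are uninitialized stack; `memset(&cmd[i], 0, (size - i) * sizeof(cmd[0]))` would make the test input deterministic. The enclosing test_fuzzer_formats.c context continues outside this hunk.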
@@ -0,0 +1,99 @@ +From b05bb61f454eeb8a85164c8a31510aeb9d79129c Mon Sep 17 00:00:00 2001 +From: Gert Wollny +Date: Tue, 30 Nov 2021 09:29:42 +0100 +Subject: [PATCH] vrend: clear memory when allocating a host-backed memory resource + +Closes: #249 + +Signed-off-by: Gert Wollny +Reviewed-by: Chia-I Wu +--- + src/vrend_renderer.c | 2 +- + tests/test_virgl_transfer.c | 51 +++++++++++++++++++++++++++++++++++++ + 2 files changed, 52 insertions(+), 1 deletion(-) + +diff --git a/src/vrend_renderer.c b/src/vrend_renderer.c +index 53c52d07..28f66972 100644 +--- a/src/vrend_renderer.c ++++ b/src/vrend_renderer.c +@@ -7063,7 +7063,7 @@ vrend_resource_alloc_buffer(struct vrend_resource *gr, uint32_t flags) + if (bind == VIRGL_BIND_CUSTOM) { + /* use iovec directly when attached */ + gr->storage_bits |= VREND_STORAGE_HOST_SYSTEM_MEMORY; +- gr->ptr = malloc(size); ++ gr->ptr = calloc(1, size); + if (!gr->ptr) + return -ENOMEM; + } else if (bind == VIRGL_BIND_STAGING) { +diff --git a/tests/test_virgl_transfer.c b/tests/test_virgl_transfer.c +index bf7f4381..3c53c3df 100644 +--- a/tests/test_virgl_transfer.c ++++ b/tests/test_virgl_transfer.c +@@ -952,6 +952,56 @@ START_TEST(virgl_test_transfer_near_res_bounds_with_stride_succeeds) + } + END_TEST + ++START_TEST(test_vrend_host_backed_memory_no_data_leak) ++{ ++ struct iovec iovs[1]; ++ int niovs = 1; ++ ++ struct virgl_context ctx = {0}; ++ ++ int ret = testvirgl_init_ctx_cmdbuf(&ctx); ++ ++ struct virgl_renderer_resource_create_args res; ++ res.handle = 0x400; ++ res.target = PIPE_BUFFER; ++ res.format = VIRGL_FORMAT_R8_UNORM; ++ res.nr_samples = 0; ++ res.last_level = 0; ++ res.array_size = 1; ++ res.bind = VIRGL_BIND_CUSTOM; ++ res.depth = 1; ++ res.width = 32; ++ res.height = 1; ++ res.flags = 0; ++ ++ uint32_t size = 32; ++ uint8_t* data = calloc(1, size); ++ memset(data, 1, 32); ++ iovs[0].iov_base = data; ++ iovs[0].iov_len = size; ++ ++ struct pipe_box box = {0,0,0, size, 1,1}; ++ ++ virgl_renderer_resource_create(&res, 
NULL, 0); ++ virgl_renderer_ctx_attach_resource(ctx.ctx_id, res.handle); ++ ++ ret = virgl_renderer_transfer_read_iov(res.handle, ctx.ctx_id, 0, 0, 0, ++ (struct virgl_box *)&box, 0, iovs, niovs); ++ ++ ck_assert_int_eq(ret, 0); ++ ++ for (int i = 0; i < 32; ++i) ++ ck_assert_int_eq(data[i], 0); ++ ++ virgl_renderer_ctx_detach_resource(1, res.handle); ++ ++ virgl_renderer_resource_unref(res.handle); ++ free(data); ++ ++} ++END_TEST ++ ++ + static Suite *virgl_init_suite(void) + { + Suite *s; +@@ -981,6 +1031,7 @@ static Suite *virgl_init_suite(void) + tcase_add_test(tc_core, virgl_test_transfer_buffer_bad_strides); + tcase_add_test(tc_core, virgl_test_transfer_2d_array_bad_layer_stride); + tcase_add_test(tc_core, virgl_test_transfer_2d_bad_level); ++ tcase_add_test(tc_core, test_vrend_host_backed_memory_no_data_leak); + + tcase_add_loop_test(tc_core, virgl_test_transfer_res_read_valid, 0, PIPE_MAX_TEXTURE_TYPES); + tcase_add_loop_test(tc_core, virgl_test_transfer_res_write_valid, 0, PIPE_MAX_TEXTURE_TYPES); +-- +GitLab + diff --git a/virglrenderer-virglrenderer-0.9.1.tar.gz b/virglrenderer-virglrenderer-0.9.1.tar.gz new file mode 100644 index 0000000..3247c96 --- /dev/null +++ b/virglrenderer-virglrenderer-0.9.1.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:dd4a8008ca7bcaaf56666c94fcd738d705cdeda6313a82b3cea78bc3fb1b1ba5 +size 2945799 diff --git a/virglrenderer.changes b/virglrenderer.changes new file mode 100644 index 0000000..7687d36 --- /dev/null +++ b/virglrenderer.changes 
@@ -0,0 +1,211 @@ +------------------------------------------------------------------- +Wed Feb 2 09:33:17 UTC 2022 - Michael Vetter + +- security update + * Fix OOB in read_transfer_data() (CVE-2022-0135 bsc#1195389) + Add virglrenderer-CVE-2022-0135.patch + +------------------------------------------------------------------- +Fri Jan 21 10:45:13 UTC 2022 - Dario Faggioli + +- Pick up the full upstream patch for bsc#1194601, so we know from where it comes + * No functional change intended + +------------------------------------------------------------------- +Mon Jan 17 07:47:07 UTC 2022 - pgajdos@suse.com + +- security update +- added patches + fix CVE-2022-0175 [bsc#1194601], VUL-0: CVE-2022-0175: virglrenderer: Missing initialization of res->ptr + + virglrenderer-CVE-2022-0175.patch + +------------------------------------------------------------------- +Thu Apr 29 07:31:09 UTC 2021 - Martin Pluskal + +- Update to version 0.9.1: + * Various small bugfixes + +------------------------------------------------------------------- +Sun Apr 4 13:50:58 UTC 2021 - Bruce Rogers + +- Update package to 0.9.0 + Highlights include: + + multi-client support + + supports newer glsl version + + add ETC2 compressed formats + + performance improvements + + misc. bug fixes + +------------------------------------------------------------------- +Wed Feb 12 14:47:31 UTC 2020 - Bruce Rogers + +- Update package to 0.8.2 + Release is all bug fixes it seems. 
It includes these patches in + the release tarball: + vrend-Don-t-free-resource-struct-in-_resource_alloca.patch + vrend-Don-t-try-launching-a-grid-if-no-CS-is-availab.patch + vrend-Use-the-original-context-to-delete-objects.patch + vrend-Don-t-switch-to-ctx0-when-deleting-ctx0.patch + +------------------------------------------------------------------- +Tue Feb 4 15:46:04 UTC 2020 - Bruce Rogers + +- Avoid potential DoS in texture allocation (CVE-2020-8003 + boo#1162521) + vrend-Don-t-free-resource-struct-in-_resource_alloca.patch +- Avoid potential DoS if grid launched without prior Compute Shader + (CVE-2020-8002 boo#1162519) + vrend-Don-t-try-launching-a-grid-if-no-CS-is-availab.patch +- Avoid deleting wrong object, in use by others + vrend-Use-the-original-context-to-delete-objects.patch +- Avoid potential use after free when deleting context + vrend-Don-t-switch-to-ctx0-when-deleting-ctx0.patch + +------------------------------------------------------------------- +Mon Jan 6 16:57:48 UTC 2020 - Bruce Rogers + +- Update package to 0.8.1 + Requires very recent libepoxy, which is currently only available + in Factory. Accordingly also switch to meson build, which also + excludes older releases. 
+ Other highlights include: + + support emulating planar image sampling + + Add all formats to VIRGL_FORMAT that are referenced in Gallium + + deprecation of the autotools build system + + miscellaneous bug and performance fixes + + drop the following patches, which are included in this release: + 0001-5d03711-vrend-Keep-the-max-texture-sizes-in-the-vrend_state.patch + 0002-0d9a2c8-vrend-Check-resource-creation-more-thoroughly.patch + 0003-24f67de-vrend-check-info-formats-in-blits.patch + 0004-cbc8d8b-vrend-check-transfer-bounds-for-negative-values-too-.patch + 0005-2abeb18-vrend-check-that-the-transfer-iov-holds-enough-data-.patch + 0006-164d758-vrend-Add-an-assert-for-allocating-the-intermediate-.patch + +------------------------------------------------------------------- +Mon Dec 23 05:33:34 UTC 2019 - lma@suse.com + +- Add 5 security fixes +* Check resource creation more thoroughly (CVE-2019-18388 bsc#1159479) + 0001-5d03711-vrend-Keep-the-max-texture-sizes-in-the-vrend_state.patch + 0002-0d9a2c8-vrend-Check-resource-creation-more-thoroughly.patch + +* check info formats in blits (CVE-2019-18390 bsc#1159478) + 0003-24f67de-vrend-check-info-formats-in-blits.patch + +* check transfer bounds for negative values too (CVE-2019-18389 bsc#1159482) + 0004-cbc8d8b-vrend-check-transfer-bounds-for-negative-values-too-.patch + +* check transfer iov holds enough data for the data upload (CVE-2019-18391 bsc#1159486) + 0005-2abeb18-vrend-check-that-the-transfer-iov-holds-enough-data-.patch + +* Add an assert for allocating the intermediate texture (CVE-2019-18392 bsc#1159454) + 0006-164d758-vrend-Add-an-assert-for-allocating-the-intermediate-.patch + +------------------------------------------------------------------- +Tue Nov 26 21:42:29 UTC 2019 - Bruce Rogers + +- Update package to 0.8.0 + Note: not switching to meson build system yet since it would + exclude distos with older meson (seems meson v0.49+ is required) + Highlights include: + + guest support for GL 4.3 on 
hosts with GLES 3.2 + certain + extensions, + + major performance improvements, and + + lots of bug fixes. +- The shared object (SO) version changes from 0 to 1 with this + package update + +------------------------------------------------------------------- +Wed Sep 19 11:52:37 UTC 2018 - minava@t-online.de + +- Update package to 0.7.0 +- Brings the renderer up to GL4.3/GLES3.1 capability and most of GLES3.2 +- Make EGL optional at configure time +- The following patches will be removed: + 0001-737c3350-renderer-fix-memory-leak-in-vertex-elements-state-cr.patch + 0002-1fdafd62-vrend-Increase-VREND_MAX_CTX-to-64.patch + They are included in 0.7.0 + + +------------------------------------------------------------------- +Thu Jul 26 16:13:35 CEST 2018 - vliaskovitis@suse.com + +- vrend: Increase VREND_MAX_CTX to 64. (bsc#1102749) + 0002-1fdafd62-vrend-Increase-VREND_MAX_CTX-to-64.patch + +------------------------------------------------------------------- +Wed Nov 1 15:32:54 UTC 2017 - mpluskal@suse.com + +- Clean up spec file with spec-cleaner +- Use source url +- Add gpg signature +- Make building more verbose +- Explicitly require python2 + +------------------------------------------------------------------- +Fri Mar 10 04:22:11 UTC 2017 - lma@suse.com + +- Fix memory leak in vertex elements state create (CVE-2017-6386 bsc#1027376) + 0001-737c3350-renderer-fix-memory-leak-in-vertex-elements-state-cr.patch + +------------------------------------------------------------------- +Thu Mar 2 09:24:22 UTC 2017 - jengelh@inai.de + +- Fix RPM groups + +------------------------------------------------------------------- +Fri Feb 24 09:03:26 UTC 2017 - lma@suse.com + +- Update package to 0.6.0 + The following patches will be removed: + 0001-48f67f60-renderer-fix-NULL-pointer-deref-in-vrend_clear.patch + 0002-40b0e781-renderer-fix-a-leak-in-resource-attach.patch + 0003-6eb13f7a-vrend-fix-memory-leak-in-int-blit-context.patch + 
0004-114688c5-renderer-fix-heap-overflow-in-vertex-elements-state-.patch + 0005-926b9b34-vrend-fix-a-stack-overflow-in-set-framebuffer-state.patch + + All of the removed patches were already included in 0.6.0, + So we dont need them any more. + +------------------------------------------------------------------- +Fri Feb 17 11:20:43 UTC 2017 - lma@suse.com + +- Address various security issues +* Fix null pointer dereference in vrend_clear (CVE-2017-5937 bsc#1024232) + 0001-48f67f60-renderer-fix-NULL-pointer-deref-in-vrend_clear.patch +* Fix host memory leak issue in virgl_resource_attach_backing (CVE-2016-10214 bsc#1024244) + 0002-40b0e781-renderer-fix-a-leak-in-resource-attach.patch +* Fix memory leak in int blit context (CVE-2017-5993 bsc#1025505) + 0003-6eb13f7a-vrend-fix-memory-leak-in-int-blit-context.patch +* Fix heap overflow in vertex elements state create (CVE-2017-5994 bsc#1025507) + 0004-114688c5-renderer-fix-heap-overflow-in-vertex-elements-state-.patch +* Fix a stack overflow in set framebuffer state (CVE-2017-5957 bsc#1024993) + 0005-926b9b34-vrend-fix-a-stack-overflow-in-set-framebuffer-state.patch + +------------------------------------------------------------------- +Fri Jun 3 16:35:39 UTC 2016 - brogers@suse.com + +- Further tweaks to package layout, including splitting out + the test server into it's own package. + +------------------------------------------------------------------- +Wed Jun 1 11:01:38 UTC 2016 - brogers@suse.com + +- Refine BuildRequires tags + +------------------------------------------------------------------- +Thu Apr 14 02:45:57 UTC 2016 - brogers@suse.com + +- Fixed url in spec file + +------------------------------------------------------------------- +Wed Apr 13 06:15:29 UTC 2016 - lma@suse.com + +- Fixed epoxy dependency + +------------------------------------------------------------------- +Tue Apr 12 07:44:05 UTC 2016 - lma@suse.com + +- Initial package, based upon virglrenderer upstream sources + (git tag: 0.5.0) + 
diff --git a/virglrenderer.spec b/virglrenderer.spec
new file mode 100644
index 0000000..27d2b4b
--- /dev/null
+++ b/virglrenderer.spec
@@ -0,0 +1,103 @@
+#
+# spec file for package virglrenderer
+#
+# Copyright (c) 2022 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%define libname lib%{name}1
+Name: virglrenderer
+Version: 0.9.1
+Release: 0
+Summary: Virgl Rendering library
+License: MIT
+Group: Development/Libraries/C and C++
+URL: https://virgil3d.github.io/
+Source0: https://gitlab.freedesktop.org/virgl/%{name}/-/archive/%{name}-%{version}/%{name}-%{name}-%{version}.tar.gz
+# CVE-2022-0175 [bsc#1194601], VUL-0: CVE-2022-0175: virglrenderer: Missing initialization of res->ptr
+Patch0: virglrenderer-CVE-2022-0175.patch
+# CVE-2022-0135 [bsc#1195389], VUL-0: CVE-2022-0135: virglrenderer: out-of-bounds write in read_transfer_data()
+Patch1: virglrenderer-CVE-2022-0135.patch
+BuildRequires: Mesa-devel
+BuildRequires: meson >= 0.46
+BuildRequires: pkgconfig >= 0.9.0
+BuildRequires: python3-base
+BuildRequires: pkgconfig(epoxy) >= 1.5.4
+BuildRequires: pkgconfig(gbm) >= 18.0.0
+BuildRequires: pkgconfig(libdrm) >= 2.4.50
+BuildRequires: pkgconfig(x11)
+
+%description
+The virgil3d rendering library is a library used by
+qemu to implement 3D GPU support for the virtio GPU.
+
+%package -n %{libname}
+Summary: Virgil3D renderer
+Group: System/Libraries
+
+%description -n %{libname}
+The virgil3d rendering library is a library used by
+qemu to implement 3D GPU support for the virtio GPU.
+
+%package devel
+Summary: Virgil3D renderer development files
+Group: Development/Libraries/C and C++
+Requires: %{libname} = %{version}
+
+%description devel
+The virgil3d rendering library is a library used by
+qemu to implement 3D GPU support for the virtio GPU.
+This package contains the virgil3d renderer development
+files.
+
+%package test-server
+Summary: Virgil3D renderer development files
+Group: Development/Libraries/C and C++
+Requires: %{libname} = %{version}
+
+%description test-server
+The virgil3d rendering library is a library used by
+qemu to implement 3D GPU support for the virtio GPU.
+This package contains a server to test virgl rendering
+without GL.
+
+%prep
+%setup -q -n %{name}-%{name}-%{version}
+%patch0 -p1
+%patch1 -p1
+
+%build
+%meson
+%meson_build
+
+%install
+%meson_install
+
+%post -n %{libname} -p /sbin/ldconfig
+%postun -n %{libname} -p /sbin/ldconfig
+
+%files -n %{libname}
+%license COPYING
+%{_libdir}/lib*.so.*
+
+%files devel
+%dir %{_includedir}/virgl/
+%{_includedir}/virgl/*
+%{_libdir}/lib*.so
+%{_libdir}/pkgconfig/*.pc
+
+%files test-server
+%{_bindir}/virgl_test_server
+
+%changelog
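Review bot: The `Summary:` of `%package test-server` is a copy of the devel subpackage's ("Virgil3D renderer development files"), which is wrong for a package whose only payload is `%{_bindir}/virgl_test_server`; its own `%description` already says what it ships, so `Summary: Virgil3D renderer test server` would match it. The same stanza also inherits `Group: Development/Libraries/C and C++` from the devel block although it installs a binary, not headers or a library, so if a group is kept at all a non-library group would be more accurate. Both subpackages pin the library with `Requires: %{libname} = %{version}`, which omits the release and therefore still resolves against a rebuilt library of the same version but a different release; `Requires: %{libname} = %{version}-%{release}` is the usual form when the subpackages are built from the same source.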