Your message dated Sat, 17 Dec 2022 10:57:10 +0000
with message-id
<03e9b90cf2f149b9e2835590c9ec0ccb048b744d.ca...@adam-barratt.org.uk>
and subject line Closing p-u requests for fixes included in 11.6
has caused the Debian Bug report #1025700,
regarding bullseye-pu: package virglrenderer/0.8.2-5+deb11u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1025700: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1025700
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: [email protected]
Usertags: pu
X-Debbugs-Cc: Gert Wollny <[email protected]>
(CC'ing Gert Wollny <[email protected]> as maintainer of virglrenderer so he is
aware)
[ Reason ]
I'm currently preparing a security update for virglrenderer for LTS
and figured out that one of the fixed CVEs is not addressed in bullseye
yet.
The CVE fixed is CVE-2022-0135: (#1009073)
To have this CVE also fixed in bullseye, I'm asking for permission to upload a
targeted fix for the next stable point release.
The changes are on this branch:
https://salsa.debian.org/debian/virglrenderer/-/tree/debian/bullseye
namely adding this patch:
https://salsa.debian.org/debian/virglrenderer/-/blob/debian/bullseye/debian/patches/CVE-2022-0135.patch
[ Impact ]
The description of CVE-2022-0135 is:
An out-of-bounds write issue was found in the VirGL virtual OpenGL renderer
(virglrenderer). This flaw allows a malicious guest to create a specially
crafted virgil resource and then issue a VIRTGPU_EXECBUFFER ioctl, leading to a
denial of service or possible code execution.
[ Tests ]
Upstream provides a unit test which covers this CVE.
[ Risks ]
The patch is taken from upstream:
https://gitlab.freedesktop.org/virgl/virglrenderer/-/commit/95e581fd181b213c2ed7cdc63f2abc03eaaa77ec
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
--
tobi
diff -Nru virglrenderer-0.8.2/debian/changelog
virglrenderer-0.8.2/debian/changelog
--- virglrenderer-0.8.2/debian/changelog 2020-12-07 13:38:41.000000000
+0100
+++ virglrenderer-0.8.2/debian/changelog 2022-12-07 17:24:59.000000000
+0100
@@ -1,3 +1,10 @@
+virglrenderer (0.8.2-5+deb11u1) bullseye; urgency=medium
+
+ * Non-maintainer upload by the LTS Security Team.
+ * Cherry-pick upstream fix for CVE-2022-0135. (Closes: #1009073)
+
+ -- Tobias Frost <[email protected]> Wed, 07 Dec 2022 17:24:59 +0100
+
virglrenderer (0.8.2-5) unstable; urgency=medium
[ Christian Ehrhardt ]
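Review bot: The new changelog entry says only "Cherry-pick upstream fix for CVE-2022-0135" and does not name what was added. Since this upload also creates debian/patches/series for the first time, consider naming debian/patches/CVE-2022-0135.patch in the entry so the changelog documents every file the debdiff touches.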
diff -Nru virglrenderer-0.8.2/debian/patches/CVE-2022-0135.patch
virglrenderer-0.8.2/debian/patches/CVE-2022-0135.patch
--- virglrenderer-0.8.2/debian/patches/CVE-2022-0135.patch 1970-01-01
01:00:00.000000000 +0100
+++ virglrenderer-0.8.2/debian/patches/CVE-2022-0135.patch 2022-12-07
17:24:59.000000000 +0100
@@ -0,0 +1,83 @@
+Description: CVE-2022-0135
+ An out-of-bounds write issue was found in the VirGL virtual OpenGL
+ renderer (virglrenderer). This flaw allows a malicious guest to create a
+ specially crafted virgil resource and then issue a VIRTGPU_EXECBUFFER ioctl,
+ leading to a denial of service or possible code execution.
+Origin:
https://gitlab.freedesktop.org/virgl/virglrenderer/-/commit/95e581fd181b213c2ed7cdc63f2abc03eaaa77ec
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1009073
+Last-Update: 2022-12-05 <YYYY-MM-DD, last update of the meta-information,
optional>
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/src/vrend_renderer.c
++++ b/src/vrend_renderer.c
+@@ -7097,8 +7097,11 @@
+ info->box->height) * elsize;
+ if (res->target == GL_TEXTURE_3D ||
+ res->target == GL_TEXTURE_2D_ARRAY ||
++ res->target == GL_TEXTURE_2D_MULTISAMPLE_ARRAY ||
+ res->target == GL_TEXTURE_CUBE_MAP_ARRAY)
+ send_size *= info->box->depth;
++ else if (need_temp && info->box->depth != 1)
++ return EINVAL;
+
+ if (need_temp) {
+ data = malloc(send_size);
+--- a/tests/test_fuzzer_formats.c
++++ b/tests/test_fuzzer_formats.c
+@@ -958,6 +958,48 @@
+ virgl_renderer_submit_cmd((void *) cmd, ctx_id, 0xde);
+ }
+
++/* Test adapted from [email protected]:
++ * https://gitlab.freedesktop.org/virgl/virglrenderer/-/issues/250
++*/
++static void test_vrend_3d_resource_overflow() {
++
++ struct virgl_renderer_resource_create_args resource;
++ resource.handle = 0x4c474572;
++ resource.target = PIPE_TEXTURE_2D_ARRAY;
++ resource.format = VIRGL_FORMAT_Z24X8_UNORM;
++ resource.nr_samples = 2;
++ resource.last_level = 0;
++ resource.array_size = 3;
++ resource.bind = VIRGL_BIND_SAMPLER_VIEW;
++ resource.depth = 1;
++ resource.width = 8;
++ resource.height = 4;
++ resource.flags = 0;
++
++ virgl_renderer_resource_create(&resource, NULL, 0);
++ virgl_renderer_ctx_attach_resource(ctx_id, resource.handle);
++
++ uint32_t size = 0x400;
++ uint32_t cmd[size];
++ int i = 0;
++ cmd[i++] = (size - 1) << 16 | 0 << 8 | VIRGL_CCMD_RESOURCE_INLINE_WRITE;
++ cmd[i++] = resource.handle;
++ cmd[i++] = 0; // level
++ cmd[i++] = 0; // usage
++ cmd[i++] = 0; // stride
++ cmd[i++] = 0; // layer_stride
++ cmd[i++] = 0; // x
++ cmd[i++] = 0; // y
++ cmd[i++] = 0; // z
++ cmd[i++] = 8; // w
++ cmd[i++] = 4; // h
++ cmd[i++] = 3; // d
++ memset(&cmd[i], 0, size - i);
++
++ virgl_renderer_submit_cmd((void *) cmd, ctx_id, size);
++}
++
++
+ int main()
+ {
+ initialize_environment();
+@@ -980,6 +1022,7 @@
+ test_cs_nullpointer_deference();
+ test_vrend_set_signle_abo_heap_overflow();
+
++ test_vrend_3d_resource_overflow();
+
+ virgl_renderer_context_destroy(ctx_id);
+ virgl_renderer_cleanup(&cookie);
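Review bot: In test_vrend_3d_resource_overflow, `memset(&cmd[i], 0, size - i);` passes a count of array elements where memset expects bytes, so only the first size - i bytes after the twelve header words are zeroed and most of the uint32_t cmd[size] array reaches virgl_renderer_submit_cmd uninitialized. Use (size - i) * sizeof(cmd[0]) so the test input is deterministic. Separately, the DEP-3 header still carries the template text "<YYYY-MM-DD, last update of the meta-information, optional>" after the Last-Update date, which should be dropped.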
diff -Nru virglrenderer-0.8.2/debian/patches/series
virglrenderer-0.8.2/debian/patches/series
--- virglrenderer-0.8.2/debian/patches/series 1970-01-01 01:00:00.000000000
+0100
+++ virglrenderer-0.8.2/debian/patches/series 2022-12-07 17:24:59.000000000
+0100
@@ -0,0 +1 @@
+CVE-2022-0135.patch
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 11.6
Hi,
Each of the updates referred to in these requests was included in this
morning's 11.6 point release.
Regards,
Adam
--- End Message ---