Your message dated Sat, 11 Jul 2026 10:32:48 +0000
with message-id <[email protected]>
and subject line Released in 13.6
has caused the Debian Bug report #1140473,
regarding trixie-pu: package mesa/25.0.7-2+deb13u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1140473: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1140473
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:mesa
User: [email protected]
Usertags: pu

Hi,

as part of LTS I was working on fixing CVE-2026-40393,
a out-of-bounds memory access vulnerabilty [1].

The upstream patch are these two commits:
https://gitlab.freedesktop.org/mesa/mesa/-/commit/978fd42b4b7d1e9c0435ffa7e1a4d339cba9b76e
 (mesa-26.0.1)
https://gitlab.freedesktop.org/mesa/mesa/-/commit/45ce75f3bcd638dcf7daae09f9bf0b7c015b81c4
 (mesa-26.0.1)
The patches mostly applied cleanly -- only .pick_status.json and the
include sections of the patches needed rework, as the set of includes
were different at the trixie version. 

Additionally, the helper-macro STACK_ARRAY had to be backported.
(Technically this macro exists already in another file in the version in trixie,
in the file src/vulkan/util/vk_util.h, however, I've choosen to have it
in a dedicated file as the vk_util.h pulls in a lots of extra stuff by
it's includes)

I've tested the patches in a trixie VM; mesa's test suite is happy too
and I've also (as upstream suggested) tested the patches with piglit
[2], also happy. (upstream suggests dEQP, however, I couldn't get this
working at all.)

I've reached out the the mesa maintainers for an RFC, hoewever, I didn't
get any response.

The maintainers git repo had also a commit targeting #1116427 authored
by josch. I've choosen not to apply that patch and have a CVE-dediated
update (I can't test on ARM Mali G52 arch, I don't have the hardware)


[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

I'll also propose a update for bookworm to mitigate this CVE.

[1] https://deb.freexian.com/extended-lts/tracker/CVE-2026-40393
[2] https://docs.mesa3d.org/submittingpatches.html#testing-patches

-- 
tobi
diff -Nru mesa-25.0.7/debian/changelog mesa-25.0.7/debian/changelog
--- mesa-25.0.7/debian/changelog        2025-06-17 11:07:43.000000000 +0200
+++ mesa-25.0.7/debian/changelog        2026-06-19 21:20:06.000000000 +0200
@@ -1,3 +1,12 @@
+mesa (25.0.7-2+deb13u1) trixie; urgency=high
+
+  * Non-maintainer upload by the LTS Team.
+  * Backport patch for CVE-2026-40393:
+    - backport support function STACK_ARRAY, cherry-pick file from upstream.
+    - backport commits fixing the issue
+
+ -- Tobias Frost <[email protected]>  Fri, 19 Jun 2026 21:20:06 +0200
+
 mesa (25.0.7-2) unstable; urgency=medium
 
   * patches: Revert a commit to fix mobian vm's. (Closes: #1107895)
diff -Nru mesa-25.0.7/debian/patches/backport_STACK_ARRAY.patch 
mesa-25.0.7/debian/patches/backport_STACK_ARRAY.patch
--- mesa-25.0.7/debian/patches/backport_STACK_ARRAY.patch       1970-01-01 
01:00:00.000000000 +0100
+++ mesa-25.0.7/debian/patches/backport_STACK_ARRAY.patch       2026-06-19 
21:20:06.000000000 +0200
@@ -0,0 +1,54 @@
+Description: backport macro STACK_ARRAY, needed for fix for CVE-226-40393
+Origin: 
https://gitlab.freedesktop.org/mesa/mesa/-/blob/f43cff3728e58c377d1e03b13db62514217abfe1/src/util/stack_array.h
+Forwarded: not-needed
+Last-Update: 2026-05-25 <YYYY-MM-DD, last update of the meta-information, 
optional>
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- /dev/null
++++ b/src/util/stack_array.h
+@@ -0,0 +1,45 @@
++/*
++ * Copyright © 2025 Collabora, Ltd.
++ *
++ * Permission is hereby granted, free of charge, to any person obtaining a
++ * copy of this software and associated documentation files (the "Software"),
++ * to deal in the Software without restriction, including without limitation
++ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
++ * and/or sell copies of the Software, and to permit persons to whom the
++ * Software is furnished to do so, subject to the following conditions:
++ *
++ * The above copyright notice and this permission notice (including the next
++ * paragraph) shall be included in all copies or substantial portions of the
++ * Software.
++ *
++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
++ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
++ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL
++ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
++ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
++ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER 
DEALINGS
++ * IN THE SOFTWARE.
++ */
++
++#include <stdlib.h>
++
++#ifndef UTIL_STACK_ARRAY_H
++#define UTIL_STACK_ARRAY_H
++
++#define STACK_ARRAY_SIZE 8
++
++/* Sometimes gcc may claim -Wmaybe-uninitialized for the stack array in some
++ * places it can't verify that when size is 0 nobody down the call chain reads
++ * the array. Please don't try to fix it by zero-initializing the array here
++ * since it's used in a lot of different places. An "if (size == 0) return;"
++ * may work for you.
++ */
++#define STACK_ARRAY(type, name, size) \
++   type _stack_##name[STACK_ARRAY_SIZE]; \
++   type *const name = \
++     ((size) <= STACK_ARRAY_SIZE ? _stack_##name : (type *)malloc((size) * 
sizeof(type)))
++
++#define STACK_ARRAY_FINISH(name) \
++   if (name != _stack_##name) free(name)
++
++#endif /* UTIL_STACK_ARRAY_H */
diff -Nru mesa-25.0.7/debian/patches/CVE-2026-40393-part1.patch 
mesa-25.0.7/debian/patches/CVE-2026-40393-part1.patch
--- mesa-25.0.7/debian/patches/CVE-2026-40393-part1.patch       1970-01-01 
01:00:00.000000000 +0100
+++ mesa-25.0.7/debian/patches/CVE-2026-40393-part1.patch       2026-06-19 
21:20:06.000000000 +0200
@@ -0,0 +1,101 @@
+Description: CVE-2026-40393 part 1 - out-of-bounds memory access in WebGPU
+Origin: 
https://gitlab.freedesktop.org/mesa/mesa/-/commit/978fd42b4b7d1e9c0435ffa7e1a4d339cba9b76e
+
+From 978fd42b4b7d1e9c0435ffa7e1a4d339cba9b76e Mon Sep 17 00:00:00 2001
+From: Ian Romanick <[email protected]>
+Date: Fri, 23 Jan 2026 09:58:26 -0800
+Subject: [PATCH] spirv: Use STACK_ARRAY instead of NIR_VLA
+
+The number of fields comes from the shader, so it could be a value large
+enough that using alloca would be problematic.
+
+Fixes: 2a023f30a64 ("nir/spirv: Add basic support for types")
+Reviewed-by: Caio Oliveira <[email protected]>
+Reviewed-by: Ryan Neph <[email protected]>
+Reviewed-by: Lionel Landwerlin <[email protected]>
+(cherry picked from commit 3da828d2dd12e20ba2afc152db8d7236c7a48c13)
+
+Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/40092>
+---
+ .pick_status.json                 |  2 +-
+ src/compiler/spirv/spirv_to_nir.c | 27 +++++++++++++++++----------
+ 2 files changed, 18 insertions(+), 11 deletions(-)
+
+--- a/src/compiler/spirv/spirv_to_nir.c
++++ b/src/compiler/spirv/spirv_to_nir.c
+@@ -27,7 +27,6 @@
+ 
+ #include "glsl_types.h"
+ #include "vtn_private.h"
+-#include "nir/nir_vla.h"
+ #include "nir/nir_control_flow.h"
+ #include "nir/nir_constant_expressions.h"
+ #include "nir/nir_deref.h"
+@@ -38,6 +37,7 @@
+ #include "util/u_string.h"
+ #include "util/u_debug.h"
+ #include "util/mesa-blake3.h"
++#include "util/stack_array.h"
+ 
+ #include <stdio.h>
+ 
+@@ -1228,7 +1228,7 @@
+       case vtn_base_type_struct: {
+          bool need_new_struct = false;
+          const uint32_t num_fields = type->length;
+-         NIR_VLA(struct glsl_struct_field, fields, num_fields);
++         STACK_ARRAY(struct glsl_struct_field, fields, num_fields);
+          for (unsigned i = 0; i < num_fields; i++) {
+             fields[i] = *glsl_get_struct_field_data(type->type, i);
+             const struct glsl_type *field_nir_type =
+@@ -1238,20 +1238,25 @@
+                need_new_struct = true;
+             }
+          }
++
++         const struct glsl_type *result;
+          if (need_new_struct) {
+             if (glsl_type_is_interface(type->type)) {
+-               return glsl_interface_type(fields, num_fields,
+-                                          /* packing */ 0, false,
+-                                          glsl_get_type_name(type->type));
++               result = glsl_interface_type(fields, num_fields,
++                                            /* packing */ 0, false,
++                                            glsl_get_type_name(type->type));
+             } else {
+-               return glsl_struct_type(fields, num_fields,
+-                                       glsl_get_type_name(type->type),
+-                                       
glsl_struct_type_is_packed(type->type));
++               result = glsl_struct_type(fields, num_fields,
++                                         glsl_get_type_name(type->type),
++                                         
glsl_struct_type_is_packed(type->type));
+             }
+          } else {
+             /* No changes, just pass it on */
+-            return type->type;
++            result = type->type;
+          }
++
++         STACK_ARRAY_FINISH(fields);
++         return result;
+       }
+ 
+       case vtn_base_type_image:
+@@ -1868,7 +1873,7 @@
+       val->type->offsets = vtn_alloc_array(b, unsigned, num_fields);
+       val->type->packed = false;
+ 
+-      NIR_VLA(struct glsl_struct_field, fields, count);
++      STACK_ARRAY(struct glsl_struct_field, fields, count);
+       for (unsigned i = 0; i < num_fields; i++) {
+          val->type->members[i] = vtn_get_type(b, w[i + 2]);
+          const char *name = NULL;
+@@ -1924,6 +1929,8 @@
+                                             name ? name : "struct",
+                                             val->type->packed);
+       }
++
++      STACK_ARRAY_FINISH(fields);
+       break;
+    }
+ 
diff -Nru mesa-25.0.7/debian/patches/CVE-2026-40393-part2.patch 
mesa-25.0.7/debian/patches/CVE-2026-40393-part2.patch
--- mesa-25.0.7/debian/patches/CVE-2026-40393-part2.patch       1970-01-01 
01:00:00.000000000 +0100
+++ mesa-25.0.7/debian/patches/CVE-2026-40393-part2.patch       2026-06-19 
21:20:06.000000000 +0200
@@ -0,0 +1,51 @@
+Description: CVE-2026-40393 part 2 - out-of-bounds memory access in WebGPU
+Origin: 
https://gitlab.freedesktop.org/mesa/mesa/-/commit/978fd42b4b7d1e9c0435ffa7e1a4d339cba9b76e
+
+From 45ce75f3bcd638dcf7daae09f9bf0b7c015b81c4 Mon Sep 17 00:00:00 2001
+From: Ian Romanick <[email protected]>
+Date: Fri, 23 Jan 2026 10:07:27 -0800
+Subject: [PATCH] nir: Use STACK_ARRAY instead of NIR_VLA
+
+The number of fields comes from the shader, so it could be a value large
+enough that using alloca would be problematic.
+
+Fixes: c11833ab24d ("nir,spirv: Rework function calls")
+Reviewed-by: Caio Oliveira <[email protected]>
+Reviewed-by: Ryan Neph <[email protected]>
+Reviewed-by: Lionel Landwerlin <[email protected]>
+(cherry picked from commit 9017d37e84771f921a63676dd8b955df9ef20f29)
+
+Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/40092>
+---
+ .pick_status.json                | 2 +-
+ src/compiler/nir/nir_functions.c | 5 +++--
+ 2 files changed, 4 insertions(+), 3 deletions(-)
+
+--- a/src/compiler/nir/nir_functions.c
++++ b/src/compiler/nir/nir_functions.c
+@@ -22,9 +22,9 @@
+  */
+ 
+ #include "nir.h"
++#include "util/stack_array.h"
+ #include "nir_builder.h"
+ #include "nir_control_flow.h"
+-#include "nir_vla.h"
+ 
+ /*
+  * TODO: write a proper inliner for GPUs.
+@@ -228,12 +228,13 @@
+     * to an SSA value first.
+     */
+    const unsigned num_params = call->num_params;
+-   NIR_VLA(nir_def *, params, num_params);
++   STACK_ARRAY(nir_def *, params, num_params);
+    for (unsigned i = 0; i < num_params; i++) {
+       params[i] = call->params[i].ssa;
+    }
+ 
+    nir_inline_function_impl(b, call->callee->impl, params, NULL);
++   STACK_ARRAY_FINISH(params);
+    return true;
+ }
+ 
diff -Nru mesa-25.0.7/debian/patches/series mesa-25.0.7/debian/patches/series
--- mesa-25.0.7/debian/patches/series   2025-06-17 09:05:41.000000000 +0200
+++ mesa-25.0.7/debian/patches/series   2026-06-19 21:20:06.000000000 +0200
@@ -4,3 +4,6 @@
 etnaviv-add-support-for-texelfetch.patch
 Revert-hasvk-elk-stop-turning-load_push_constants-in.patch
 kopper-Revert-kopper-Explicitly-choose-zink.patch
+backport_STACK_ARRAY.patch
+CVE-2026-40393-part1.patch
+CVE-2026-40393-part2.patch

--- End Message ---
--- Begin Message ---
Version: 13.6

This update was released as part of 13.6.

--- End Message ---

Reply via email to