Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:mesa
User: [email protected]
Usertags: pu
Hi,

as part of LTS I was working on fixing CVE-2026-40393, an out-of-bounds memory access vulnerability [1]. The upstream patches are these two commits:

https://gitlab.freedesktop.org/mesa/mesa/-/commit/978fd42b4b7d1e9c0435ffa7e1a4d339cba9b76e (mesa-26.0.1)
https://gitlab.freedesktop.org/mesa/mesa/-/commit/45ce75f3bcd638dcf7daae09f9bf0b7c015b81c4 (mesa-26.0.1)

The patches mostly applied cleanly -- only .pick_status.json and the include sections of the patches needed rework, as the set of includes was different in the trixie version. Additionally, the helper macro STACK_ARRAY had to be backported. (Technically this macro already exists in another file in the version in trixie, src/vulkan/util/vk_util.h; however, I've chosen to have it in a dedicated file as vk_util.h pulls in a lot of extra stuff via its includes.)

I've tested the patches in a trixie VM; mesa's test suite is happy too and I've also (as upstream suggested) tested the patches with piglit [2], also happy. (Upstream suggests dEQP, however, I couldn't get this working at all.)

I've reached out to the mesa maintainers for an RFC, however, I didn't get any response.

The maintainers' git repo also had a commit targeting #1116427 authored by josch. I've chosen not to apply that patch and have a CVE-dedicated update (I can't test on ARM Mali G52 arch, I don't have the hardware).

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

I'll also propose an update for bookworm to mitigate this CVE.

[1] https://deb.freexian.com/extended-lts/tracker/CVE-2026-40393
[2] https://docs.mesa3d.org/submittingpatches.html#testing-patches

--
tobi
diff -Nru mesa-25.0.7/debian/changelog mesa-25.0.7/debian/changelog --- mesa-25.0.7/debian/changelog 2025-06-17 11:07:43.000000000 +0200 +++ mesa-25.0.7/debian/changelog 2026-06-19 21:20:06.000000000 +0200 @@ -1,3 +1,12 @@ +mesa (25.0.7-2+deb13u1) trixie; urgency=high + + * Non-maintainer upload by the LTS Team. + * Backport patch for CVE-2026-40393: + - backport support function STACK_ARRAY, cherry-pick file from upstream. + - backport commits fixing the issue + + -- Tobias Frost <[email protected]> Fri, 19 Jun 2026 21:20:06 +0200 + mesa (25.0.7-2) unstable; urgency=medium * patches: Revert a commit to fix mobian vm's. (Closes: #1107895) diff -Nru mesa-25.0.7/debian/patches/backport_STACK_ARRAY.patch mesa-25.0.7/debian/patches/backport_STACK_ARRAY.patch --- mesa-25.0.7/debian/patches/backport_STACK_ARRAY.patch 1970-01-01 01:00:00.000000000 +0100 +++ mesa-25.0.7/debian/patches/backport_STACK_ARRAY.patch 2026-06-19 21:20:06.000000000 +0200 
@@ -0,0 +1,54 @@ +Description: backport macro STACK_ARRAY, needed for fix for CVE-226-40393 +Origin: https://gitlab.freedesktop.org/mesa/mesa/-/blob/f43cff3728e58c377d1e03b13db62514217abfe1/src/util/stack_array.h +Forwarded: not-needed +Last-Update: 2026-05-25 <YYYY-MM-DD, last update of the meta-information, optional> +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- /dev/null ++++ b/src/util/stack_array.h +@@ -0,0 +1,45 @@ ++/* ++ * Copyright © 2025 Collabora, Ltd. ++ * ++ * Permission is hereby granted, free of charge, to any person obtaining a ++ * copy of this software and associated documentation files (the "Software"), ++ * to deal in the Software without restriction, including without limitation ++ * the rights to use, copy, modify, merge, publish, distribute, sublicense, ++ * and/or sell copies of the Software, and to permit persons to whom the ++ * Software is furnished to do so, subject to the following conditions: ++ * ++ * The above copyright notice and this permission notice (including the next ++ * paragraph) shall be included in all copies or substantial portions of the ++ * Software. ++ * ++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR ++ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, ++ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL ++ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER ++ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING ++ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS ++ * IN THE SOFTWARE. ++ */ ++ ++#include <stdlib.h> ++ ++#ifndef UTIL_STACK_ARRAY_H ++#define UTIL_STACK_ARRAY_H ++ ++#define STACK_ARRAY_SIZE 8 ++ ++/* Sometimes gcc may claim -Wmaybe-uninitialized for the stack array in some ++ * places it can't verify that when size is 0 nobody down the call chain reads ++ * the array. 
Please don't try to fix it by zero-initializing the array here ++ * since it's used in a lot of different places. An "if (size == 0) return;" ++ * may work for you. ++ */ ++#define STACK_ARRAY(type, name, size) \ ++ type _stack_##name[STACK_ARRAY_SIZE]; \ ++ type *const name = \ ++ ((size) <= STACK_ARRAY_SIZE ? _stack_##name : (type *)malloc((size) * sizeof(type))) ++ ++#define STACK_ARRAY_FINISH(name) \ ++ if (name != _stack_##name) free(name) ++ ++#endif /* UTIL_STACK_ARRAY_H */ diff -Nru mesa-25.0.7/debian/patches/CVE-2026-40393-part1.patch mesa-25.0.7/debian/patches/CVE-2026-40393-part1.patch --- mesa-25.0.7/debian/patches/CVE-2026-40393-part1.patch 1970-01-01 01:00:00.000000000 +0100 +++ mesa-25.0.7/debian/patches/CVE-2026-40393-part1.patch 2026-06-19 21:20:06.000000000 +0200 
@@ -0,0 +1,101 @@ +Description: CVE-2026-40393 part 1 - out-of-bounds memory access in WebGPU +Origin: https://gitlab.freedesktop.org/mesa/mesa/-/commit/978fd42b4b7d1e9c0435ffa7e1a4d339cba9b76e + +From 978fd42b4b7d1e9c0435ffa7e1a4d339cba9b76e Mon Sep 17 00:00:00 2001 +From: Ian Romanick <[email protected]> +Date: Fri, 23 Jan 2026 09:58:26 -0800 +Subject: [PATCH] spirv: Use STACK_ARRAY instead of NIR_VLA + +The number of fields comes from the shader, so it could be a value large +enough that using alloca would be problematic. + +Fixes: 2a023f30a64 ("nir/spirv: Add basic support for types") +Reviewed-by: Caio Oliveira <[email protected]> +Reviewed-by: Ryan Neph <[email protected]> +Reviewed-by: Lionel Landwerlin <[email protected]> +(cherry picked from commit 3da828d2dd12e20ba2afc152db8d7236c7a48c13) + +Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/40092> +--- + .pick_status.json | 2 +- + src/compiler/spirv/spirv_to_nir.c | 27 +++++++++++++++++---------- + 2 files changed, 18 insertions(+), 11 deletions(-) + +--- a/src/compiler/spirv/spirv_to_nir.c ++++ b/src/compiler/spirv/spirv_to_nir.c +@@ -27,7 +27,6 @@ + + #include "glsl_types.h" + #include "vtn_private.h" +-#include "nir/nir_vla.h" + #include "nir/nir_control_flow.h" + #include "nir/nir_constant_expressions.h" + #include "nir/nir_deref.h" +@@ -38,6 +37,7 @@ + #include "util/u_string.h" + #include "util/u_debug.h" + #include "util/mesa-blake3.h" ++#include "util/stack_array.h" + + #include <stdio.h> + +@@ -1228,7 +1228,7 @@ + case vtn_base_type_struct: { + bool need_new_struct = false; + const uint32_t num_fields = type->length; +- NIR_VLA(struct glsl_struct_field, fields, num_fields); ++ STACK_ARRAY(struct glsl_struct_field, fields, num_fields); + for (unsigned i = 0; i < num_fields; i++) { + fields[i] = *glsl_get_struct_field_data(type->type, i); + const struct glsl_type *field_nir_type = +@@ -1238,20 +1238,25 @@ + need_new_struct = true; + } + } ++ ++ const struct glsl_type *result; + if 
(need_new_struct) { + if (glsl_type_is_interface(type->type)) { +- return glsl_interface_type(fields, num_fields, +- /* packing */ 0, false, +- glsl_get_type_name(type->type)); ++ result = glsl_interface_type(fields, num_fields, ++ /* packing */ 0, false, ++ glsl_get_type_name(type->type)); + } else { +- return glsl_struct_type(fields, num_fields, +- glsl_get_type_name(type->type), +- glsl_struct_type_is_packed(type->type)); ++ result = glsl_struct_type(fields, num_fields, ++ glsl_get_type_name(type->type), ++ glsl_struct_type_is_packed(type->type)); + } + } else { + /* No changes, just pass it on */ +- return type->type; ++ result = type->type; + } ++ ++ STACK_ARRAY_FINISH(fields); ++ return result; + } + + case vtn_base_type_image: +@@ -1868,7 +1873,7 @@ + val->type->offsets = vtn_alloc_array(b, unsigned, num_fields); + val->type->packed = false; + +- NIR_VLA(struct glsl_struct_field, fields, count); ++ STACK_ARRAY(struct glsl_struct_field, fields, count); + for (unsigned i = 0; i < num_fields; i++) { + val->type->members[i] = vtn_get_type(b, w[i + 2]); + const char *name = NULL; +@@ -1924,6 +1929,8 @@ + name ? name : "struct", + val->type->packed); + } ++ ++ STACK_ARRAY_FINISH(fields); + break; + } + diff -Nru mesa-25.0.7/debian/patches/CVE-2026-40393-part2.patch mesa-25.0.7/debian/patches/CVE-2026-40393-part2.patch --- mesa-25.0.7/debian/patches/CVE-2026-40393-part2.patch 1970-01-01 01:00:00.000000000 +0100 +++ mesa-25.0.7/debian/patches/CVE-2026-40393-part2.patch 2026-06-19 21:20:06.000000000 +0200 
@@ -0,0 +1,51 @@ +Description: CVE-2026-40393 part 2 - out-of-bounds memory access in WebGPU +Origin: https://gitlab.freedesktop.org/mesa/mesa/-/commit/978fd42b4b7d1e9c0435ffa7e1a4d339cba9b76e + +From 45ce75f3bcd638dcf7daae09f9bf0b7c015b81c4 Mon Sep 17 00:00:00 2001 +From: Ian Romanick <[email protected]> +Date: Fri, 23 Jan 2026 10:07:27 -0800 +Subject: [PATCH] nir: Use STACK_ARRAY instead of NIR_VLA + +The number of fields comes from the shader, so it could be a value large +enough that using alloca would be problematic. + +Fixes: c11833ab24d ("nir,spirv: Rework function calls") +Reviewed-by: Caio Oliveira <[email protected]> +Reviewed-by: Ryan Neph <[email protected]> +Reviewed-by: Lionel Landwerlin <[email protected]> +(cherry picked from commit 9017d37e84771f921a63676dd8b955df9ef20f29) + +Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/40092> +--- + .pick_status.json | 2 +- + src/compiler/nir/nir_functions.c | 5 +++-- + 2 files changed, 4 insertions(+), 3 deletions(-) + +--- a/src/compiler/nir/nir_functions.c ++++ b/src/compiler/nir/nir_functions.c +@@ -22,9 +22,9 @@ + */ + + #include "nir.h" ++#include "util/stack_array.h" + #include "nir_builder.h" + #include "nir_control_flow.h" +-#include "nir_vla.h" + + /* + * TODO: write a proper inliner for GPUs. +@@ -228,12 +228,13 @@ + * to an SSA value first. + */ + const unsigned num_params = call->num_params; +- NIR_VLA(nir_def *, params, num_params); ++ STACK_ARRAY(nir_def *, params, num_params); + for (unsigned i = 0; i < num_params; i++) { + params[i] = call->params[i].ssa; + } + + nir_inline_function_impl(b, call->callee->impl, params, NULL); ++ STACK_ARRAY_FINISH(params); + return true; + } + diff -Nru mesa-25.0.7/debian/patches/series mesa-25.0.7/debian/patches/series --- mesa-25.0.7/debian/patches/series 2025-06-17 09:05:41.000000000 +0200 +++ mesa-25.0.7/debian/patches/series 2026-06-19 21:20:06.000000000 +0200 
@@ -4,3 +4,6 @@ etnaviv-add-support-for-texelfetch.patch Revert-hasvk-elk-stop-turning-load_push_constants-in.patch kopper-Revert-kopper-Explicitly-choose-zink.patch +backport_STACK_ARRAY.patch +CVE-2026-40393-part1.patch +CVE-2026-40393-part2.patch
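Review bot: the DEP-3 header of backport_STACK_ARRAY.patch has the CVE id mistyped as `CVE-226-40393` in the Description line, and the `Last-Update:` line still carries the template remark `<YYYY-MM-DD, last update of the meta-information, optional>` followed by the `This patch header follows DEP-3: http://dep.debian.net/deps/dep3/` template line; reduce it to `Last-Update: 2026-05-25` and drop the template text before upload. The header file itself matches the upstream file (including `#include <stdlib.h>` placed above the include guard, which is harmless), so no change there; note for reviewers that `STACK_ARRAY` does not check the `malloc` result, exactly as upstream, so callers with more than `STACK_ARRAY_SIZE` (8) elements get a NULL pointer on allocation failure rather than the unbounded alloca the fix removes.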
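Review bot: in CVE-2026-40393-part1.patch the diffstat still lists `.pick_status.json | 2 +-` and `2 files changed, 18 insertions(+), 11 deletions(-)`, but the backport carries only the `src/compiler/spirv/spirv_to_nir.c` hunks (the report says the .pick_status.json hunk was dropped), so the stat block should be trimmed to match what the patch applies. The code hunks are sound: the first one (@@ -1228/-1238) replaces the three early `return`s with a `result` variable so that `STACK_ARRAY_FINISH(fields)` runs on every path; the second one (@@ -1868/-1924) keeps upstream's `STACK_ARRAY(struct glsl_struct_field, fields, count)` with a loop bounded by `num_fields` and frees with a single `STACK_ARRAY_FINISH(fields)` before `break`, so any early exit between those two points in the 25.0.7 function body would leak the heap buffer taken when the count exceeds 8; worth confirming against the full function since the hunk context does not show it.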
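Review bot: the `Origin:` line of CVE-2026-40393-part2.patch points at commit 978fd42b4b7d1e9c0435ffa7e1a4d339cba9b76e, which is the part 1 commit; the embedded `From 45ce75f3bcd638dcf7daae09f9bf0b7c015b81c4` line and the bug report identify this change as 45ce75f3bcd638dcf7daae09f9bf0b7c015b81c4, so the Origin URL should be https://gitlab.freedesktop.org/mesa/mesa/-/commit/45ce75f3bcd638dcf7daae09f9bf0b7c015b81c4. The same stale `.pick_status.json | 2 +-` diffstat line as in part 1 applies here. The `src/compiler/nir/nir_functions.c` hunk is fine as backported: `STACK_ARRAY_FINISH(params)` sits directly before the only `return true` after `nir_inline_function_impl`, and `util/stack_array.h` is included where `nir_vla.h` was removed.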

