[Bug 1950941] Re: Integer underflow in the vrend_decode_set_shader_buffers() on virglrenderer
** Merge proposal unlinked: https://code.launchpad.net/~utkarsh/ubuntu/+source/virglrenderer/+git/virglrenderer/+merge/416057

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1950941

Title:
  Integer underflow in the vrend_decode_set_shader_buffers() on virglrenderer

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/virglrenderer/+bug/1950941/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1950941] Re: Integer underflow in the vrend_decode_set_shader_buffers() on virglrenderer
** Merge proposal linked: https://code.launchpad.net/~utkarsh/ubuntu/+source/virglrenderer/+git/virglrenderer/+merge/416057
[Bug 1950941] Re: Integer underflow in the vrend_decode_set_shader_buffers() on virglrenderer
Hi Seth Arnold,

> Is vrend_set_single_ssbo() being called in the same address space as the main() function in your reproducer? Or is it happening in another process? Or virtual machine? Or host?

The architecture of the virt-gpu is:

  PoC (guest user mode) -- /dev/dri/ -- DRM_VIRTIO_GPU (guest kernel mode) -- vring -- QEMU virglrenderer (host user mode)

The PoC is running in the user mode of the guest, while the vrend_set_single_ssbo() stays in the user mode of the host (in the qemu context). So, the guest can corrupt memory of the host, and this is a security bug.

Thanks,
Jun Yao
[Bug 1950941] Re: Integer underflow in the vrend_decode_set_shader_buffers() on virglrenderer
Thanks Jun, my question is less about the specific line of an array index being used without checking and more about which boundaries are being crossed with the function call:

Is vrend_set_single_ssbo() being called in the same address space as the main() function in your reproducer? Or is it happening in another process? Or virtual machine? Or host?

If the array indexing happens in the same process, then the main() routine could just as well write to different places in memory in its own process without restriction, regardless of this fix.

This fix would be a security fix if the array indexing is happening on the other side of a protection boundary, and I don't understand virgl anywhere near well enough to know that answer.

Thanks
[Bug 1950941] Re: Integer underflow in the vrend_decode_set_shader_buffers() on virglrenderer
Hi Seth Arnold,

> What I'm not sure about is if this is actually a security issue or if this is just a bug -- is there actually a security boundary that is being breached?

I believe that this is a security issue, which causes OOB writing in the vrend_set_single_ssbo():

void vrend_set_single_ssbo(struct vrend_context *ctx,
                           uint32_t shader_type,
                           uint32_t index,
                           uint32_t offset, uint32_t length,
                           uint32_t handle)
{
   /* OOB, index > PIPE_MAX_SHADER_BUFFERS */
   struct vrend_ssbo *ssbo = &ctx->sub->ssbo[shader_type][index];
   struct vrend_resource *res;

   if (!has_feature(feat_ssbo))
      return;

   if (handle) {
      res = vrend_renderer_ctx_res_lookup(ctx, handle);
      if (!res) {
         report_context_error(ctx, VIRGL_ERROR_CTX_ILLEGAL_RESOURCE, handle);
         return;
      }
      /* OOB writing */
      ssbo->res = res;
      ssbo->buffer_offset = offset;
      ssbo->buffer_size = length;
      ctx->sub->ssbo_used_mask[shader_type] |= (1u << index);
   }
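Added illustration, not virglrenderer's code and not part of the bug report: a model of how an integer underflow in a decoder bounds check can let an index past PIPE_MAX_SHADER_BUFFERS reach vrend_set_single_ssbo(), beside the hardened form of the same check. The names start_slot, num_ssbo, the value 32 for PIPE_MAX_SHADER_BUFFERS and the shape of the check are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed value for this illustration: the size of the per-shader
 * ssbo[shader_type][] array that vrend_set_single_ssbo() indexes. */
#define PIPE_MAX_SHADER_BUFFERS 32

/* Underflow-prone form (hypothetical model, not the project's code):
 * num_ssbo is signed, so once it exceeds the array size
 * PIPE_MAX_SHADER_BUFFERS - num_ssbo goes negative; comparing that with the
 * unsigned start_slot converts it to a huge value and the check passes. */
bool range_check_broken(uint32_t start_slot, int num_ssbo)
{
    if (start_slot > PIPE_MAX_SHADER_BUFFERS ||
        start_slot > PIPE_MAX_SHADER_BUFFERS - num_ssbo)
        return false;
    return true;
}

/* Hardened form: the count is unsigned and bounded first, so the subtraction
 * can never wrap and start_slot + num_ssbo <= PIPE_MAX_SHADER_BUFFERS holds
 * for every accepted range. */
bool range_check_fixed(uint32_t start_slot, uint32_t num_ssbo)
{
    if (num_ssbo > PIPE_MAX_SHADER_BUFFERS)
        return false;
    if (start_slot > PIPE_MAX_SHADER_BUFFERS - num_ssbo)
        return false;
    return true;
}

/* Highest index a per-slot loop would hand to vrend_set_single_ssbo() for an
 * accepted (start_slot, num_ssbo) range. */
uint32_t last_slot_index(uint32_t start_slot, uint32_t num_ssbo)
{
    return start_slot + num_ssbo - 1;
}

int main(void)
{
    /* Constructed command parameters: a small start with an oversized count. */
    uint32_t start_slot = 31, count = 40;
    printf("broken check accepts: %d, fixed check accepts: %d, "
           "last index %u (array size %d)\n",
           range_check_broken(start_slot, (int)count),
           range_check_fixed(start_slot, count),
           last_slot_index(start_slot, count), PIPE_MAX_SHADER_BUFFERS);
    return 0;
}
```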
[Bug 1950941] Re: Integer underflow in the vrend_decode_set_shader_buffers() on virglrenderer
Done for Jammy, is anyone doing a check if this is security critical and/or working on test steps for a normal SRU?

** Changed in: virglrenderer (Ubuntu Jammy)
     Assignee: Christian Ehrhardt (paelzer) => (unassigned)

** Tags removed: server-todo
[Bug 1950941] Re: Integer underflow in the vrend_decode_set_shader_buffers() on virglrenderer
This bug was fixed in the package virglrenderer - 0.8.2-5ubuntu1

---------------
virglrenderer (0.8.2-5ubuntu1) jammy; urgency=medium

  * d/p/lp-1950941*: fix out of bounds check (LP: #1950941)

 -- Christian Ehrhardt  Thu, 02 Dec 2021 08:34:48 +0100

** Changed in: virglrenderer (Ubuntu Jammy)
       Status: Triaged => Fix Released
[Bug 1950941] Re: Integer underflow in the vrend_decode_set_shader_buffers() on virglrenderer
PPA: https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/4729/+packages
MP: https://code.launchpad.net/~paelzer/ubuntu/+source/virglrenderer/+git/virglrenderer/+merge/412670

** Tags added: server-todo
[Bug 1950941] Re: Integer underflow in the vrend_decode_set_shader_buffers() on virglrenderer
** Merge proposal linked: https://code.launchpad.net/~paelzer/ubuntu/+source/virglrenderer/+git/virglrenderer/+merge/412670
[Bug 1950941] Re: Integer underflow in the vrend_decode_set_shader_buffers() on virglrenderer
The commit isn't in any upstream release yet (not even 0.9.0 in Debian experimental). It applies cleanly to 0.8.2-5build1 that is in Focal-Jammy. The code isn't present in Bionic at all.

I'll leave Focal-Impish incomplete for Seth's question if there is a security impact. If there is, they will drive this as a security fix, but if there isn't we will need steps to recreate the error to drive a normal SRU [1]. I think we can mark Jammy as triaged and apply it there either way.

[1]: https://wiki.ubuntu.com/StableReleaseUpdates

** Also affects: virglrenderer (Ubuntu Hirsute)
   Importance: Undecided
       Status: New

** Also affects: virglrenderer (Ubuntu Focal)
   Importance: Undecided
       Status: New

** Also affects: virglrenderer (Ubuntu Jammy)
   Importance: Undecided
       Status: Incomplete

** Also affects: virglrenderer (Ubuntu Impish)
   Importance: Undecided
       Status: New

** Also affects: virglrenderer (Ubuntu Bionic)
   Importance: Undecided
       Status: New

** Changed in: virglrenderer (Ubuntu Impish)
       Status: New => Incomplete

** Changed in: virglrenderer (Ubuntu Hirsute)
       Status: New => Incomplete

** Changed in: virglrenderer (Ubuntu Focal)
       Status: New => Incomplete

** Changed in: virglrenderer (Ubuntu Bionic)
       Status: New => Invalid

** Changed in: virglrenderer (Ubuntu Jammy)
       Status: Incomplete => Triaged

** Changed in: virglrenderer (Ubuntu Jammy)
     Assignee: (unassigned) => Christian Ehrhardt (paelzer)

** Changed in: virglrenderer (Ubuntu Impish)
     Assignee: (unassigned) => Ubuntu Security Team (ubuntu-security)

** Changed in: virglrenderer (Ubuntu Hirsute)
     Assignee: (unassigned) => Ubuntu Security Team (ubuntu-security)

** Changed in: virglrenderer (Ubuntu Focal)
     Assignee: (unassigned) => Ubuntu Security Team (ubuntu-security)
[Bug 1950941] Re: Integer underflow in the vrend_decode_set_shader_buffers() on virglrenderer
Aha, excellent find; I've opened this public, since the git commit pretty much spells it out.

What I'm not sure about is if this is actually a security issue or if this is just a bug -- is there actually a security boundary that is being breached?

Thanks

** Information type changed from Private Security to Public Security

** Changed in: virglrenderer (Ubuntu)
       Status: New => Incomplete