Hi Seth Arnold,
> What I'm not sure about is if this is actually a security issue or if
> this is just a bug -- is there actually a security boundary that is
> being breached?
I believe that this is a security issue, which causes OOB writing in the
vrend_set_single_ssbo():
void vrend_set_single_ssbo(struct vrend_context *ctx,
                           uint32_t shader_type,
                           uint32_t index,
                           uint32_t offset, uint32_t length,
                           uint32_t handle)
{
   /* OOB, index > PIPE_MAX_SHADER_BUFFERS */
   struct vrend_ssbo *ssbo = &ctx->sub->ssbo[shader_type][index];
   struct vrend_resource *res;

   if (!has_feature(feat_ssbo))
      return;

   if (handle) {
      res = vrend_renderer_ctx_res_lookup(ctx, handle);
      if (!res) {
         report_context_error(ctx, VIRGL_ERROR_CTX_ILLEGAL_RESOURCE, handle);
         return;
      }
      /* OOB writing */
      ssbo->res = res;
      ssbo->buffer_offset = offset;
      ssbo->buffer_size = length;
      ctx->sub->ssbo_used_mask[shader_type] |= (1u << index);
   }
--
https://bugs.launchpad.net/bugs/1950941
Title:
Integer underflow in the vrend_decode_set_shader_buffers() on
virglrenderer
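The missing validation discussed in the message above, shown as an added example that is not part of the original message and is not virglrenderer's code: a decoder that checks the command length before the unsigned subtraction and bounds the slot range before any array write. The ex_ names, the array sizes and the command word layout are assumptions constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed sizes and layout for the example; not virglrenderer's values. */
#define EX_SHADER_TYPES       6u
#define EX_MAX_SHADER_BUFFERS 16u
#define EX_HDR_WORDS          2u  /* assumed header: shader_type, start_slot */
#define EX_ELEM_WORDS         3u  /* assumed element: offset, length, handle */

struct ex_ssbo { uint32_t offset, length, handle; };

struct ex_ctx {
    struct ex_ssbo ssbo[EX_SHADER_TYPES][EX_MAX_SHADER_BUFFERS];
    uint32_t used_mask[EX_SHADER_TYPES];
};

/* Returns 0 on success, -1 if the guest-supplied words are rejected.
 * Nothing is written to ctx unless every check has passed. */
int ex_decode_set_shader_buffers(struct ex_ctx *ctx,
                                 const uint32_t *buf, uint32_t nwords)
{
    /* Check the length before subtracting: nwords - EX_HDR_WORDS is
     * unsigned and would wrap to a huge count for a short command. */
    if (nwords < EX_HDR_WORDS)
        return -1;
    uint32_t payload = nwords - EX_HDR_WORDS;
    if (payload % EX_ELEM_WORDS != 0)
        return -1;
    uint32_t count = payload / EX_ELEM_WORDS;

    uint32_t shader_type = buf[0];
    uint32_t start_slot = buf[1];
    if (shader_type >= EX_SHADER_TYPES)
        return -1;
    /* Written as two comparisons so start_slot + count cannot wrap. */
    if (start_slot > EX_MAX_SHADER_BUFFERS ||
        count > EX_MAX_SHADER_BUFFERS - start_slot)
        return -1;

    for (uint32_t i = 0; i < count; i++) {
        const uint32_t *e = &buf[EX_HDR_WORDS + i * EX_ELEM_WORDS];
        uint32_t index = start_slot + i;  /* < EX_MAX_SHADER_BUFFERS */
        struct ex_ssbo *s = &ctx->ssbo[shader_type][index];
        s->offset = e[0];
        s->length = e[1];
        s->handle = e[2];
        ctx->used_mask[shader_type] |= (1u << index);
    }
    return 0;
}
```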