Hi Seth Arnold,

> Is vrend_set_single_ssbo() being called in the same address space as
> the main() function in your reproducer? Or is it happening in another
> process? Or virtual machine? Or host?

The architecture of the virt-gpu is:

    PoC                  (guest user mode)
------------- /dev/dri/xxxx --------------
    DRM_VIRTIO_GPU     (guest kernel mode)
------------- vring ----------------------
    QEMU
    virglrenderer         (host user mode)
------------------------------------------

The PoC is running in the user mode of the guest, while
vrend_set_single_ssbo() stays in the user mode of the host (in the QEMU
context). So the guest can corrupt memory of the host, and this is a
security bug.

Thanks,
Jun Yao
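The reply above makes the trust boundary explicit: a command built in guest user mode crosses the vring and is decoded in host user mode inside QEMU, so every length, slot index and count in that command is attacker-controlled from the host's point of view. The following is an added example (not virglrenderer's code, and not the bug's actual code path) that shows the arithmetic pattern behind an integer underflow in a command decoder of this shape beside a hardened version. All names, sizes and the command layout (HEADER_WORDS, WORDS_PER_BUFFER, MAX_SHADER_BUFFERS, struct host_ctx, the sample command) are hypothetical constructions for illustration.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical sizes for a host-side per-context slot table; not virglrenderer's. */
#define MAX_SHADER_BUFFERS 32u
#define HEADER_WORDS       2u   /* shader_type, start_slot */
#define WORDS_PER_BUFFER   3u   /* handle, offset, length per entry */

struct ssbo_slot { uint32_t handle, offset, length; };
struct host_ctx  { struct ssbo_slot slots[MAX_SHADER_BUFFERS]; };

enum { DECODE_OK = 0, DECODE_EINVAL = -1 };

/* Illustrative unsafe pattern for this bug class: an unsigned subtraction on a
 * guest-controlled length underflows when length < HEADER_WORDS and yields a
 * huge count, and a naive start + count <= MAX test wraps for large start. */
uint32_t count_from_length_unchecked(uint32_t length_words)
{
    return (length_words - HEADER_WORDS) / WORDS_PER_BUFFER;
}
bool naive_range_ok(uint32_t start_slot, uint32_t count)
{
    return start_slot + count <= MAX_SHADER_BUFFERS;
}

/* Hardened check: every operation is guarded before it is performed, so no
 * value derived from guest input can underflow or wrap. count_out may be NULL. */
bool validate_ssbo_range(uint32_t length_words, uint32_t start_slot,
                         uint32_t *count_out)
{
    if (length_words < HEADER_WORDS)                return false; /* blocks the underflow */
    uint32_t payload = length_words - HEADER_WORDS;
    if (payload == 0 || payload % WORDS_PER_BUFFER) return false; /* malformed payload */
    uint32_t count = payload / WORDS_PER_BUFFER;
    if (start_slot >= MAX_SHADER_BUFFERS)           return false;
    if (count > MAX_SHADER_BUFFERS - start_slot)    return false; /* wrap-free start+count */
    if (count_out) *count_out = count;
    return true;
}

/* Decoder that only touches ctx->slots after validation succeeds. */
int decode_set_shader_buffers(struct host_ctx *ctx, const uint32_t *buf,
                              uint32_t length_words)
{
    uint32_t count;
    if (length_words < HEADER_WORDS) return DECODE_EINVAL; /* header must exist before buf[1] is read */
    uint32_t start_slot = buf[1];
    if (!validate_ssbo_range(length_words, start_slot, &count)) return DECODE_EINVAL;
    for (uint32_t i = 0; i < count; i++) {
        const uint32_t *e = buf + HEADER_WORDS + i * WORDS_PER_BUFFER;
        struct ssbo_slot *s = &ctx->slots[start_slot + i]; /* in bounds by construction */
        s->handle = e[0]; s->offset = e[1]; s->length = e[2];
    }
    return DECODE_OK;
}

/* Constructed sample command (two buffer entries) run through the decoder at a
 * chosen start slot; returns the handle stored at slot start_slot + idx, or -1
 * if the decoder rejected the command. */
long decode_sample_and_read(uint32_t start_slot, uint32_t idx)
{
    uint32_t cmd[HEADER_WORDS + 2 * WORDS_PER_BUFFER] = {
        0 /* shader_type */, 0 /* start_slot, patched below */,
        0x11, 0,   256,    /* entry 0: handle 0x11 */
        0x22, 256, 512 };  /* entry 1: handle 0x22 */
    cmd[1] = start_slot;
    struct host_ctx ctx;
    memset(&ctx, 0, sizeof ctx);
    if (decode_set_shader_buffers(&ctx, cmd, sizeof cmd / sizeof cmd[0]) != DECODE_OK)
        return -1;
    return ctx.slots[start_slot + idx].handle;
}

int main(void)
{
    printf("unchecked count for length 1: %u\n", count_from_length_unchecked(1));
    printf("naive check, start=0xFFFFFFFF count=2: %d\n", naive_range_ok(0xFFFFFFFFu, 2));
    printf("hardened decode at slot 3, entry 1: 0x%lx\n", decode_sample_and_read(3, 1));
    printf("hardened decode at slot 31: %ld\n", decode_sample_and_read(31, 0));
    return 0;
}
```

The point of the contrast is that the unsafe helpers never reject anything: a length of 1 word silently becomes a count of over a billion entries, and a start slot of 0xFFFFFFFF passes the naive sum check after wrapping. The hardened path checks the header length before subtracting, and checks `count` against `MAX - start_slot` instead of computing `start_slot + count`, so each comparison happens on a value that cannot have wrapped.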

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1950941

Title:
  Integer underflow in the vrend_decode_set_shader_buffers() on
  virglrenderer

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/virglrenderer/+bug/1950941/+subscriptions


-- 
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs