1From 5ca7aca001092c557f0b6fc1ba3db7dcdab860b7 Mon Sep 17 00:00:00 2001
2From: Gert Wollny <gert.wollny@collabora.com>
3Date: Tue, 30 Nov 2021 09:29:42 +0100
4Subject: [PATCH 1/2] vrend: clear memory when allocating a host-backed memory
5 resource
6
7Closes: #249
8Signed-off-by: Gert Wollny <gert.wollny@collabora.com>
9Reviewed-by: Chia-I Wu <olvaffe@gmail.com>
10
11cherry-pick from anongit.freedesktop.org/virglrenderer
12commit b05bb61...
13
14CVE: CVE-2022-0175
15Upstream-Status: Backport
16Signed-off-by: Joe Slater <joe.slater@windriver.com>
17
18---
19 src/vrend_renderer.c | 2 +-
20 tests/test_virgl_transfer.c | 51 +++++++++++++++++++++++++++++++++++++
21 2 files changed, 52 insertions(+), 1 deletion(-)
22
23diff --git a/src/vrend_renderer.c b/src/vrend_renderer.c
24index b8b2a36..2650cf2 100644
25--- a/src/vrend_renderer.c
26+++ b/src/vrend_renderer.c
27@@ -6788,7 +6788,7 @@ vrend_resource_alloc_buffer(struct vrend_resource *gr, uint32_t flags)
28 if (bind == VIRGL_BIND_CUSTOM) {
29 /* use iovec directly when attached */
30 gr->storage_bits |= VREND_STORAGE_HOST_SYSTEM_MEMORY;
31- gr->ptr = malloc(size);
32+ gr->ptr = calloc(1, size);
33 if (!gr->ptr)
34 return -ENOMEM;
35 } else if (bind == VIRGL_BIND_STAGING) {
36diff --git a/tests/test_virgl_transfer.c b/tests/test_virgl_transfer.c
37index bf7f438..3c53c3d 100644
38--- a/tests/test_virgl_transfer.c
39+++ b/tests/test_virgl_transfer.c
40@@ -952,6 +952,56 @@ START_TEST(virgl_test_transfer_near_res_bounds_with_stride_succeeds)
41 }
42 END_TEST
43
44+START_TEST(test_vrend_host_backed_memory_no_data_leak)
45+{
46+ struct iovec iovs[1];
47+ int niovs = 1;
48+
49+ struct virgl_context ctx = {0};
50+
51+ int ret = testvirgl_init_ctx_cmdbuf(&ctx);
52+
53+ struct virgl_renderer_resource_create_args res;
54+ res.handle = 0x400;
55+ res.target = PIPE_BUFFER;
56+ res.format = VIRGL_FORMAT_R8_UNORM;
57+ res.nr_samples = 0;
58+ res.last_level = 0;
59+ res.array_size = 1;
60+ res.bind = VIRGL_BIND_CUSTOM;
61+ res.depth = 1;
62+ res.width = 32;
63+ res.height = 1;
64+ res.flags = 0;
65+
66+ uint32_t size = 32;
67+ uint8_t* data = calloc(1, size);
68+ memset(data, 1, 32);
69+ iovs[0].iov_base = data;
70+ iovs[0].iov_len = size;
71+
72+ struct pipe_box box = {0,0,0, size, 1,1};
73+
74+ virgl_renderer_resource_create(&res, NULL, 0);
75+ virgl_renderer_ctx_attach_resource(ctx.ctx_id, res.handle);
76+
77+ ret = virgl_renderer_transfer_read_iov(res.handle, ctx.ctx_id, 0, 0, 0,
78+ (struct virgl_box *)&box, 0, iovs, niovs);
79+
80+ ck_assert_int_eq(ret, 0);
81+
82+ for (int i = 0; i < 32; ++i)
83+ ck_assert_int_eq(data[i], 0);
84+
85+ virgl_renderer_ctx_detach_resource(1, res.handle);
86+
87+ virgl_renderer_resource_unref(res.handle);
88+ free(data);
89+
90+}
91+END_TEST
92+
93+
94 static Suite *virgl_init_suite(void)
95 {
96 Suite *s;
97@@ -981,6 +1031,7 @@ static Suite *virgl_init_suite(void)
98 tcase_add_test(tc_core, virgl_test_transfer_buffer_bad_strides);
99 tcase_add_test(tc_core, virgl_test_transfer_2d_array_bad_layer_stride);
100 tcase_add_test(tc_core, virgl_test_transfer_2d_bad_level);
101+ tcase_add_test(tc_core, test_vrend_host_backed_memory_no_data_leak);
102
103 tcase_add_loop_test(tc_core, virgl_test_transfer_res_read_valid, 0, PIPE_MAX_TEXTURE_TYPES);
104 tcase_add_loop_test(tc_core, virgl_test_transfer_res_write_valid, 0, PIPE_MAX_TEXTURE_TYPES);
105--
1062.25.1
107
108
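Review bot: In src/vrend_renderer.c the new `gr->ptr = calloc(1, size);` in the `VIRGL_BIND_CUSTOM` branch has no comment saying why the zero fill matters, so a later cleanup could turn it back into `malloc` and reintroduce the leak of stale host heap contents. I would put a line above it such as `/* zero-fill: this host memory can be read back by the guest before anything has been written to it */`. The function continues past the end of the hunk (`else if (bind == VIRGL_BIND_STAGING)`), so its other allocation paths are not visible here and are worth checking for the same uninitialised-read exposure.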
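Review bot: In `test_vrend_host_backed_memory_no_data_leak` the result of `testvirgl_init_ctx_cmdbuf(&ctx)` is stored in `ret` and overwritten without being checked, and the return value of `virgl_renderer_resource_create(&res, NULL, 0)` is discarded, so a setup failure would only show up later as a confusing transfer error. Add `ck_assert_int_eq(ret, 0);` right after the init call and assert on the create call in the same way. The detach passes a literal context id, `virgl_renderer_ctx_detach_resource(1, res.handle)`, while the attach uses `ctx.ctx_id`; use `ctx.ctx_id` in both places, and use `size` instead of the repeated literal `32` in the `memset` and the loop. The pre-fix `malloc` may also hand back already-zeroed pages in a fresh test process, so this test can pass without the fix; running the suite under an uninitialised-memory checker would make the regression coverage dependable.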