debian/changelog | 6 ++++++
src/mesa/drivers/dri/i965/brw_fs.cpp | 15 ++++++++++++++-
src/mesa/drivers/dri/i965/brw_fs.h | 4 ++++
3 files changed, 24 insertions(+), 1 deletion(-)
New commits:
commit cbb2e666056321eeec9ab452f44fb1a5f2041f4c
Author: Julien Cristau <[email protected]>
Date: Wed Jun 5 16:02:00 2013 +0200
Upload to unstable
diff --git a/debian/changelog b/debian/changelog
index ed6f909..51f7451 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+mesa (8.0.5-7) sid; urgency=high
+
+ * Memory corruption (OOB read/write) in i965 driver [CVE-2013-1872]
+
+ -- Julien Cristau <[email protected]> Wed, 05 Jun 2013 16:00:42 +0200
+
 mesa (8.0.5-6) sid; urgency=high
 
 * integer overflows calculating memory needs for replies [CVE-2013-1993]
commit 2a1c64f4937e19d7eb471f0518d158dd34d3c8f6
Author: Dave Airlie <[email protected]>
Date: Thu May 30 20:21:56 2013 +1000
i965: fix problem with constant out of bounds access (v3)
Okay I now understand why Frank would want to run away, this is my attempt at fixing the CVE out of bounds access to constants outside the range. This attempt converts any illegal constants to constant 0 as per the GL spec, and is undefined behaviour. A future patch should add some debug for users to find this out, but this needs to be backported to stable branches. CVE-2013-1872 v2: drop the last hunk which was a separate fix (now in master). hopefully fix the indentations. v3: don't fail piglit, the whole 8/16 dispatch stuff was over my head, and I spent a while figuring it out, but this one is definitely safe, one piglit pass extra on my Ironlake. NOTE: This is a candidate for stable branches. Signed-off-by: Dave Airlie <[email protected]> [jcristau: backport to 8.0: fs_visitor::fs_visitor is in brw_fs.h]
diff --git a/src/mesa/drivers/dri/i965/brw_fs.cpp b/src/mesa/drivers/dri/i965/brw_fs.cpp
index acb870c..6170d20 100644
--- a/src/mesa/drivers/dri/i965/brw_fs.cpp
+++ b/src/mesa/drivers/dri/i965/brw_fs.cpp
@@ -250,6 +250,7 @@ fs_visitor::import_uniforms(fs_visitor *v)
 import_uniforms_callback,
 variable_ht);
 this->params_remap = v->params_remap;
+ this->nr_params_remap = v->nr_params_remap;
 }
 
 /* Our support for uniforms is piggy-backed on the struct
@@ -847,6 +848,7 @@ fs_visitor::remove_dead_constants()
 {
 if (c->dispatch_width == 8) {
 this->params_remap = ralloc_array(mem_ctx, int, c->prog_data.nr_params);
+ this->nr_params_remap = c->prog_data.nr_params;
 
 for (unsigned int i = 0; i < c->prog_data.nr_params; i++)
 this->params_remap[i] = -1;
@@ -861,7 +863,14 @@ fs_visitor::remove_dead_constants()
 if (inst->src[i].file != UNIFORM)
 continue;
 
- assert(constant_nr < (int)c->prog_data.nr_params);
+ /* Section 5.11 of the OpenGL 4.3 spec says:
+ *
+ * "Out-of-bounds reads return undefined values, which include
+ * values from other variables of the active program or zero."
+ */
+ if (constant_nr < 0 || constant_nr >= (int)c->prog_data.nr_params) {
+ constant_nr = 0;
+ }
 
 /* For now, set this to non-negative. We'll give it the
 * actual new number in a moment, in order to keep the
@@ -913,6 +922,10 @@ fs_visitor::remove_dead_constants()
 if (inst->src[i].file != UNIFORM)
 continue;
 
+ /* as above alias to 0 */
+ if (constant_nr < 0 || constant_nr >= (int)this->nr_params_remap) {
+ constant_nr = 0;
+ }
 assert(this->params_remap[constant_nr] != -1);
 inst->src[i].reg = this->params_remap[constant_nr];
 inst->src[i].reg_offset = 0;
diff --git a/src/mesa/drivers/dri/i965/brw_fs.h b/src/mesa/drivers/dri/i965/brw_fs.h
index 798afa1..7c1ccf3 100644
--- a/src/mesa/drivers/dri/i965/brw_fs.h
+++ b/src/mesa/drivers/dri/i965/brw_fs.h
@@ -425,6 +425,7 @@ public:
 this->live_intervals_valid = false;
 
 this->params_remap = NULL;
+ this->nr_params_remap = 0;
 
 this->kill_emitted = false;
 this->force_uncompressed_stack = 0;
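Review bot: Redirecting an out-of-range constant_nr to index 0 in the `@@ -861,7 +863,14 @@` hunk only restores bounds safety when the params array has at least one entry; if `c->prog_data.nr_params` is 0, the rewritten index 0 still fails the `constant_nr >= (int)c->prog_data.nr_params` test, so the later `params_remap[constant_nr]` accesses (visible in the `@@ -913,6 +922,10 @@` hunk; the write after the "set this to non-negative" comment lies outside the first hunk) remain out of range. The `@@ -913` hunk has the same gap with `this->nr_params_remap`, which the brw_fs.h hunk initialises to 0. Make the assumption explicit rather than implicit, for instance `assert(c->prog_data.nr_params > 0);` immediately before the aliasing check and the matching `assert(this->nr_params_remap > 0);` in the second hunk, or skip the instruction with `continue` when there is nothing to remap. Whether a UNIFORM source can occur with zero params is not visible here; constant_nr is computed above the hunk, and the enclosing loop of remove_dead_constants starts and ends outside it.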
@@ -617,6 +618,7 @@ public:
 * uniform index.
 */
 int *params_remap;
+ int nr_params_remap;
 
 struct hash_table *variable_ht;
 ir_variable *frag_depth;
commit 46240e39c949f1c28cc5bb71ad90fdc69bf30b0c
Author: Frank Henigman <[email protected]>
Date: Mon Jan 28 20:06:59 2013 -0500
intel: initialize fs_visitor::params_remap in constructor
Set fs_visitor::params_remap to NULL in the constructor. This variable was potentially tested in fs_visitor::remove_dead_constants() before being set. NOTE: This is a candidate for stable release branches. Signed-off-by: Frank Henigman <[email protected]> Reviewed-by: Ian Romanick <[email protected]> Signed-off-by: Dave Airlie <[email protected]> [jcristau: backport to 8.0 where fs_visitor::fs_visitor is in brw_fs.h]
diff --git a/src/mesa/drivers/dri/i965/brw_fs.h b/src/mesa/drivers/dri/i965/brw_fs.h
index f557138..798afa1 100644
--- a/src/mesa/drivers/dri/i965/brw_fs.h
+++ b/src/mesa/drivers/dri/i965/brw_fs.h
@@ -424,6 +424,8 @@ public:
 this->virtual_grf_use = NULL;
 this->live_intervals_valid = false;
 
+ this->params_remap = NULL;
+
 this->kill_emitted = false;
 this->force_uncompressed_stack = 0;
 this->force_sechalf_stack = 0;
-- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected] Archive: http://lists.debian.org/[email protected]
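Review bot: The new `int nr_params_remap;` member in the `@@ -617,6 +618,7 @@` brw_fs.h hunk is declared without a comment, while its neighbour `params_remap` carries a block comment ending in "uniform index."; the bounds check in remove_dead_constants now relies on the two staying in sync, and that contract belongs at the declaration. Suggested comment above the field: `/** Number of entries in params_remap; must be updated wherever params_remap is assigned (remove_dead_constants(), import_uniforms()). */`. The class definition starts and ends outside the hunk.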

