diff options
author | Dave Airlie <airlied@gmail.com> | 2013-05-30 20:21:56 +1000 |
---|---|---|
committer | Dave Airlie <airlied@redhat.com> | 2013-06-04 13:50:20 +1000 |
commit | 0677ea063cd96adefe87c1fb01ef7c66d905535b (patch) | |
tree | fc615d0b2703a20f8cc1a124632e06c8eb0e7e5e | |
parent | bb525f1f1154f8ffde0e4199909466acbbb3876c (diff) |
i965: fix problem with constant out of bounds access (v3)
Okay I now understand why Frank would want to run away, this is
my attempt at fixing the CVE out of bounds access to constants
outside the range. This attempt converts any illegal constants
to constant 0 as per the GL spec, and is undefined behaviour.
A future patch should add some debug for users to find this out,
but this needs to be backported to stable branches.
CVE-2013-1872
v2: drop the last hunk which was a separate fix (now in master).
hopefully fix the indentations.
v3: don't fail piglit, the whole 8/16 dispatch stuff was over
my head, and I spent a while figuring it out, but this one is
definitely safe, one piglit pass extra on my Ironlake.
NOTE: This is a candidate for stable branches.
Signed-off-by: Dave Airlie <airlied@redhat.com>
-rw-r--r-- | src/mesa/drivers/dri/i965/brw_fs.cpp | 15 | ||||
-rw-r--r-- | src/mesa/drivers/dri/i965/brw_fs.h | 1 | ||||
-rw-r--r-- | src/mesa/drivers/dri/i965/brw_fs_visitor.cpp | 1 |
3 files changed, 16 insertions, 1 deletions
diff --git a/src/mesa/drivers/dri/i965/brw_fs.cpp b/src/mesa/drivers/dri/i965/brw_fs.cpp index baaa25c13473..7f8edff57eca 100644 --- a/src/mesa/drivers/dri/i965/brw_fs.cpp +++ b/src/mesa/drivers/dri/i965/brw_fs.cpp @@ -818,6 +818,7 @@ fs_visitor::import_uniforms(fs_visitor *v) import_uniforms_callback, variable_ht); this->params_remap = v->params_remap; + this->nr_params_remap = v->nr_params_remap; } /* Our support for uniforms is piggy-backed on the struct @@ -1490,6 +1491,7 @@ fs_visitor::remove_dead_constants() { if (dispatch_width == 8) { this->params_remap = ralloc_array(mem_ctx, int, c->prog_data.nr_params); + this->nr_params_remap = c->prog_data.nr_params; for (unsigned int i = 0; i < c->prog_data.nr_params; i++) this->params_remap[i] = -1; @@ -1504,7 +1506,14 @@ fs_visitor::remove_dead_constants() if (inst->src[i].file != UNIFORM) continue; - assert(constant_nr < (int)c->prog_data.nr_params); + /* Section 5.11 of the OpenGL 4.3 spec says: + * + * "Out-of-bounds reads return undefined values, which include + * values from other variables of the active program or zero." + */ + if (constant_nr < 0 || constant_nr >= (int)c->prog_data.nr_params) { + constant_nr = 0; + } /* For now, set this to non-negative. We'll give it the * actual new number in a moment, in order to keep the @@ -1552,6 +1561,10 @@ fs_visitor::remove_dead_constants() if (inst->src[i].file != UNIFORM) continue; + /* as above alias to 0 */ + if (constant_nr < 0 || constant_nr >= (int)this->nr_params_remap) { + constant_nr = 0; + } assert(this->params_remap[constant_nr] != -1); inst->src[i].reg = this->params_remap[constant_nr]; inst->src[i].reg_offset = 0; diff --git a/src/mesa/drivers/dri/i965/brw_fs.h b/src/mesa/drivers/dri/i965/brw_fs.h index 3d44daf8545a..762e2508d22e 100644 --- a/src/mesa/drivers/dri/i965/brw_fs.h +++ b/src/mesa/drivers/dri/i965/brw_fs.h @@ -440,6 +440,7 @@ public: * uniform index. */ int *params_remap; + int nr_params_remap; struct hash_table *variable_ht; fs_reg frag_depth; diff --git a/src/mesa/drivers/dri/i965/brw_fs_visitor.cpp b/src/mesa/drivers/dri/i965/brw_fs_visitor.cpp index 79c5a11f507b..9bb15d037c16 100644 --- a/src/mesa/drivers/dri/i965/brw_fs_visitor.cpp +++ b/src/mesa/drivers/dri/i965/brw_fs_visitor.cpp @@ -2464,6 +2464,7 @@ fs_visitor::fs_visitor(struct brw_context *brw, this->live_intervals_valid = false; this->params_remap = NULL; + this->nr_params_remap = 0; this->force_uncompressed_stack = 0; this->force_sechalf_stack = 0; |