summaryrefslogtreecommitdiffstats
path: root/meta/recipes-graphics
diff options
context:
space:
mode:
Diffstat (limited to 'meta/recipes-graphics')
-rw-r--r--meta/recipes-graphics/harfbuzz/harfbuzz_2.9.1.bb (renamed from meta/recipes-graphics/harfbuzz/harfbuzz_2.9.0.bb)2
-rw-r--r--meta/recipes-graphics/virglrenderer/virglrenderer/cve-2022-0135.patch117
-rw-r--r--meta/recipes-graphics/virglrenderer/virglrenderer/cve-2022-0175.patch107
-rw-r--r--meta/recipes-graphics/virglrenderer/virglrenderer_0.9.1.bb4
-rw-r--r--meta/recipes-graphics/xorg-lib/libxshmfence_1.3.bb2
-rw-r--r--meta/recipes-graphics/xorg-xserver/xserver-xorg.inc8
6 files changed, 237 insertions, 3 deletions
diff --git a/meta/recipes-graphics/harfbuzz/harfbuzz_2.9.0.bb b/meta/recipes-graphics/harfbuzz/harfbuzz_2.9.1.bb
index bc91a8c03c..694553beef 100644
--- a/meta/recipes-graphics/harfbuzz/harfbuzz_2.9.0.bb
+++ b/meta/recipes-graphics/harfbuzz/harfbuzz_2.9.1.bb
@@ -12,7 +12,7 @@ UPSTREAM_CHECK_URI = "https://github.com/${BPN}/${BPN}/releases"
UPSTREAM_CHECK_REGEX = "harfbuzz-(?P<pver>\d+(\.\d+)+).tar"
SRC_URI = "https://github.com/${BPN}/${BPN}/releases/download/${PV}/${BPN}-${PV}.tar.xz"
-SRC_URI[sha256sum] = "3e1c2e1d2c65d56364fd16d1c41a06b2a35795496f78dfff635c2b7414b54c5a"
+SRC_URI[sha256sum] = "0edcc980f526a338452180e701d6aba6323aef457b6686976a7d17ccbddc51cf"
inherit meson pkgconfig lib_package gtk-doc gobject-introspection
diff --git a/meta/recipes-graphics/virglrenderer/virglrenderer/cve-2022-0135.patch b/meta/recipes-graphics/virglrenderer/virglrenderer/cve-2022-0135.patch
new file mode 100644
index 0000000000..ae42dc8f6c
--- /dev/null
+++ b/meta/recipes-graphics/virglrenderer/virglrenderer/cve-2022-0135.patch
@@ -0,0 +1,117 @@
+From 63aee871365f9c9e7fa9125672302a0fb250d34d Mon Sep 17 00:00:00 2001
+From: Gert Wollny <gert.wollny@collabora.com>
+Date: Tue, 30 Nov 2021 09:16:24 +0100
+Subject: [PATCH 2/2] vrend: propperly check whether the shader image range is
+ correct
+
+Also add a test to check the integer underflow.
+
+Closes: #251
+Signed-off-by: Gert Wollny <gert.wollny@collabora.com>
+Reviewed-by: Chia-I Wu <olvaffe@gmail.com>
+
+cherry-pick from anongit.freedesktop.org/virglrenderer
+commit 2aed5d4...
+
+CVE: CVE-2022-0135
+Upstream-Status: Backport
+Signed-off-by: Joe Slater <joe.slater@windriver.com>
+
+---
+ src/vrend_decode.c | 3 +-
+ tests/test_fuzzer_formats.c | 57 +++++++++++++++++++++++++++++++++++++
+ 2 files changed, 59 insertions(+), 1 deletion(-)
+
+diff --git a/src/vrend_decode.c b/src/vrend_decode.c
+index 91f5f24..6771b10 100644
+--- a/src/vrend_decode.c
++++ b/src/vrend_decode.c
+@@ -1249,8 +1249,9 @@ static int vrend_decode_set_shader_images(struct vrend_context *ctx, const uint3
+ if (num_images < 1) {
+ return 0;
+ }
++
+ if (start_slot > PIPE_MAX_SHADER_IMAGES ||
+- start_slot > PIPE_MAX_SHADER_IMAGES - num_images)
++ start_slot + num_images > PIPE_MAX_SHADER_IMAGES)
+ return EINVAL;
+
+ for (uint32_t i = 0; i < num_images; i++) {
+diff --git a/tests/test_fuzzer_formats.c b/tests/test_fuzzer_formats.c
+index 154a2e5..e32caf0 100644
+--- a/tests/test_fuzzer_formats.c
++++ b/tests/test_fuzzer_formats.c
+@@ -958,6 +958,61 @@ static void test_vrend_set_signle_abo_heap_overflow() {
+ virgl_renderer_submit_cmd((void *) cmd, ctx_id, 0xde);
+ }
+
++static void test_vrend_set_shader_images_overflow()
++{
++ uint32_t num_shaders = PIPE_MAX_SHADER_IMAGES + 1;
++ uint32_t size = num_shaders * VIRGL_SET_SHADER_IMAGE_ELEMENT_SIZE + 3;
++ uint32_t cmd[size];
++ int i = 0;
++ cmd[i++] = ((size - 1)<< 16) | 0 << 8 | VIRGL_CCMD_SET_SHADER_IMAGES;
++ cmd[i++] = PIPE_SHADER_FRAGMENT;
++ memset(&cmd[i], 0, size - i);
++
++ virgl_renderer_submit_cmd((void *) cmd, ctx_id, size);
++}
++
++/* Test adapted from yaojun8558363@gmail.com:
++ * https://gitlab.freedesktop.org/virgl/virglrenderer/-/issues/250
++*/
++static void test_vrend_3d_resource_overflow() {
++
++ struct virgl_renderer_resource_create_args resource;
++ resource.handle = 0x4c474572;
++ resource.target = PIPE_TEXTURE_2D_ARRAY;
++ resource.format = VIRGL_FORMAT_Z24X8_UNORM;
++ resource.nr_samples = 2;
++ resource.last_level = 0;
++ resource.array_size = 3;
++ resource.bind = VIRGL_BIND_SAMPLER_VIEW;
++ resource.depth = 1;
++ resource.width = 8;
++ resource.height = 4;
++ resource.flags = 0;
++
++ virgl_renderer_resource_create(&resource, NULL, 0);
++ virgl_renderer_ctx_attach_resource(ctx_id, resource.handle);
++
++ uint32_t size = 0x400;
++ uint32_t cmd[size];
++ int i = 0;
++ cmd[i++] = (size - 1) << 16 | 0 << 8 | VIRGL_CCMD_RESOURCE_INLINE_WRITE;
++ cmd[i++] = resource.handle;
++ cmd[i++] = 0; // level
++ cmd[i++] = 0; // usage
++ cmd[i++] = 0; // stride
++ cmd[i++] = 0; // layer_stride
++ cmd[i++] = 0; // x
++ cmd[i++] = 0; // y
++ cmd[i++] = 0; // z
++ cmd[i++] = 8; // w
++ cmd[i++] = 4; // h
++ cmd[i++] = 3; // d
++ memset(&cmd[i], 0, size - i);
++
++ virgl_renderer_submit_cmd((void *) cmd, ctx_id, size);
++}
++
++
+ int main()
+ {
+ initialize_environment();
+@@ -980,6 +1035,8 @@ int main()
+ test_cs_nullpointer_deference();
+ test_vrend_set_signle_abo_heap_overflow();
+
++ test_vrend_set_shader_images_overflow();
++ test_vrend_3d_resource_overflow();
+
+ virgl_renderer_context_destroy(ctx_id);
+ virgl_renderer_cleanup(&cookie);
+--
+2.25.1
+
diff --git a/meta/recipes-graphics/virglrenderer/virglrenderer/cve-2022-0175.patch b/meta/recipes-graphics/virglrenderer/virglrenderer/cve-2022-0175.patch
new file mode 100644
index 0000000000..7fbab75091
--- /dev/null
+++ b/meta/recipes-graphics/virglrenderer/virglrenderer/cve-2022-0175.patch
@@ -0,0 +1,107 @@
+From 5ca7aca001092c557f0b6fc1ba3db7dcdab860b7 Mon Sep 17 00:00:00 2001
+From: Gert Wollny <gert.wollny@collabora.com>
+Date: Tue, 30 Nov 2021 09:29:42 +0100
+Subject: [PATCH 1/2] vrend: clear memory when allocating a host-backed memory
+ resource
+
+Closes: #249
+Signed-off-by: Gert Wollny <gert.wollny@collabora.com>
+Reviewed-by: Chia-I Wu <olvaffe@gmail.com>
+
+cherry-pick from anongit.freedesktop.org/virglrenderer
+commit b05bb61...
+
+CVE: CVE-2022-0175
+Upstream-Status: Backport
+Signed-off-by: Joe Slater <joe.slater@windriver.com>
+
+---
+ src/vrend_renderer.c | 2 +-
+ tests/test_virgl_transfer.c | 51 +++++++++++++++++++++++++++++++++++++
+ 2 files changed, 52 insertions(+), 1 deletion(-)
+
+diff --git a/src/vrend_renderer.c b/src/vrend_renderer.c
+index b8b2a36..2650cf2 100644
+--- a/src/vrend_renderer.c
++++ b/src/vrend_renderer.c
+@@ -6788,7 +6788,7 @@ vrend_resource_alloc_buffer(struct vrend_resource *gr, uint32_t flags)
+ if (bind == VIRGL_BIND_CUSTOM) {
+ /* use iovec directly when attached */
+ gr->storage_bits |= VREND_STORAGE_HOST_SYSTEM_MEMORY;
+- gr->ptr = malloc(size);
++ gr->ptr = calloc(1, size);
+ if (!gr->ptr)
+ return -ENOMEM;
+ } else if (bind == VIRGL_BIND_STAGING) {
+diff --git a/tests/test_virgl_transfer.c b/tests/test_virgl_transfer.c
+index bf7f438..3c53c3d 100644
+--- a/tests/test_virgl_transfer.c
++++ b/tests/test_virgl_transfer.c
+@@ -952,6 +952,56 @@ START_TEST(virgl_test_transfer_near_res_bounds_with_stride_succeeds)
+ }
+ END_TEST
+
++START_TEST(test_vrend_host_backed_memory_no_data_leak)
++{
++ struct iovec iovs[1];
++ int niovs = 1;
++
++ struct virgl_context ctx = {0};
++
++ int ret = testvirgl_init_ctx_cmdbuf(&ctx);
++
++ struct virgl_renderer_resource_create_args res;
++ res.handle = 0x400;
++ res.target = PIPE_BUFFER;
++ res.format = VIRGL_FORMAT_R8_UNORM;
++ res.nr_samples = 0;
++ res.last_level = 0;
++ res.array_size = 1;
++ res.bind = VIRGL_BIND_CUSTOM;
++ res.depth = 1;
++ res.width = 32;
++ res.height = 1;
++ res.flags = 0;
++
++ uint32_t size = 32;
++ uint8_t* data = calloc(1, size);
++ memset(data, 1, 32);
++ iovs[0].iov_base = data;
++ iovs[0].iov_len = size;
++
++ struct pipe_box box = {0,0,0, size, 1,1};
++
++ virgl_renderer_resource_create(&res, NULL, 0);
++ virgl_renderer_ctx_attach_resource(ctx.ctx_id, res.handle);
++
++ ret = virgl_renderer_transfer_read_iov(res.handle, ctx.ctx_id, 0, 0, 0,
++ (struct virgl_box *)&box, 0, iovs, niovs);
++
++ ck_assert_int_eq(ret, 0);
++
++ for (int i = 0; i < 32; ++i)
++ ck_assert_int_eq(data[i], 0);
++
++ virgl_renderer_ctx_detach_resource(1, res.handle);
++
++ virgl_renderer_resource_unref(res.handle);
++ free(data);
++
++}
++END_TEST
++
++
+ static Suite *virgl_init_suite(void)
+ {
+ Suite *s;
+@@ -981,6 +1031,7 @@ static Suite *virgl_init_suite(void)
+ tcase_add_test(tc_core, virgl_test_transfer_buffer_bad_strides);
+ tcase_add_test(tc_core, virgl_test_transfer_2d_array_bad_layer_stride);
+ tcase_add_test(tc_core, virgl_test_transfer_2d_bad_level);
++ tcase_add_test(tc_core, test_vrend_host_backed_memory_no_data_leak);
+
+ tcase_add_loop_test(tc_core, virgl_test_transfer_res_read_valid, 0, PIPE_MAX_TEXTURE_TYPES);
+ tcase_add_loop_test(tc_core, virgl_test_transfer_res_write_valid, 0, PIPE_MAX_TEXTURE_TYPES);
+--
+2.25.1
+
diff --git a/meta/recipes-graphics/virglrenderer/virglrenderer_0.9.1.bb b/meta/recipes-graphics/virglrenderer/virglrenderer_0.9.1.bb
index 65bd1af942..14e39fdb20 100644
--- a/meta/recipes-graphics/virglrenderer/virglrenderer_0.9.1.bb
+++ b/meta/recipes-graphics/virglrenderer/virglrenderer_0.9.1.bb
@@ -10,8 +10,10 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=c81c08eeefd9418fca8f88309a76db10"
DEPENDS = "libdrm virtual/libgl virtual/libgbm libepoxy"
SRCREV = "363915595e05fb252e70d6514be2f0c0b5ca312b"
-SRC_URI = "git://anongit.freedesktop.org/virglrenderer;branch=branch-0.9.1 \
+SRC_URI = "git://anongit.freedesktop.org/git/virglrenderer;branch=branch-0.9.1 \
file://0001-meson.build-use-python3-directly-for-python.patch \
+ file://cve-2022-0135.patch \
+ file://cve-2022-0175.patch \
"
S = "${WORKDIR}/git"
diff --git a/meta/recipes-graphics/xorg-lib/libxshmfence_1.3.bb b/meta/recipes-graphics/xorg-lib/libxshmfence_1.3.bb
index d153c7a603..b0b6cb6b56 100644
--- a/meta/recipes-graphics/xorg-lib/libxshmfence_1.3.bb
+++ b/meta/recipes-graphics/xorg-lib/libxshmfence_1.3.bb
@@ -6,7 +6,7 @@ using file descriptor passing."
require xorg-lib-common.inc
-LICENSE = "MIT-style"
+LICENSE = "HPND"
LIC_FILES_CHKSUM = "file://COPYING;md5=47e508ca280fde97906eacb77892c3ac"
DEPENDS += "virtual/libx11"
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc b/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc
index 85d0788eaf..8864564b3e 100644
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc
@@ -20,6 +20,14 @@ SRC_URI = "${XORG_MIRROR}/individual/xserver/${XORG_PN}-${PV}.tar.xz"
UPSTREAM_CHECK_REGEX = "xorg-server-(?P<pver>\d+(\.(?!99)\d+)+)\.tar"
CVE_PRODUCT = "xorg-server x_server"
+# This is specific to Debian's xserver-wrapper.c
+CVE_CHECK_WHITELIST += "CVE-2011-4613"
+# As per upstream, exploiting this flaw is non-trivial and it requires exact
+# timing on the behalf of the attacker. Many graphical applications exit if their
+# connection to the X server is lost, so a typical desktop session is either
+# impossible or difficult to exploit. There is currently no upstream patch
+# available for this flaw.
+CVE_CHECK_WHITELIST += "CVE-2020-25697"
S = "${WORKDIR}/${XORG_PN}-${PV}"
generated by cgit 1.2.3-korg (git 2.39.0) at 2024-05-12 10:07:20 +0000