[hardknott,1/1] virglrenderer: fix CVE-2022-0135 and -0175

Message ID	20220216231204.21131-1-joe.slater@windriver.com
State	Accepted, archived
Commit	225f8b28ff0b3357382f517f39eb315b4bac9138
Headers	show Return-Path: <joe.slater@windriver.com> ip: 205.220.178.238, mailfrom: prvs=9046268e58=joe.slater@windriver.com) From: Joe Slater <joe.slater@windriver.com> To: openembedded-core@lists.openembedded.org Cc: joe.slater@windriver.com, randy.macleod@windriver.com Subject: [oe-core][hardknott][PATCH 1/1] virglrenderer: fix CVE-2022-0135 and -0175 Date: Wed, 16 Feb 2022 15:12:04 -0800 Message-Id: <20220216231204.21131-1-joe.slater@windriver.com> Content-Transfer-Encoding: 8bit Content-Type: text/plain MIME-Version: 1.0
Series	[hardknott,1/1] virglrenderer: fix CVE-2022-0135 and -0175 \| expand [hardknott,1/1] virglrenderer: fix CVE-2022-0135 and -0175

Message ID

20220216231204.21131-1-joe.slater@windriver.com

State

Accepted, archived

Commit

225f8b28ff0b3357382f517f39eb315b4bac9138

Headers

From: Joe Slater <joe.slater@windriver.com>
To: openembedded-core@lists.openembedded.org
Cc: joe.slater@windriver.com, randy.macleod@windriver.com
Subject: [oe-core][hardknott][PATCH 1/1] virglrenderer: fix CVE-2022-0135 and
 -0175
Date: Wed, 16 Feb 2022 15:12:04 -0800
Message-Id: <20220216231204.21131-1-joe.slater@windriver.com>
Content-Transfer-Encoding: 8bit
Content-Type: text/plain
MIME-Version: 1.0
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: 
 9o09lWGm1/J6GxT/52cnyrMtpoQ122prJ3Pxcpj843Oqo0AiJk69DOKTenmc91d7RQFsKCPphwg5Xnb5nuoGr4GzhbID+oNU1l89Oeh1L4stn5PNaFbJDGxFw19KsUy9+fG0Qa/iEqa6uj8Sx3UCCP7fu13JRgYbTBeEJ75Tfk+BSixrm7SEiqkXztBnMBaAGsDcOLDW3lDvui8m5bQ4/HF1jCGf8DsGBdNJzDr8EqAEX6BN/XsizknYp764wNMhXFTUy6Dbvk5XgoGGML8+asCAmr5ejvDJQ/UDQp7KWKwGp5kJJY0zQxCYc0YGtllzIMjkbYS2/9f9vuJCxxO/O2jf6/SUnIejy7mkRyWh25v9cTiOGuIza4NGQT5RZzitF62oczWCwVC32lEGnLOczMZ1IWaAmVbAGw1yWxsdPN8Ao+RRqK55J4XHdg4n+ItEY3eKC4eZdIcEE5vzxCsGuL2f2zUsCiwnrmF6ypKeiZ7RB06w7WhqaWGmMxTYprBlcarsFa95bVuYr/oBMsPCMO3lm1sowLWI8IRNbVhgKv+k9TYV4D89L6V8e9M1iuI+vTNwQ1Qr5ycEWVmCuLK6O7oFusb6pASUy4q2+fuspwsHBp3Q5XDOcyuuSoUlLBLCn4DNxXgAzFsC1RQ98Wd0607LvI2tp8DWTIzgBHByvbniNSlFwOwzm5nJOsaW3gVGJ00Burm00IqyuJquONiyedCTEPPHAiyBBVjafgp/0HKd5L35sT2GTX6GRfgwfMdEraoiywKvRAZ0wDCwItLmLfXM5g56YToAwnoOn2bjaR8CExMZiJcDRqLiuV2F8nF9VQK30JV5pNqrVf9EN3fKKP+HTO4GV7aQpeKwlOVoGM7ptYHZsB3TAx7L3gI3GnknN52tdzClWtYIB0z78Ju+kpi49WE1aISdF+rLJvWj/1y4Mr0gXzX1lnvGsK53v7hDV5ide6ORnIaJi6UtQjhwYo0K1rXGofajXFuwPrnsFRLpVL+KxOPsyheQRcktOQttRaxzMO/gF+i1/L970/b6C4XISSqWmasvZeLe4HNJ265G5/FycLbqOO223ZwMW5TchdRL5VHmvsRYGfe8NPgelsSB6E9augjBX6icVbS6MBJE05Xh4QUg09cWbXpEqUVUvKz2msAQWD8vTggspzP0d8nXupwoqPzPpEOAafoKPN9n0GLSi9Kw1IkAOvd61jYv8W+3UmJad11OzwNMhKxIwdFNkl0FMNPLDEymmrFYCu522a2nQA54pARAG78cI+mtI+Z1lqHw9iQdtK1AXwvqDqM6JNFQOG9/VPIM3p0D1ps7sfu2eT/R/7WiiuWyKpU7GLyLcoXnrRHWCLgnl4gu5hM19ltvbWemDNznCAjOR/nckIKU3I3MzxOq+DFLIt5i5zZm7KMK80ggYWo9XApxqJU6QFYBt+FxLZZCgy1qG0To29LOBOewHh4hBeamKw3fetQv91mLfj0nxB+9mR4fCs3fNkugjor4reaJCc/a+GdzpBqCE+g2bZrjYhmcY5yb+2D/kIWULa9yXjChlBkSnevqUX8mEgbJ2bxXf9LhSt1a2I281nuSMdbz/v2+iAOSvNksZtV/zPTvVipxqHZbM8nmTnn2Opo3AYKkKvShOkkBxNCMJqBg5Cw9Voqm9mlrRFO/HVvFAVwzSYZJqoNx1g==
X-OriginatorOrg: windriver.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 
 9ea5c4e4-6fc1-4b0e-68fa-08d9f1a1d42e
X-MS-Exchange-CrossTenant-AuthSource: BY5PR11MB3992.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 16 Feb 2022 23:12:40.3819
 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 8ddb2873-a1ad-4a18-ae4e-4644631433be
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: 
 ZzGET9WGD3MAQ4fBTJQWVVGoxagrVSekn0O7uY7Ck1efYTTzjc3mmIAajHSx/MkaPhsda3/xX2uksbXCqf8d2HE0aEFYIx1MoeaNszGuExw=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MN2PR11MB4534
X-Proofpoint-ORIG-GUID: r8IM0SyFmhPkm5nzEdhuXRzFR3nB1k0E
X-Proofpoint-GUID: r8IM0SyFmhPkm5nzEdhuXRzFR3nB1k0E
X-Proofpoint-Virus-Version: vendor=baseguard
 engine=ICAP:2.0.205,Aquarius:18.0.816,Hydra:6.0.425,FMLib:17.11.62.513
 definitions=2022-02-16_11,2022-02-16_01,2021-12-02_01
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0
 phishscore=0 mlxlogscore=672
 lowpriorityscore=0 clxscore=1015 priorityscore=1501 malwarescore=0
 adultscore=0 spamscore=0 impostorscore=0 suspectscore=0 mlxscore=0
 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1
 engine=8.12.0-2201110000 definitions=main-2202160126
List-Id: <openembedded-core.lists.openembedded.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-core@lists.openembedded.org>; Wed, 16 Feb 2022 23:12:45 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-core/message/161784

Series

[hardknott,1/1] virglrenderer: fix CVE-2022-0135 and -0175 | expand

Commit Message

Slater, Joseph Feb. 16, 2022, 11:12 p.m. UTC

CVE-2022-0135 concerns out-of-bounds writes in read_transfer_data().
CVE-2022-0175 concerns using malloc() instead of calloc().

We cherry-pick from master.

Signed-off-by: Joe Slater <joe.slater@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 91f7511df79c5c1f93add9f2827a5a266453614e)

Modify -0175 patch to apply to hardknott branch.

Signed-off-by: Joe Slater <joe.slater@windriver.com>
---
 .../virglrenderer/cve-2022-0135.patch         | 117 ++++++++++++++++++
 .../virglrenderer/cve-2022-0175.patch         | 112 +++++++++++++++++
 .../virglrenderer/virglrenderer_0.8.2.bb      |   2 +
 3 files changed, 231 insertions(+)
 create mode 100644 meta/recipes-graphics/virglrenderer/virglrenderer/cve-2022-0135.patch
 create mode 100644 meta/recipes-graphics/virglrenderer/virglrenderer/cve-2022-0175.patch

Comments

Randy MacLeod Feb. 24, 2022, 1:01 a.m. UTC | #1

Anuj,

Did you miss this one?
I don't see it in:
https://git.openembedded.org/meta-openembedded-contrib/log/?h=hardknott-next

../Randy

On 2022-02-16 18:12, Joe Slater wrote:
> CVE-2022-0135 concerns out-of-bounds writes in read_transfer_data().
> CVE-2022-0175 concerns using malloc() instead of calloc().
>
> We cherry-pick from master.
>
> Signed-off-by: Joe Slater <joe.slater@windriver.com>
> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
> (cherry picked from commit 91f7511df79c5c1f93add9f2827a5a266453614e)
>
> Modify -0175 patch to apply to hardknott branch.
>
> Signed-off-by: Joe Slater <joe.slater@windriver.com>
> ---
>   .../virglrenderer/cve-2022-0135.patch         | 117 ++++++++++++++++++
>   .../virglrenderer/cve-2022-0175.patch         | 112 +++++++++++++++++
>   .../virglrenderer/virglrenderer_0.8.2.bb      |   2 +
>   3 files changed, 231 insertions(+)
>   create mode 100644 meta/recipes-graphics/virglrenderer/virglrenderer/cve-2022-0135.patch
>   create mode 100644 meta/recipes-graphics/virglrenderer/virglrenderer/cve-2022-0175.patch
>
> diff --git a/meta/recipes-graphics/virglrenderer/virglrenderer/cve-2022-0135.patch b/meta/recipes-graphics/virglrenderer/virglrenderer/cve-2022-0135.patch
> new file mode 100644
> index 0000000000..ae42dc8f6c
> --- /dev/null
> +++ b/meta/recipes-graphics/virglrenderer/virglrenderer/cve-2022-0135.patch
> @@ -0,0 +1,117 @@
> +From 63aee871365f9c9e7fa9125672302a0fb250d34d Mon Sep 17 00:00:00 2001
> +From: Gert Wollny <gert.wollny@collabora.com>
> +Date: Tue, 30 Nov 2021 09:16:24 +0100
> +Subject: [PATCH 2/2] vrend: propperly check whether the shader image range is
> + correct
> +
> +Also add a test to check the integer underflow.
> +
> +Closes: #251
> +Signed-off-by: Gert Wollny <gert.wollny@collabora.com>
> +Reviewed-by: Chia-I Wu <olvaffe@gmail.com>
> +
> +cherry-pick from anongit.freedesktop.org/virglrenderer
> +commit 2aed5d4...
> +
> +CVE: CVE-2022-0135
> +Upstream-Status: Backport
> +Signed-off-by: Joe Slater <joe.slater@windriver.com>
> +
> +---
> + src/vrend_decode.c          |  3 +-
> + tests/test_fuzzer_formats.c | 57 +++++++++++++++++++++++++++++++++++++
> + 2 files changed, 59 insertions(+), 1 deletion(-)
> +
> +diff --git a/src/vrend_decode.c b/src/vrend_decode.c
> +index 91f5f24..6771b10 100644
> +--- a/src/vrend_decode.c
> ++++ b/src/vrend_decode.c
> +@@ -1249,8 +1249,9 @@ static int vrend_decode_set_shader_images(struct vrend_context *ctx, const uint3
> +    if (num_images < 1) {
> +       return 0;
> +    }
> ++
> +    if (start_slot > PIPE_MAX_SHADER_IMAGES ||
> +-       start_slot > PIPE_MAX_SHADER_IMAGES - num_images)
> ++       start_slot + num_images > PIPE_MAX_SHADER_IMAGES)
> +       return EINVAL;
> +
> +    for (uint32_t i = 0; i < num_images; i++) {
> +diff --git a/tests/test_fuzzer_formats.c b/tests/test_fuzzer_formats.c
> +index 154a2e5..e32caf0 100644
> +--- a/tests/test_fuzzer_formats.c
> ++++ b/tests/test_fuzzer_formats.c
> +@@ -958,6 +958,61 @@ static void test_vrend_set_signle_abo_heap_overflow() {
> +     virgl_renderer_submit_cmd((void *) cmd, ctx_id, 0xde);
> + }
> +
> ++static void test_vrend_set_shader_images_overflow()
> ++{
> ++    uint32_t num_shaders = PIPE_MAX_SHADER_IMAGES + 1;
> ++    uint32_t size = num_shaders * VIRGL_SET_SHADER_IMAGE_ELEMENT_SIZE + 3;
> ++    uint32_t cmd[size];
> ++    int i = 0;
> ++    cmd[i++] = ((size - 1)<< 16) | 0 << 8 | VIRGL_CCMD_SET_SHADER_IMAGES;
> ++    cmd[i++] = PIPE_SHADER_FRAGMENT;
> ++    memset(&cmd[i], 0, size - i);
> ++
> ++    virgl_renderer_submit_cmd((void *) cmd, ctx_id, size);
> ++}
> ++
> ++/* Test adapted from yaojun8558363@gmail.com:
> ++ * https://gitlab.freedesktop.org/virgl/virglrenderer/-/issues/250
> ++*/
> ++static void test_vrend_3d_resource_overflow() {
> ++
> ++    struct virgl_renderer_resource_create_args resource;
> ++    resource.handle = 0x4c474572;
> ++    resource.target = PIPE_TEXTURE_2D_ARRAY;
> ++    resource.format = VIRGL_FORMAT_Z24X8_UNORM;
> ++    resource.nr_samples = 2;
> ++    resource.last_level = 0;
> ++    resource.array_size = 3;
> ++    resource.bind = VIRGL_BIND_SAMPLER_VIEW;
> ++    resource.depth = 1;
> ++    resource.width = 8;
> ++    resource.height = 4;
> ++    resource.flags = 0;
> ++
> ++    virgl_renderer_resource_create(&resource, NULL, 0);
> ++    virgl_renderer_ctx_attach_resource(ctx_id, resource.handle);
> ++
> ++    uint32_t size = 0x400;
> ++    uint32_t cmd[size];
> ++    int i = 0;
> ++    cmd[i++] = (size - 1) << 16 | 0 << 8 | VIRGL_CCMD_RESOURCE_INLINE_WRITE;
> ++    cmd[i++] = resource.handle;
> ++    cmd[i++] = 0; // level
> ++    cmd[i++] = 0; // usage
> ++    cmd[i++] = 0; // stride
> ++    cmd[i++] = 0; // layer_stride
> ++    cmd[i++] = 0; // x
> ++    cmd[i++] = 0; // y
> ++    cmd[i++] = 0; // z
> ++    cmd[i++] = 8; // w
> ++    cmd[i++] = 4; // h
> ++    cmd[i++] = 3; // d
> ++    memset(&cmd[i], 0, size - i);
> ++
> ++    virgl_renderer_submit_cmd((void *) cmd, ctx_id, size);
> ++}
> ++
> ++
> + int main()
> + {
> +    initialize_environment();
> +@@ -980,6 +1035,8 @@ int main()
> +    test_cs_nullpointer_deference();
> +    test_vrend_set_signle_abo_heap_overflow();
> +
> ++   test_vrend_set_shader_images_overflow();
> ++   test_vrend_3d_resource_overflow();
> +
> +    virgl_renderer_context_destroy(ctx_id);
> +    virgl_renderer_cleanup(&cookie);
> +--
> +2.25.1
> +
> diff --git a/meta/recipes-graphics/virglrenderer/virglrenderer/cve-2022-0175.patch b/meta/recipes-graphics/virglrenderer/virglrenderer/cve-2022-0175.patch
> new file mode 100644
> index 0000000000..8bbb9eb579
> --- /dev/null
> +++ b/meta/recipes-graphics/virglrenderer/virglrenderer/cve-2022-0175.patch
> @@ -0,0 +1,112 @@
> +From 5ca7aca001092c557f0b6fc1ba3db7dcdab860b7 Mon Sep 17 00:00:00 2001
> +From: Gert Wollny <gert.wollny@collabora.com>
> +Date: Tue, 30 Nov 2021 09:29:42 +0100
> +Subject: [PATCH 1/2] vrend: clear memory when allocating a host-backed memory
> + resource
> +
> +Closes: #249
> +Signed-off-by: Gert Wollny <gert.wollny@collabora.com>
> +Reviewed-by: Chia-I Wu <olvaffe@gmail.com>
> +
> +cherry-pick from anongit.freedesktop.org/virglrenderer
> +commit b05bb61...
> +
> +CVE: CVE-2022-0175
> +Upstream-Status: Backport
> +Signed-off-by: Joe Slater <joe.slater@windriver.com>
> +
> +Patch to vrend_renderer.c modified to apply to version used by hardknott.
> +Patch to test_virgl_transfer.c unchanged.
> +
> +Signed-off-by: Joe Slater <joe.slater@windriver.com>
> +
> +---
> + src/vrend_renderer.c        |  2 +-
> + tests/test_virgl_transfer.c | 51 +++++++++++++++++++++++++++++++++++++
> + 2 files changed, 52 insertions(+), 1 deletion(-)
> +
> +diff --git a/src/vrend_renderer.c b/src/vrend_renderer.c
> +index ad7a351..d84f785 100644
> +--- a/src/vrend_renderer.c
> ++++ b/src/vrend_renderer.c
> +@@ -6646,7 +6646,7 @@ int vrend_renderer_resource_create(struct vrend_renderer_resource_create_args *a
> +       if (args->bind == VIRGL_BIND_CUSTOM) {
> +          /* use iovec directly when attached */
> +          gr->storage_bits |= VREND_STORAGE_HOST_SYSTEM_MEMORY;
> +-         gr->ptr = malloc(args->width);
> ++         gr->ptr = calloc(1, args->width);
> +          if (!gr->ptr) {
> +             FREE(gr);
> +             return ENOMEM;
> +diff --git a/tests/test_virgl_transfer.c b/tests/test_virgl_transfer.c
> +index 2c8669a..8f8e98a 100644
> +--- a/tests/test_virgl_transfer.c
> ++++ b/tests/test_virgl_transfer.c
> +@@ -952,6 +952,56 @@ START_TEST(virgl_test_transfer_near_res_bounds_with_stride_succeeds)
> + }
> + END_TEST
> +
> ++START_TEST(test_vrend_host_backed_memory_no_data_leak)
> ++{
> ++   struct iovec iovs[1];
> ++   int niovs = 1;
> ++
> ++   struct virgl_context ctx = {0};
> ++
> ++   int ret = testvirgl_init_ctx_cmdbuf(&ctx);
> ++
> ++   struct virgl_renderer_resource_create_args res;
> ++   res.handle = 0x400;
> ++   res.target = PIPE_BUFFER;
> ++   res.format = VIRGL_FORMAT_R8_UNORM;
> ++   res.nr_samples = 0;
> ++   res.last_level = 0;
> ++   res.array_size = 1;
> ++   res.bind = VIRGL_BIND_CUSTOM;
> ++   res.depth = 1;
> ++   res.width = 32;
> ++   res.height = 1;
> ++   res.flags = 0;
> ++
> ++   uint32_t size = 32;
> ++   uint8_t* data = calloc(1, size);
> ++   memset(data, 1, 32);
> ++   iovs[0].iov_base = data;
> ++   iovs[0].iov_len = size;
> ++
> ++   struct pipe_box box = {0,0,0, size, 1,1};
> ++
> ++   virgl_renderer_resource_create(&res, NULL, 0);
> ++   virgl_renderer_ctx_attach_resource(ctx.ctx_id, res.handle);
> ++
> ++   ret = virgl_renderer_transfer_read_iov(res.handle, ctx.ctx_id, 0, 0, 0,
> ++                                          (struct virgl_box *)&box, 0, iovs, niovs);
> ++
> ++   ck_assert_int_eq(ret, 0);
> ++
> ++   for (int i = 0; i < 32; ++i)
> ++      ck_assert_int_eq(data[i], 0);
> ++
> ++   virgl_renderer_ctx_detach_resource(1, res.handle);
> ++
> ++   virgl_renderer_resource_unref(res.handle);
> ++   free(data);
> ++
> ++}
> ++END_TEST
> ++
> ++
> + static Suite *virgl_init_suite(void)
> + {
> +   Suite *s;
> +@@ -981,6 +1031,7 @@ static Suite *virgl_init_suite(void)
> +   tcase_add_test(tc_core, virgl_test_transfer_buffer_bad_strides);
> +   tcase_add_test(tc_core, virgl_test_transfer_2d_array_bad_layer_stride);
> +   tcase_add_test(tc_core, virgl_test_transfer_2d_bad_level);
> ++  tcase_add_test(tc_core, test_vrend_host_backed_memory_no_data_leak);
> +
> +   tcase_add_loop_test(tc_core, virgl_test_transfer_res_read_valid, 0, PIPE_MAX_TEXTURE_TYPES);
> +   tcase_add_loop_test(tc_core, virgl_test_transfer_res_write_valid, 0, PIPE_MAX_TEXTURE_TYPES);
> +--
> +2.31.1
> +
> diff --git a/meta/recipes-graphics/virglrenderer/virglrenderer_0.8.2.bb b/meta/recipes-graphics/virglrenderer/virglrenderer_0.8.2.bb
> index 7f035f820a..d92359565a 100644
> --- a/meta/recipes-graphics/virglrenderer/virglrenderer_0.8.2.bb
> +++ b/meta/recipes-graphics/virglrenderer/virglrenderer_0.8.2.bb
> @@ -13,6 +13,8 @@ SRCREV = "7d204f3927be65fb3365dce01dbcd04d447a4985"
>   SRC_URI = "git://anongit.freedesktop.org/virglrenderer;branch=master \
>              file://0001-gallium-Expand-libc-check-to-be-platform-OS-check.patch \
>              file://0001-meson.build-use-python3-directly-for-python.patch \
> +           file://cve-2022-0135.patch \
> +           file://cve-2022-0175.patch \
>              "
>   
>   S = "${WORKDIR}/git"

Mittal, Anuj Feb. 24, 2022, 2:06 a.m. UTC | #2

On Wed, 2022-02-23 at 20:01 -0500, Randy MacLeod wrote:
> Anuj,
> 
> Did you miss this one?

A hardknott point release, 3.3.5, is in QA right now so I didn't take
patches this week. It will be in next week's pull request.

I have taken this for honister in the meantime.

Thanks,

Anuj

> I don't see it in:
> https://git.openembedded.org/meta-openembedded-contrib/log/?h=hardknott-next
> 
> ../Randy
> 
> On 2022-02-16 18:12, Joe Slater wrote:
> > CVE-2022-0135 concerns out-of-bounds writes in
> > read_transfer_data().
> > CVE-2022-0175 concerns using malloc() instead of calloc().
> > 
> > We cherry-pick from master.
> > 
> > Signed-off-by: Joe Slater <joe.slater@windriver.com>
> > Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
> > (cherry picked from commit
> > 91f7511df79c5c1f93add9f2827a5a266453614e)
> > 
> > Modify -0175 patch to apply to hardknott branch.
> > 
> > Signed-off-by: Joe Slater <joe.slater@windriver.com>
> > ---
> >   .../virglrenderer/cve-2022-0135.patch         | 117
> > ++++++++++++++++++
> >   .../virglrenderer/cve-2022-0175.patch         | 112
> > +++++++++++++++++
> >   .../virglrenderer/virglrenderer_0.8.2.bb      |   2 +
> >   3 files changed, 231 insertions(+)
> >   create mode 100644 meta/recipes-
> > graphics/virglrenderer/virglrenderer/cve-2022-0135.patch
> >   create mode 100644 meta/recipes-
> > graphics/virglrenderer/virglrenderer/cve-2022-0175.patch
> > 
> > diff --git a/meta/recipes-graphics/virglrenderer/virglrenderer/cve-
> > 2022-0135.patch b/meta/recipes-
> > graphics/virglrenderer/virglrenderer/cve-2022-0135.patch
> > new file mode 100644
> > index 0000000000..ae42dc8f6c
> > --- /dev/null
> > +++ b/meta/recipes-graphics/virglrenderer/virglrenderer/cve-2022-
> > 0135.patch
> > @@ -0,0 +1,117 @@
> > +From 63aee871365f9c9e7fa9125672302a0fb250d34d Mon Sep 17 00:00:00
> > 2001
> > +From: Gert Wollny <gert.wollny@collabora.com>
> > +Date: Tue, 30 Nov 2021 09:16:24 +0100
> > +Subject: [PATCH 2/2] vrend: propperly check whether the shader
> > image range is
> > + correct
> > +
> > +Also add a test to check the integer underflow.
> > +
> > +Closes: #251
> > +Signed-off-by: Gert Wollny <gert.wollny@collabora.com>
> > +Reviewed-by: Chia-I Wu <olvaffe@gmail.com>
> > +
> > +cherry-pick from anongit.freedesktop.org/virglrenderer
> > +commit 2aed5d4...
> > +
> > +CVE: CVE-2022-0135
> > +Upstream-Status: Backport
> > +Signed-off-by: Joe Slater <joe.slater@windriver.com>
> > +
> > +---
> > + src/vrend_decode.c          |  3 +-
> > + tests/test_fuzzer_formats.c | 57
> > +++++++++++++++++++++++++++++++++++++
> > + 2 files changed, 59 insertions(+), 1 deletion(-)
> > +
> > +diff --git a/src/vrend_decode.c b/src/vrend_decode.c
> > +index 91f5f24..6771b10 100644
> > +--- a/src/vrend_decode.c
> > ++++ b/src/vrend_decode.c
> > +@@ -1249,8 +1249,9 @@ static int
> > vrend_decode_set_shader_images(struct vrend_context *ctx, const
> > uint3
> > +    if (num_images < 1) {
> > +       return 0;
> > +    }
> > ++
> > +    if (start_slot > PIPE_MAX_SHADER_IMAGES ||
> > +-       start_slot > PIPE_MAX_SHADER_IMAGES - num_images)
> > ++       start_slot + num_images > PIPE_MAX_SHADER_IMAGES)
> > +       return EINVAL;
> > +
> > +    for (uint32_t i = 0; i < num_images; i++) {
> > +diff --git a/tests/test_fuzzer_formats.c
> > b/tests/test_fuzzer_formats.c
> > +index 154a2e5..e32caf0 100644
> > +--- a/tests/test_fuzzer_formats.c
> > ++++ b/tests/test_fuzzer_formats.c
> > +@@ -958,6 +958,61 @@ static void
> > test_vrend_set_signle_abo_heap_overflow() {
> > +     virgl_renderer_submit_cmd((void *) cmd, ctx_id, 0xde);
> > + }
> > +
> > ++static void test_vrend_set_shader_images_overflow()
> > ++{
> > ++    uint32_t num_shaders = PIPE_MAX_SHADER_IMAGES + 1;
> > ++    uint32_t size = num_shaders *
> > VIRGL_SET_SHADER_IMAGE_ELEMENT_SIZE + 3;
> > ++    uint32_t cmd[size];
> > ++    int i = 0;
> > ++    cmd[i++] = ((size - 1)<< 16) | 0 << 8 |
> > VIRGL_CCMD_SET_SHADER_IMAGES;
> > ++    cmd[i++] = PIPE_SHADER_FRAGMENT;
> > ++    memset(&cmd[i], 0, size - i);
> > ++
> > ++    virgl_renderer_submit_cmd((void *) cmd, ctx_id, size);
> > ++}
> > ++
> > ++/* Test adapted from yaojun8558363@gmail.com:
> > ++ *
> > https://gitlab.freedesktop.org/virgl/virglrenderer/-/issues/250
> > ++*/
> > ++static void test_vrend_3d_resource_overflow() {
> > ++
> > ++    struct virgl_renderer_resource_create_args resource;
> > ++    resource.handle = 0x4c474572;
> > ++    resource.target = PIPE_TEXTURE_2D_ARRAY;
> > ++    resource.format = VIRGL_FORMAT_Z24X8_UNORM;
> > ++    resource.nr_samples = 2;
> > ++    resource.last_level = 0;
> > ++    resource.array_size = 3;
> > ++    resource.bind = VIRGL_BIND_SAMPLER_VIEW;
> > ++    resource.depth = 1;
> > ++    resource.width = 8;
> > ++    resource.height = 4;
> > ++    resource.flags = 0;
> > ++
> > ++    virgl_renderer_resource_create(&resource, NULL, 0);
> > ++    virgl_renderer_ctx_attach_resource(ctx_id, resource.handle);
> > ++
> > ++    uint32_t size = 0x400;
> > ++    uint32_t cmd[size];
> > ++    int i = 0;
> > ++    cmd[i++] = (size - 1) << 16 | 0 << 8 |
> > VIRGL_CCMD_RESOURCE_INLINE_WRITE;
> > ++    cmd[i++] = resource.handle;
> > ++    cmd[i++] = 0; // level
> > ++    cmd[i++] = 0; // usage
> > ++    cmd[i++] = 0; // stride
> > ++    cmd[i++] = 0; // layer_stride
> > ++    cmd[i++] = 0; // x
> > ++    cmd[i++] = 0; // y
> > ++    cmd[i++] = 0; // z
> > ++    cmd[i++] = 8; // w
> > ++    cmd[i++] = 4; // h
> > ++    cmd[i++] = 3; // d
> > ++    memset(&cmd[i], 0, size - i);
> > ++
> > ++    virgl_renderer_submit_cmd((void *) cmd, ctx_id, size);
> > ++}
> > ++
> > ++
> > + int main()
> > + {
> > +    initialize_environment();
> > +@@ -980,6 +1035,8 @@ int main()
> > +    test_cs_nullpointer_deference();
> > +    test_vrend_set_signle_abo_heap_overflow();
> > +
> > ++   test_vrend_set_shader_images_overflow();
> > ++   test_vrend_3d_resource_overflow();
> > +
> > +    virgl_renderer_context_destroy(ctx_id);
> > +    virgl_renderer_cleanup(&cookie);
> > +--
> > +2.25.1
> > +
> > diff --git a/meta/recipes-graphics/virglrenderer/virglrenderer/cve-
> > 2022-0175.patch b/meta/recipes-
> > graphics/virglrenderer/virglrenderer/cve-2022-0175.patch
> > new file mode 100644
> > index 0000000000..8bbb9eb579
> > --- /dev/null
> > +++ b/meta/recipes-graphics/virglrenderer/virglrenderer/cve-2022-
> > 0175.patch
> > @@ -0,0 +1,112 @@
> > +From 5ca7aca001092c557f0b6fc1ba3db7dcdab860b7 Mon Sep 17 00:00:00
> > 2001
> > +From: Gert Wollny <gert.wollny@collabora.com>
> > +Date: Tue, 30 Nov 2021 09:29:42 +0100
> > +Subject: [PATCH 1/2] vrend: clear memory when allocating a host-
> > backed memory
> > + resource
> > +
> > +Closes: #249
> > +Signed-off-by: Gert Wollny <gert.wollny@collabora.com>
> > +Reviewed-by: Chia-I Wu <olvaffe@gmail.com>
> > +
> > +cherry-pick from anongit.freedesktop.org/virglrenderer
> > +commit b05bb61...
> > +
> > +CVE: CVE-2022-0175
> > +Upstream-Status: Backport
> > +Signed-off-by: Joe Slater <joe.slater@windriver.com>
> > +
> > +Patch to vrend_renderer.c modified to apply to version used by
> > hardknott.
> > +Patch to test_virgl_transfer.c unchanged.
> > +
> > +Signed-off-by: Joe Slater <joe.slater@windriver.com>
> > +
> > +---
> > + src/vrend_renderer.c        |  2 +-
> > + tests/test_virgl_transfer.c | 51
> > +++++++++++++++++++++++++++++++++++++
> > + 2 files changed, 52 insertions(+), 1 deletion(-)
> > +
> > +diff --git a/src/vrend_renderer.c b/src/vrend_renderer.c
> > +index ad7a351..d84f785 100644
> > +--- a/src/vrend_renderer.c
> > ++++ b/src/vrend_renderer.c
> > +@@ -6646,7 +6646,7 @@ int vrend_renderer_resource_create(struct
> > vrend_renderer_resource_create_args *a
> > +       if (args->bind == VIRGL_BIND_CUSTOM) {
> > +          /* use iovec directly when attached */
> > +          gr->storage_bits |= VREND_STORAGE_HOST_SYSTEM_MEMORY;
> > +-         gr->ptr = malloc(args->width);
> > ++         gr->ptr = calloc(1, args->width);
> > +          if (!gr->ptr) {
> > +             FREE(gr);
> > +             return ENOMEM;
> > +diff --git a/tests/test_virgl_transfer.c
> > b/tests/test_virgl_transfer.c
> > +index 2c8669a..8f8e98a 100644
> > +--- a/tests/test_virgl_transfer.c
> > ++++ b/tests/test_virgl_transfer.c
> > +@@ -952,6 +952,56 @@
> > START_TEST(virgl_test_transfer_near_res_bounds_with_stride_succeeds
> > )
> > + }
> > + END_TEST
> > +
> > ++START_TEST(test_vrend_host_backed_memory_no_data_leak)
> > ++{
> > ++   struct iovec iovs[1];
> > ++   int niovs = 1;
> > ++
> > ++   struct virgl_context ctx = {0};
> > ++
> > ++   int ret = testvirgl_init_ctx_cmdbuf(&ctx);
> > ++
> > ++   struct virgl_renderer_resource_create_args res;
> > ++   res.handle = 0x400;
> > ++   res.target = PIPE_BUFFER;
> > ++   res.format = VIRGL_FORMAT_R8_UNORM;
> > ++   res.nr_samples = 0;
> > ++   res.last_level = 0;
> > ++   res.array_size = 1;
> > ++   res.bind = VIRGL_BIND_CUSTOM;
> > ++   res.depth = 1;
> > ++   res.width = 32;
> > ++   res.height = 1;
> > ++   res.flags = 0;
> > ++
> > ++   uint32_t size = 32;
> > ++   uint8_t* data = calloc(1, size);
> > ++   memset(data, 1, 32);
> > ++   iovs[0].iov_base = data;
> > ++   iovs[0].iov_len = size;
> > ++
> > ++   struct pipe_box box = {0,0,0, size, 1,1};
> > ++
> > ++   virgl_renderer_resource_create(&res, NULL, 0);
> > ++   virgl_renderer_ctx_attach_resource(ctx.ctx_id, res.handle);
> > ++
> > ++   ret = virgl_renderer_transfer_read_iov(res.handle, ctx.ctx_id,
> > 0, 0, 0,
> > ++                                          (struct virgl_box
> > *)&box, 0, iovs, niovs);
> > ++
> > ++   ck_assert_int_eq(ret, 0);
> > ++
> > ++   for (int i = 0; i < 32; ++i)
> > ++      ck_assert_int_eq(data[i], 0);
> > ++
> > ++   virgl_renderer_ctx_detach_resource(1, res.handle);
> > ++
> > ++   virgl_renderer_resource_unref(res.handle);
> > ++   free(data);
> > ++
> > ++}
> > ++END_TEST
> > ++
> > ++
> > + static Suite *virgl_init_suite(void)
> > + {
> > +   Suite *s;
> > +@@ -981,6 +1031,7 @@ static Suite *virgl_init_suite(void)
> > +   tcase_add_test(tc_core,
> > virgl_test_transfer_buffer_bad_strides);
> > +   tcase_add_test(tc_core,
> > virgl_test_transfer_2d_array_bad_layer_stride);
> > +   tcase_add_test(tc_core, virgl_test_transfer_2d_bad_level);
> > ++  tcase_add_test(tc_core,
> > test_vrend_host_backed_memory_no_data_leak);
> > +
> > +   tcase_add_loop_test(tc_core,
> > virgl_test_transfer_res_read_valid, 0, PIPE_MAX_TEXTURE_TYPES);
> > +   tcase_add_loop_test(tc_core,
> > virgl_test_transfer_res_write_valid, 0, PIPE_MAX_TEXTURE_TYPES);
> > +--
> > +2.31.1
> > +
> > diff --git a/meta/recipes-
> > graphics/virglrenderer/virglrenderer_0.8.2.bb b/meta/recipes-
> > graphics/virglrenderer/virglrenderer_0.8.2.bb
> > index 7f035f820a..d92359565a 100644
> > --- a/meta/recipes-graphics/virglrenderer/virglrenderer_0.8.2.bb
> > +++ b/meta/recipes-graphics/virglrenderer/virglrenderer_0.8.2.bb
> > @@ -13,6 +13,8 @@ SRCREV =
> > "7d204f3927be65fb3365dce01dbcd04d447a4985"
> >   SRC_URI =
> > "git://anongit.freedesktop.org/virglrenderer;branch=master \
> >             
> > file://0001-gallium-Expand-libc-check-to-be-platform-OS-check.patch
> >  \
> >             
> > file://0001-meson.build-use-python3-directly-for-python.patch \
> > +           file://cve-2022-0135.patch \
> > +           file://cve-2022-0175.patch \
> >              "
> >   
> >   S = "${WORKDIR}/git"
> 
>

diff --git a/meta/recipes-graphics/virglrenderer/virglrenderer/cve-2022-0135.patch b/meta/recipes-graphics/virglrenderer/virglrenderer/cve-2022-0135.patch
new file mode 100644
index 0000000000..ae42dc8f6c
--- /dev/null
+++ b/meta/recipes-graphics/virglrenderer/virglrenderer/cve-2022-0135.patch
@@ -0,0 +1,117 @@ 
+From 63aee871365f9c9e7fa9125672302a0fb250d34d Mon Sep 17 00:00:00 2001
+From: Gert Wollny <gert.wollny@collabora.com>
+Date: Tue, 30 Nov 2021 09:16:24 +0100
+Subject: [PATCH 2/2] vrend: propperly check whether the shader image range is
+ correct
+
+Also add a test to check the integer underflow.
+
+Closes: #251
+Signed-off-by: Gert Wollny <gert.wollny@collabora.com>
+Reviewed-by: Chia-I Wu <olvaffe@gmail.com>
+
+cherry-pick from anongit.freedesktop.org/virglrenderer
+commit 2aed5d4...
+
+CVE: CVE-2022-0135
+Upstream-Status: Backport
+Signed-off-by: Joe Slater <joe.slater@windriver.com>
+
+---
+ src/vrend_decode.c          |  3 +-
+ tests/test_fuzzer_formats.c | 57 +++++++++++++++++++++++++++++++++++++
+ 2 files changed, 59 insertions(+), 1 deletion(-)
+
+diff --git a/src/vrend_decode.c b/src/vrend_decode.c
+index 91f5f24..6771b10 100644
+--- a/src/vrend_decode.c
++++ b/src/vrend_decode.c
+@@ -1249,8 +1249,9 @@ static int vrend_decode_set_shader_images(struct vrend_context *ctx, const uint3
+    if (num_images < 1) {
+       return 0;
+    }
++
+    if (start_slot > PIPE_MAX_SHADER_IMAGES ||
+-       start_slot > PIPE_MAX_SHADER_IMAGES - num_images)
++       start_slot + num_images > PIPE_MAX_SHADER_IMAGES)
+       return EINVAL;
+ 
+    for (uint32_t i = 0; i < num_images; i++) {
+diff --git a/tests/test_fuzzer_formats.c b/tests/test_fuzzer_formats.c
+index 154a2e5..e32caf0 100644
+--- a/tests/test_fuzzer_formats.c
++++ b/tests/test_fuzzer_formats.c
+@@ -958,6 +958,61 @@ static void test_vrend_set_signle_abo_heap_overflow() {
+     virgl_renderer_submit_cmd((void *) cmd, ctx_id, 0xde);
+ }
+ 
++static void test_vrend_set_shader_images_overflow()
++{
++    uint32_t num_shaders = PIPE_MAX_SHADER_IMAGES + 1;
++    uint32_t size = num_shaders * VIRGL_SET_SHADER_IMAGE_ELEMENT_SIZE + 3;
++    uint32_t cmd[size];
++    int i = 0;
++    cmd[i++] = ((size - 1)<< 16) | 0 << 8 | VIRGL_CCMD_SET_SHADER_IMAGES;
++    cmd[i++] = PIPE_SHADER_FRAGMENT;
++    memset(&cmd[i], 0, size - i);
++
++    virgl_renderer_submit_cmd((void *) cmd, ctx_id, size);
++}
++
++/* Test adapted from yaojun8558363@gmail.com:
++ * https://gitlab.freedesktop.org/virgl/virglrenderer/-/issues/250
++*/
++static void test_vrend_3d_resource_overflow() {
++
++    struct virgl_renderer_resource_create_args resource;
++    resource.handle = 0x4c474572;
++    resource.target = PIPE_TEXTURE_2D_ARRAY;
++    resource.format = VIRGL_FORMAT_Z24X8_UNORM;
++    resource.nr_samples = 2;
++    resource.last_level = 0;
++    resource.array_size = 3;
++    resource.bind = VIRGL_BIND_SAMPLER_VIEW;
++    resource.depth = 1;
++    resource.width = 8;
++    resource.height = 4;
++    resource.flags = 0;
++
++    virgl_renderer_resource_create(&resource, NULL, 0);
++    virgl_renderer_ctx_attach_resource(ctx_id, resource.handle);
++
++    uint32_t size = 0x400;
++    uint32_t cmd[size];
++    int i = 0;
++    cmd[i++] = (size - 1) << 16 | 0 << 8 | VIRGL_CCMD_RESOURCE_INLINE_WRITE;
++    cmd[i++] = resource.handle;
++    cmd[i++] = 0; // level
++    cmd[i++] = 0; // usage
++    cmd[i++] = 0; // stride
++    cmd[i++] = 0; // layer_stride
++    cmd[i++] = 0; // x
++    cmd[i++] = 0; // y
++    cmd[i++] = 0; // z
++    cmd[i++] = 8; // w
++    cmd[i++] = 4; // h
++    cmd[i++] = 3; // d
++    memset(&cmd[i], 0, size - i);
++
++    virgl_renderer_submit_cmd((void *) cmd, ctx_id, size);
++}
++
++
+ int main()
+ {
+    initialize_environment();
+@@ -980,6 +1035,8 @@ int main()
+    test_cs_nullpointer_deference();
+    test_vrend_set_signle_abo_heap_overflow();
+ 
++   test_vrend_set_shader_images_overflow();
++   test_vrend_3d_resource_overflow();
+ 
+    virgl_renderer_context_destroy(ctx_id);
+    virgl_renderer_cleanup(&cookie);
+-- 
+2.25.1
+
diff --git a/meta/recipes-graphics/virglrenderer/virglrenderer/cve-2022-0175.patch b/meta/recipes-graphics/virglrenderer/virglrenderer/cve-2022-0175.patch
new file mode 100644
index 0000000000..8bbb9eb579
--- /dev/null
+++ b/meta/recipes-graphics/virglrenderer/virglrenderer/cve-2022-0175.patch
@@ -0,0 +1,112 @@ 
+From 5ca7aca001092c557f0b6fc1ba3db7dcdab860b7 Mon Sep 17 00:00:00 2001
+From: Gert Wollny <gert.wollny@collabora.com>
+Date: Tue, 30 Nov 2021 09:29:42 +0100
+Subject: [PATCH 1/2] vrend: clear memory when allocating a host-backed memory
+ resource
+
+Closes: #249
+Signed-off-by: Gert Wollny <gert.wollny@collabora.com>
+Reviewed-by: Chia-I Wu <olvaffe@gmail.com>
+
+cherry-pick from anongit.freedesktop.org/virglrenderer
+commit b05bb61...
+
+CVE: CVE-2022-0175
+Upstream-Status: Backport
+Signed-off-by: Joe Slater <joe.slater@windriver.com>
+
+Patch to vrend_renderer.c modified to apply to version used by hardknott.
+Patch to test_virgl_transfer.c unchanged.
+
+Signed-off-by: Joe Slater <joe.slater@windriver.com>
+
+---
+ src/vrend_renderer.c        |  2 +-
+ tests/test_virgl_transfer.c | 51 +++++++++++++++++++++++++++++++++++++
+ 2 files changed, 52 insertions(+), 1 deletion(-)
+
+diff --git a/src/vrend_renderer.c b/src/vrend_renderer.c
+index ad7a351..d84f785 100644
+--- a/src/vrend_renderer.c
++++ b/src/vrend_renderer.c
+@@ -6646,7 +6646,7 @@ int vrend_renderer_resource_create(struct vrend_renderer_resource_create_args *a
+       if (args->bind == VIRGL_BIND_CUSTOM) {
+          /* use iovec directly when attached */
+          gr->storage_bits |= VREND_STORAGE_HOST_SYSTEM_MEMORY;
+-         gr->ptr = malloc(args->width);
++         gr->ptr = calloc(1, args->width);
+          if (!gr->ptr) {
+             FREE(gr);
+             return ENOMEM;
+diff --git a/tests/test_virgl_transfer.c b/tests/test_virgl_transfer.c
+index 2c8669a..8f8e98a 100644
+--- a/tests/test_virgl_transfer.c
++++ b/tests/test_virgl_transfer.c
+@@ -952,6 +952,56 @@ START_TEST(virgl_test_transfer_near_res_bounds_with_stride_succeeds)
+ }
+ END_TEST
+ 
++START_TEST(test_vrend_host_backed_memory_no_data_leak)
++{
++   struct iovec iovs[1];
++   int niovs = 1;
++
++   struct virgl_context ctx = {0};
++
++   int ret = testvirgl_init_ctx_cmdbuf(&ctx);
++
++   struct virgl_renderer_resource_create_args res;
++   res.handle = 0x400;
++   res.target = PIPE_BUFFER;
++   res.format = VIRGL_FORMAT_R8_UNORM;
++   res.nr_samples = 0;
++   res.last_level = 0;
++   res.array_size = 1;
++   res.bind = VIRGL_BIND_CUSTOM;
++   res.depth = 1;
++   res.width = 32;
++   res.height = 1;
++   res.flags = 0;
++
++   uint32_t size = 32;
++   uint8_t* data = calloc(1, size);
++   memset(data, 1, 32);
++   iovs[0].iov_base = data;
++   iovs[0].iov_len = size;
++
++   struct pipe_box box = {0,0,0, size, 1,1};
++
++   virgl_renderer_resource_create(&res, NULL, 0);
++   virgl_renderer_ctx_attach_resource(ctx.ctx_id, res.handle);
++
++   ret = virgl_renderer_transfer_read_iov(res.handle, ctx.ctx_id, 0, 0, 0,
++                                          (struct virgl_box *)&box, 0, iovs, niovs);
++
++   ck_assert_int_eq(ret, 0);
++
++   for (int i = 0; i < 32; ++i)
++      ck_assert_int_eq(data[i], 0);
++
++   virgl_renderer_ctx_detach_resource(1, res.handle);
++
++   virgl_renderer_resource_unref(res.handle);
++   free(data);
++
++}
++END_TEST
++
++
+ static Suite *virgl_init_suite(void)
+ {
+   Suite *s;
+@@ -981,6 +1031,7 @@ static Suite *virgl_init_suite(void)
+   tcase_add_test(tc_core, virgl_test_transfer_buffer_bad_strides);
+   tcase_add_test(tc_core, virgl_test_transfer_2d_array_bad_layer_stride);
+   tcase_add_test(tc_core, virgl_test_transfer_2d_bad_level);
++  tcase_add_test(tc_core, test_vrend_host_backed_memory_no_data_leak);
+ 
+   tcase_add_loop_test(tc_core, virgl_test_transfer_res_read_valid, 0, PIPE_MAX_TEXTURE_TYPES);
+   tcase_add_loop_test(tc_core, virgl_test_transfer_res_write_valid, 0, PIPE_MAX_TEXTURE_TYPES);
+-- 
+2.31.1
+
diff --git a/meta/recipes-graphics/virglrenderer/virglrenderer_0.8.2.bb b/meta/recipes-graphics/virglrenderer/virglrenderer_0.8.2.bb
index 7f035f820a..d92359565a 100644
--- a/meta/recipes-graphics/virglrenderer/virglrenderer_0.8.2.bb
+++ b/meta/recipes-graphics/virglrenderer/virglrenderer_0.8.2.bb
@@ -13,6 +13,8 @@  SRCREV = "7d204f3927be65fb3365dce01dbcd04d447a4985"
 SRC_URI = "git://anongit.freedesktop.org/virglrenderer;branch=master \
            file://0001-gallium-Expand-libc-check-to-be-platform-OS-check.patch \
            file://0001-meson.build-use-python3-directly-for-python.patch \
+           file://cve-2022-0135.patch \
+           file://cve-2022-0175.patch \
            "
 
 S = "${WORKDIR}/git"