new file mode 100644
@@ -0,0 +1,117 @@
+From 63aee871365f9c9e7fa9125672302a0fb250d34d Mon Sep 17 00:00:00 2001
+From: Gert Wollny <gert.wollny@collabora.com>
+Date: Tue, 30 Nov 2021 09:16:24 +0100
+Subject: [PATCH 2/2] vrend: propperly check whether the shader image range is
+ correct
+
+Also add a test to check the integer underflow.
+
+Closes: #251
+Signed-off-by: Gert Wollny <gert.wollny@collabora.com>
+Reviewed-by: Chia-I Wu <olvaffe@gmail.com>
+
+cherry-pick from anongit.freedesktop.org/virglrenderer
+commit 2aed5d4...
+
+CVE: CVE-2022-0135
+Upstream-Status: Backport
+Signed-off-by: Joe Slater <joe.slater@windriver.com>
+
+---
+ src/vrend_decode.c | 3 +-
+ tests/test_fuzzer_formats.c | 57 +++++++++++++++++++++++++++++++++++++
+ 2 files changed, 59 insertions(+), 1 deletion(-)
+
+diff --git a/src/vrend_decode.c b/src/vrend_decode.c
+index 91f5f24..6771b10 100644
+--- a/src/vrend_decode.c
++++ b/src/vrend_decode.c
+@@ -1249,8 +1249,9 @@ static int vrend_decode_set_shader_images(struct vrend_context *ctx, const uint3
+ if (num_images < 1) {
+ return 0;
+ }
++
+ if (start_slot > PIPE_MAX_SHADER_IMAGES ||
+- start_slot > PIPE_MAX_SHADER_IMAGES - num_images)
++ start_slot + num_images > PIPE_MAX_SHADER_IMAGES)
+ return EINVAL;
+
+ for (uint32_t i = 0; i < num_images; i++) {
+diff --git a/tests/test_fuzzer_formats.c b/tests/test_fuzzer_formats.c
+index 154a2e5..e32caf0 100644
+--- a/tests/test_fuzzer_formats.c
++++ b/tests/test_fuzzer_formats.c
+@@ -958,6 +958,61 @@ static void test_vrend_set_signle_abo_heap_overflow() {
+ virgl_renderer_submit_cmd((void *) cmd, ctx_id, 0xde);
+ }
+
++static void test_vrend_set_shader_images_overflow()
++{
++ uint32_t num_shaders = PIPE_MAX_SHADER_IMAGES + 1;
++ uint32_t size = num_shaders * VIRGL_SET_SHADER_IMAGE_ELEMENT_SIZE + 3;
++ uint32_t cmd[size];
++ int i = 0;
++ cmd[i++] = ((size - 1)<< 16) | 0 << 8 | VIRGL_CCMD_SET_SHADER_IMAGES;
++ cmd[i++] = PIPE_SHADER_FRAGMENT;
++ memset(&cmd[i], 0, size - i);
++
++ virgl_renderer_submit_cmd((void *) cmd, ctx_id, size);
++}
++
++/* Test adapted from yaojun8558363@gmail.com:
++ * https://gitlab.freedesktop.org/virgl/virglrenderer/-/issues/250
++*/
++static void test_vrend_3d_resource_overflow() {
++
++ struct virgl_renderer_resource_create_args resource;
++ resource.handle = 0x4c474572;
++ resource.target = PIPE_TEXTURE_2D_ARRAY;
++ resource.format = VIRGL_FORMAT_Z24X8_UNORM;
++ resource.nr_samples = 2;
++ resource.last_level = 0;
++ resource.array_size = 3;
++ resource.bind = VIRGL_BIND_SAMPLER_VIEW;
++ resource.depth = 1;
++ resource.width = 8;
++ resource.height = 4;
++ resource.flags = 0;
++
++ virgl_renderer_resource_create(&resource, NULL, 0);
++ virgl_renderer_ctx_attach_resource(ctx_id, resource.handle);
++
++ uint32_t size = 0x400;
++ uint32_t cmd[size];
++ int i = 0;
++ cmd[i++] = (size - 1) << 16 | 0 << 8 | VIRGL_CCMD_RESOURCE_INLINE_WRITE;
++ cmd[i++] = resource.handle;
++ cmd[i++] = 0; // level
++ cmd[i++] = 0; // usage
++ cmd[i++] = 0; // stride
++ cmd[i++] = 0; // layer_stride
++ cmd[i++] = 0; // x
++ cmd[i++] = 0; // y
++ cmd[i++] = 0; // z
++ cmd[i++] = 8; // w
++ cmd[i++] = 4; // h
++ cmd[i++] = 3; // d
++ memset(&cmd[i], 0, size - i);
++
++ virgl_renderer_submit_cmd((void *) cmd, ctx_id, size);
++}
++
++
+ int main()
+ {
+ initialize_environment();
+@@ -980,6 +1035,8 @@ int main()
+ test_cs_nullpointer_deference();
+ test_vrend_set_signle_abo_heap_overflow();
+
++ test_vrend_set_shader_images_overflow();
++ test_vrend_3d_resource_overflow();
+
+ virgl_renderer_context_destroy(ctx_id);
+ virgl_renderer_cleanup(&cookie);
+--
+2.25.1
+
new file mode 100644
@@ -0,0 +1,107 @@
+From 5ca7aca001092c557f0b6fc1ba3db7dcdab860b7 Mon Sep 17 00:00:00 2001
+From: Gert Wollny <gert.wollny@collabora.com>
+Date: Tue, 30 Nov 2021 09:29:42 +0100
+Subject: [PATCH 1/2] vrend: clear memory when allocating a host-backed memory
+ resource
+
+Closes: #249
+Signed-off-by: Gert Wollny <gert.wollny@collabora.com>
+Reviewed-by: Chia-I Wu <olvaffe@gmail.com>
+
+cherry-pick from anongit.freedesktop.org/virglrenderer
+commit b05bb61...
+
+CVE: CVE-2022-0175
+Upstream-Status: Backport
+Signed-off-by: Joe Slater <joe.slater@windriver.com>
+
+---
+ src/vrend_renderer.c | 2 +-
+ tests/test_virgl_transfer.c | 51 +++++++++++++++++++++++++++++++++++++
+ 2 files changed, 52 insertions(+), 1 deletion(-)
+
+diff --git a/src/vrend_renderer.c b/src/vrend_renderer.c
+index b8b2a36..2650cf2 100644
+--- a/src/vrend_renderer.c
++++ b/src/vrend_renderer.c
+@@ -6788,7 +6788,7 @@ vrend_resource_alloc_buffer(struct vrend_resource *gr, uint32_t flags)
+ if (bind == VIRGL_BIND_CUSTOM) {
+ /* use iovec directly when attached */
+ gr->storage_bits |= VREND_STORAGE_HOST_SYSTEM_MEMORY;
+- gr->ptr = malloc(size);
++ gr->ptr = calloc(1, size);
+ if (!gr->ptr)
+ return -ENOMEM;
+ } else if (bind == VIRGL_BIND_STAGING) {
+diff --git a/tests/test_virgl_transfer.c b/tests/test_virgl_transfer.c
+index bf7f438..3c53c3d 100644
+--- a/tests/test_virgl_transfer.c
++++ b/tests/test_virgl_transfer.c
+@@ -952,6 +952,56 @@ START_TEST(virgl_test_transfer_near_res_bounds_with_stride_succeeds)
+ }
+ END_TEST
+
++START_TEST(test_vrend_host_backed_memory_no_data_leak)
++{
++ struct iovec iovs[1];
++ int niovs = 1;
++
++ struct virgl_context ctx = {0};
++
++ int ret = testvirgl_init_ctx_cmdbuf(&ctx);
++
++ struct virgl_renderer_resource_create_args res;
++ res.handle = 0x400;
++ res.target = PIPE_BUFFER;
++ res.format = VIRGL_FORMAT_R8_UNORM;
++ res.nr_samples = 0;
++ res.last_level = 0;
++ res.array_size = 1;
++ res.bind = VIRGL_BIND_CUSTOM;
++ res.depth = 1;
++ res.width = 32;
++ res.height = 1;
++ res.flags = 0;
++
++ uint32_t size = 32;
++ uint8_t* data = calloc(1, size);
++ memset(data, 1, 32);
++ iovs[0].iov_base = data;
++ iovs[0].iov_len = size;
++
++ struct pipe_box box = {0,0,0, size, 1,1};
++
++ virgl_renderer_resource_create(&res, NULL, 0);
++ virgl_renderer_ctx_attach_resource(ctx.ctx_id, res.handle);
++
++ ret = virgl_renderer_transfer_read_iov(res.handle, ctx.ctx_id, 0, 0, 0,
++ (struct virgl_box *)&box, 0, iovs, niovs);
++
++ ck_assert_int_eq(ret, 0);
++
++ for (int i = 0; i < 32; ++i)
++ ck_assert_int_eq(data[i], 0);
++
++ virgl_renderer_ctx_detach_resource(1, res.handle);
++
++ virgl_renderer_resource_unref(res.handle);
++ free(data);
++
++}
++END_TEST
++
++
+ static Suite *virgl_init_suite(void)
+ {
+ Suite *s;
+@@ -981,6 +1031,7 @@ static Suite *virgl_init_suite(void)
+ tcase_add_test(tc_core, virgl_test_transfer_buffer_bad_strides);
+ tcase_add_test(tc_core, virgl_test_transfer_2d_array_bad_layer_stride);
+ tcase_add_test(tc_core, virgl_test_transfer_2d_bad_level);
++ tcase_add_test(tc_core, test_vrend_host_backed_memory_no_data_leak);
+
+ tcase_add_loop_test(tc_core, virgl_test_transfer_res_read_valid, 0, PIPE_MAX_TEXTURE_TYPES);
+ tcase_add_loop_test(tc_core, virgl_test_transfer_res_write_valid, 0, PIPE_MAX_TEXTURE_TYPES);
+--
+2.25.1
+
@@ -12,6 +12,8 @@ DEPENDS = "libdrm virtual/libgl virtual/libgbm libepoxy"
SRCREV = "363915595e05fb252e70d6514be2f0c0b5ca312b"
SRC_URI = "git://anongit.freedesktop.org/virglrenderer;branch=branch-0.9.1 \
file://0001-meson.build-use-python3-directly-for-python.patch \
+ file://cve-2022-0135.patch \
+ file://cve-2022-0175.patch \
"
S = "${WORKDIR}/git"
CVE-2022-0135 concerns out-of-bounds writes in read_transfer_data(). CVE-2022-0175 concerns using malloc() instead of calloc(). We "cherry-pick" from upstream. The actual cherry-picks are from upstream master to branch-0.9.1 and are the patches entered here. Signed-off-by: Joe Slater <joe.slater@windriver.com> --- .../virglrenderer/cve-2022-0135.patch | 117 ++++++++++++++++++ .../virglrenderer/cve-2022-0175.patch | 107 ++++++++++++++++ .../virglrenderer/virglrenderer_0.9.1.bb | 2 + 3 files changed, 226 insertions(+) create mode 100644 meta/recipes-graphics/virglrenderer/virglrenderer/cve-2022-0135.patch create mode 100644 meta/recipes-graphics/virglrenderer/virglrenderer/cve-2022-0175.patch