diff options
author | Dave Airlie <[email protected]> | 2013-05-30 09:51:41 +1000 |
---|---|---|
committer | Dave Airlie <[email protected]> | 2013-05-30 12:59:34 +1000 |
commit | 98dfd59a0445666060c97b0dccaf0e9f030b547a (patch) | |
tree | 2e40353b8096a048e14cb4d1ade37738623b3603 | |
parent | 02fe736cc0e6866daa50aaae1ed7b977522eaf65 (diff) |
i965: fix problem with constant out of bounds access (v2)
This is my attempt at fixing this as the CVE is making RH security team
care enough to make me look at this. (please upstream, security fixes are
more important than whatever else you are doing, if for no other reason than
it saves me having to fix stuff I've no real clue about).
Since Frank's original fix was denied, here is my attempt to just
alias all constants that are out of bounds < 0 or > nr_params to constant 0,
hopefully this provides the undefined behaviour idr requires..
CVE-2013-1872
v2: drop the last hunk which was a separate fix (now in master).
hopefully fix the indentations.
NOTE: This is a candidate for stable branches.
Reviewed-by: Kenneth Graunke <[email protected]>
Signed-off-by: Dave Airlie <[email protected]>
-rw-r--r-- | src/mesa/drivers/dri/i965/brw_fs.cpp | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/src/mesa/drivers/dri/i965/brw_fs.cpp b/src/mesa/drivers/dri/i965/brw_fs.cpp index baaa25c1347..9efdfc8e485 100644 --- a/src/mesa/drivers/dri/i965/brw_fs.cpp +++ b/src/mesa/drivers/dri/i965/brw_fs.cpp @@ -1504,7 +1504,13 @@ fs_visitor::remove_dead_constants() if (inst->src[i].file != UNIFORM) continue; - assert(constant_nr < (int)c->prog_data.nr_params); + /* if we get a negative constant nr or one greater than we can + * handle, this can cause an overflow, we can't just refuse to + * build, so just go undefined and alias everyone to constant 0. + */ + if (constant_nr < 0 || constant_nr >= (int)c->prog_data.nr_params) { + constant_nr = 0; + } /* For now, set this to non-negative. We'll give it the * actual new number in a moment, in order to keep the @@ -1552,6 +1558,10 @@ fs_visitor::remove_dead_constants() if (inst->src[i].file != UNIFORM) continue; + /* as above alias to 0 */ + if (constant_nr < 0 || constant_nr >= (int)c->prog_data.nr_params) { + constant_nr = 0; + } assert(this->params_remap[constant_nr] != -1); inst->src[i].reg = this->params_remap[constant_nr]; inst->src[i].reg_offset = 0; |