authorDave Airlie <[email protected]>2013-05-30 09:51:41 +1000
committerDave Airlie <[email protected]>2013-05-30 12:59:34 +1000
commit98dfd59a0445666060c97b0dccaf0e9f030b547a (patch)
tree2e40353b8096a048e14cb4d1ade37738623b3603
parent02fe736cc0e6866daa50aaae1ed7b977522eaf65 (diff)
i965: fix problem with constant out of bounds access (v2)
This is my attempt at fixing this as the CVE is making RH security team care enough to make me look at this. (please upstream, security fixes are more important than whatever else you are doing, if for no other reason than it saves me having to fix stuff I've no real clue about). Since Frank's original fix was denied, here is my attempt to just alias all constants that are out of bounds < 0 or > nr_params to constant 0, hopefully this provides the undefined behaviour idr requires.. CVE-2013-1872 v2: drop the last hunk which was a separate fix (now in master). hopefully fix the indentations. NOTE: This is a candidate for stable branches. Reviewed-by: Kenneth Graunke <[email protected]> Signed-off-by: Dave Airlie <[email protected]>
-rw-r--r--src/mesa/drivers/dri/i965/brw_fs.cpp12
1 files changed, 11 insertions, 1 deletions
diff --git a/src/mesa/drivers/dri/i965/brw_fs.cpp b/src/mesa/drivers/dri/i965/brw_fs.cpp
index baaa25c1347..9efdfc8e485 100644
--- a/src/mesa/drivers/dri/i965/brw_fs.cpp
+++ b/src/mesa/drivers/dri/i965/brw_fs.cpp
@@ -1504,7 +1504,13 @@ fs_visitor::remove_dead_constants()
if (inst->src[i].file != UNIFORM)
continue;
- assert(constant_nr < (int)c->prog_data.nr_params);
+ /* if we get a negative constant nr or one greater than we can
+ * handle, this can cause an overflow, we can't just refuse to
+ * build, so just go undefined and alias everyone to constant 0.
+ */
+ if (constant_nr < 0 || constant_nr >= (int)c->prog_data.nr_params) {
+ constant_nr = 0;
+ }
/* For now, set this to non-negative. We'll give it the
* actual new number in a moment, in order to keep the
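Review bot: The fallback `constant_nr = 0` is only in range when `c->prog_data.nr_params` is at least 1; when it is 0 the new condition is true for every value, and the reference is aliased to an element that does not exist. The array indexed after this check lies outside the hunk, as does the rest of remove_dead_constants(), so whether a UNIFORM source can occur with zero params cannot be confirmed from here. If it can, that case needs handling before the clamp; if it cannot, state the invariant in the comment, e.g. `/* nr_params >= 1 whenever a UNIFORM source exists, so index 0 is valid */`. The aliasing is also silent, so a one-time debug message on this path would make a shader that triggers it visible to whoever investigates later.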
@@ -1552,6 +1558,10 @@ fs_visitor::remove_dead_constants()
if (inst->src[i].file != UNIFORM)
continue;
+ /* as above alias to 0 */
+ if (constant_nr < 0 || constant_nr >= (int)c->prog_data.nr_params) {
+ constant_nr = 0;
+ }
assert(this->params_remap[constant_nr] != -1);
inst->src[i].reg = this->params_remap[constant_nr];
inst->src[i].reg_offset = 0;
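Review bot: The only check on the remapped value here is `assert(this->params_remap[constant_nr] != -1)`, which is compiled out in release builds, so an aliased reference whose slot 0 was never marked live would store -1 into `inst->src[i].reg`. Safety therefore depends on this clamp staying identical to the one in the first hunk, which presumably marks the aliased slot as used; two hand-copied conditions can drift apart. Consider one small shared helper for both loops, or at least replace `/* as above alias to 0 */` with `/* Must match the clamp in the first loop, which marked slot 0 live for out-of-range references. */`. The loop body continues outside the hunk.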