
Bug#1025700: marked as done (bullseye-pu: package virglrenderer/0.8.2-5+deb11u1)



Your message dated Sat, 17 Dec 2022 10:57:10 +0000
with message-id <03e9b90cf2f149b9e2835590c9ec0ccb048b744d.camel@adam-barratt.org.uk>
and subject line Closing p-u requests for fixes included in 11.6
has caused the Debian Bug report #1025700,
regarding bullseye-pu: package virglrenderer/0.8.2-5+deb11u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1025700: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1025700
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: Gert Wollny <gewo@debian.org>

(CC'ing Gert Wollny <gewo@debian.org> as maintainer of virglrenderer so he is aware)

[ Reason ]

I'm currently preparing a security update for virglrenderer for LTS
and figured out that one of the fixed CVEs is not addressed in bullseye
yet.

The CVE fixed is CVE-2022-0135 (#1009073).

To have this CVE also fixed in bullseye, I'm asking for permission to upload a
targeted fix for the next stable point release.

The changes are on this branch:
https://salsa.debian.org/debian/virglrenderer/-/tree/debian/bullseye
namely adding this patch:
https://salsa.debian.org/debian/virglrenderer/-/blob/debian/bullseye/debian/patches/CVE-2022-0135.patch


[ Impact ]
The description of CVE-2022-0135 is:
 An out-of-bounds write issue was found in the VirGL virtual OpenGL renderer
 (virglrenderer). This flaw allows a malicious guest to create a specially
 crafted virgil resource and then issue a VIRTGPU_EXECBUFFER ioctl, leading to a
 denial of service or possible code execution.

[ Tests ]

Upstream provides a unit test which covers this CVE.

[ Risks ]

The patch is taken from upstream:
https://gitlab.freedesktop.org/virgl/virglrenderer/-/commit/95e581fd181b213c2ed7cdc63f2abc03eaaa77ec

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

-- 
tobi
diff -Nru virglrenderer-0.8.2/debian/changelog virglrenderer-0.8.2/debian/changelog
--- virglrenderer-0.8.2/debian/changelog	2020-12-07 13:38:41.000000000 +0100
+++ virglrenderer-0.8.2/debian/changelog	2022-12-07 17:24:59.000000000 +0100
@@ -1,3 +1,10 @@
+virglrenderer (0.8.2-5+deb11u1) bullseye; urgency=medium
+
+  * Non-maintainer upload by the LTS Security Team.
+  * Cherry-pick upstream fix for CVE-2022-0135. (Closes: #1009073)
+
+ -- Tobias Frost <tobi@debian.org>  Wed, 07 Dec 2022 17:24:59 +0100
+
 virglrenderer (0.8.2-5) unstable; urgency=medium
 
   [ Christian Ehrhardt ]
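Review bot: the changelog line `* Cherry-pick upstream fix for CVE-2022-0135. (Closes: #1009073)` gives only the CVE id; adding a few words on what it fixes (an out-of-bounds write reachable by a malicious guest through VIRTGPU_EXECBUFFER, as the DEP-3 header in the same debdiff states) lets administrators reading the changelog judge urgency without looking the id up.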
diff -Nru virglrenderer-0.8.2/debian/patches/CVE-2022-0135.patch virglrenderer-0.8.2/debian/patches/CVE-2022-0135.patch
--- virglrenderer-0.8.2/debian/patches/CVE-2022-0135.patch	1970-01-01 01:00:00.000000000 +0100
+++ virglrenderer-0.8.2/debian/patches/CVE-2022-0135.patch	2022-12-07 17:24:59.000000000 +0100
@@ -0,0 +1,83 @@
+Description: CVE-2022-0135
+ An out-of-bounds write issue was found in the VirGL virtual OpenGL
+ renderer (virglrenderer). This flaw allows a malicious guest to create a
+ specially crafted virgil resource and then issue a VIRTGPU_EXECBUFFER ioctl,
+ leading to a denial of service or possible code execution.  
+Origin: https://gitlab.freedesktop.org/virgl/virglrenderer/-/commit/95e581fd181b213c2ed7cdc63f2abc03eaaa77ec
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1009073
+Last-Update: 2022-12-05 <YYYY-MM-DD, last update of the meta-information, optional>
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
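Review bot: the DEP-3 header still carries template text: `Last-Update: 2022-12-05 <YYYY-MM-DD, last update of the meta-information, optional>` should lose the angle-bracket hint, and `This patch header follows DEP-3: http://dep.debian.net/deps/dep3/` is leftover template boilerplate that can be dropped; the last Description line also ends in trailing whitespace. Worth trimming before upload, since this file ships in the source package.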
+--- a/src/vrend_renderer.c
++++ b/src/vrend_renderer.c
+@@ -7097,8 +7097,11 @@
+                                           info->box->height) * elsize;
+       if (res->target == GL_TEXTURE_3D ||
+           res->target == GL_TEXTURE_2D_ARRAY ||
++          res->target == GL_TEXTURE_2D_MULTISAMPLE_ARRAY ||
+           res->target == GL_TEXTURE_CUBE_MAP_ARRAY)
+           send_size *= info->box->depth;
++      else if (need_temp && info->box->depth != 1)
++         return EINVAL;
+ 
+       if (need_temp) {
+          data = malloc(send_size);
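Review bot: the new `else if (need_temp && info->box->depth != 1) return EINVAL;` sits before `data = malloc(send_size);`, so refusing the box leaks nothing from this function, but the branch deserves a one-line comment: GL_TEXTURE_2D_MULTISAMPLE_ARRAY joins the layered targets so `send_size` accounts for depth, and any other target with depth != 1 on the temporary-buffer path is refused because the buffer would otherwise be sized for a single layer. Please also confirm that the caller treats a positive errno return as a rejected command; the visible context does not show it.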
+--- a/tests/test_fuzzer_formats.c
++++ b/tests/test_fuzzer_formats.c
+@@ -958,6 +958,48 @@
+     virgl_renderer_submit_cmd((void *) cmd, ctx_id, 0xde);
+ }
+ 
++/* Test adapted from yaojun8558363@gmail.com:
++ * https://gitlab.freedesktop.org/virgl/virglrenderer/-/issues/250
++*/
++static void test_vrend_3d_resource_overflow() {
++
++    struct virgl_renderer_resource_create_args resource;
++    resource.handle = 0x4c474572;
++    resource.target = PIPE_TEXTURE_2D_ARRAY;
++    resource.format = VIRGL_FORMAT_Z24X8_UNORM;
++    resource.nr_samples = 2;
++    resource.last_level = 0;
++    resource.array_size = 3;
++    resource.bind = VIRGL_BIND_SAMPLER_VIEW;
++    resource.depth = 1;
++    resource.width = 8;
++    resource.height = 4;
++    resource.flags = 0;
++
++    virgl_renderer_resource_create(&resource, NULL, 0);
++    virgl_renderer_ctx_attach_resource(ctx_id, resource.handle);
++
++    uint32_t size = 0x400;
++    uint32_t cmd[size];
++    int i = 0;
++    cmd[i++] = (size - 1) << 16 | 0 << 8 | VIRGL_CCMD_RESOURCE_INLINE_WRITE;
++    cmd[i++] = resource.handle;
++    cmd[i++] = 0; // level
++    cmd[i++] = 0; // usage
++    cmd[i++] = 0; // stride
++    cmd[i++] = 0; // layer_stride
++    cmd[i++] = 0; // x
++    cmd[i++] = 0; // y
++    cmd[i++] = 0; // z
++    cmd[i++] = 8; // w
++    cmd[i++] = 4; // h
++    cmd[i++] = 3; // d
++    memset(&cmd[i], 0, size - i);
++
++    virgl_renderer_submit_cmd((void *) cmd, ctx_id, size);
++}
++
++
+ int main()
+ {
+    initialize_environment();
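Review bot: in `test_vrend_3d_resource_overflow`, `memset(&cmd[i], 0, size - i);` zeroes `size - i` bytes rather than `size - i` uint32_t slots, so most of the 0x400-dword command buffer is submitted uninitialised; use `(size - i) * sizeof(cmd[0])`. The empty parameter list in `static void test_vrend_3d_resource_overflow()` should be `(void)` in C, and the two added blank lines before `int main()` are one more than the surrounding file uses.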
+@@ -980,6 +1022,7 @@
+    test_cs_nullpointer_deference();
+    test_vrend_set_signle_abo_heap_overflow();
+ 
++   test_vrend_3d_resource_overflow();
+ 
+    virgl_renderer_context_destroy(ctx_id);
+    virgl_renderer_cleanup(&cookie);
diff -Nru virglrenderer-0.8.2/debian/patches/series virglrenderer-0.8.2/debian/patches/series
--- virglrenderer-0.8.2/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ virglrenderer-0.8.2/debian/patches/series	2022-12-07 17:24:59.000000000 +0100
@@ -0,0 +1 @@
+CVE-2022-0135.patch

--- End Message ---
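To show why the added `else if` in the vrend_renderer.c hunk matters, here is a small C model added by the editor (it is not virglrenderer's code). It reproduces the upload-buffer arithmetic visible in the hunk for the resource the upstream test creates (a 2D array with `nr_samples = 2`, i.e. a multisample array target, written with an 8 x 4 x 3 box) and compares the allocation with the bytes a layered write would copy, with and without the fix. Assumptions: the factor cut off in the diff context is `width * height`, the element size of VIRGL_FORMAT_Z24X8_UNORM is 4 bytes, and the enum names are the example's own.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Targets named in the vrend_renderer.c hunk; enum names are this example's own. */
enum tex_target {
    TEX_2D,
    TEX_3D,
    TEX_2D_ARRAY,
    TEX_2D_MULTISAMPLE_ARRAY,
    TEX_CUBE_MAP_ARRAY
};

/* Sub-region of a resource, as info->box in the hunk. */
struct box { uint32_t width, height, depth; };

/* Targets whose upload size is multiplied by box depth.
 * Before the fix the multisample array target was missing from this list. */
static bool is_layered(enum tex_target t, bool fixed)
{
    switch (t) {
    case TEX_3D:
    case TEX_2D_ARRAY:
    case TEX_CUBE_MAP_ARRAY:
        return true;
    case TEX_2D_MULTISAMPLE_ARRAY:
        return fixed;
    default:
        return false;
    }
}

/* Size of the temporary upload buffer, mirroring the arithmetic around the
 * hunk. Assumption: the factor cut off in the diff context is width * height.
 * With the fix, a non-layered target with depth != 1 on the temp-buffer path
 * is refused (returns 0, *err = EINVAL) instead of being under-allocated. */
static size_t temp_buffer_size(enum tex_target t, const struct box *b,
                               size_t elsize, bool need_temp, bool fixed, int *err)
{
    size_t send_size = (size_t)b->width * b->height * elsize;
    *err = 0;
    if (is_layered(t, fixed)) {
        send_size *= b->depth;
    } else if (fixed && need_temp && b->depth != 1) {
        *err = EINVAL;
        return 0;
    }
    return send_size;
}

/* Bytes an inline write of all `depth` layers of the box would copy. */
static size_t bytes_written(const struct box *b, size_t elsize)
{
    return (size_t)b->width * b->height * b->depth * elsize;
}

/* Classify one case on the temporary-buffer path:
 *  1  the write would exceed the allocation (the CVE-2022-0135 condition)
 *  0  the allocation is large enough
 * -1  the command is rejected with EINVAL before anything is allocated */
static int check_inline_write(enum tex_target t, uint32_t w, uint32_t h,
                              uint32_t d, size_t elsize, bool fixed)
{
    struct box b = { w, h, d };
    int err;
    size_t alloc = temp_buffer_size(t, &b, elsize, true, fixed, &err);
    if (err == EINVAL)
        return -1;
    return bytes_written(&b, elsize) > alloc ? 1 : 0;
}

int main(void)
{
    /* Constructed input: the 8 x 4 x 3 box from the upstream test on a
     * multisample array target; element size 4 assumed for Z24X8_UNORM. */
    printf("multisample array, unfixed: %d\n",
           check_inline_write(TEX_2D_MULTISAMPLE_ARRAY, 8, 4, 3, 4, false));
    printf("multisample array, fixed:   %d\n",
           check_inline_write(TEX_2D_MULTISAMPLE_ARRAY, 8, 4, 3, 4, true));
    printf("plain 2D, depth 3, fixed:   %d\n",
           check_inline_write(TEX_2D, 8, 4, 3, 4, true));
    return 0;
}
```

Before the fix the multisample array case allocates one layer (128 bytes) while the write carries three (384 bytes), which is the out-of-bounds write in the CVE description; after the fix the same box gets a 384-byte buffer, and a plain 2D target asked for depth 3 is refused with EINVAL before any allocation happens.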
--- Begin Message ---
Package: release.debian.org
Version: 11.6

Hi,

Each of the updates referred to in these requests was included in this
morning's 11.6 point release.

Regards,

Adam

--- End Message ---
