Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: Gert Wollny <gewo@debian.org>
(CC'ing Gert Wollny <gewo@debian.org> as maintainer of virglrenderer so he is aware)
[ Reason ]
I'm currently preparing a security update for virglrenderer for LTS
and figured out that one of the fixed CVEs is not addressed in bullseye
yet.
The CVE fixed is CVE-2022-0135 (#1009073).
To have this CVE also fixed in bullseye, I'm asking for permission to upload a
targeted fix for the next stable point release.
The changes are on this branch:
https://salsa.debian.org/debian/virglrenderer/-/tree/debian/bullseye
namely adding this patch:
https://salsa.debian.org/debian/virglrenderer/-/blob/debian/bullseye/debian/patches/CVE-2022-0135.patch
[ Impact ]
The description of CVE-2022-0135 is:
An out-of-bounds write issue was found in the VirGL virtual OpenGL renderer
(virglrenderer). This flaw allows a malicious guest to create a specially
crafted virgil resource and then issue a VIRTGPU_EXECBUFFER ioctl, leading to a
denial of service or possible code execution.
[ Tests ]
Upstream provides a unit test which covers this CVE.
[ Risks ]
The patch is taken from upstream:
https://gitlab.freedesktop.org/virgl/virglrenderer/-/commit/95e581fd181b213c2ed7cdc63f2abc03eaaa77ec
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
--
tobi
diff -Nru virglrenderer-0.8.2/debian/changelog virglrenderer-0.8.2/debian/changelog
--- virglrenderer-0.8.2/debian/changelog 2020-12-07 13:38:41.000000000 +0100
+++ virglrenderer-0.8.2/debian/changelog 2022-12-07 17:24:59.000000000 +0100
@@ -1,3 +1,10 @@
+virglrenderer (0.8.2-5+deb11u1) bullseye; urgency=medium
+
+ * Non-maintainer upload by the LTS Security Team.
+ * Cherry-pick upstream fix for CVE-2022-0135. (Closes: #1009073)
+
+ -- Tobias Frost <tobi@debian.org> Wed, 07 Dec 2022 17:24:59 +0100
+
virglrenderer (0.8.2-5) unstable; urgency=medium
[ Christian Ehrhardt ]
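Review bot: the entry is labelled "Non-maintainer upload by the LTS Security Team" although this upload targets bullseye through stable-proposed-updates rather than an LTS suite; consider wording it as a plain NMU (or stable update) so the changelog matches the suite it lands in. The CVE line would also benefit from a short description of what is fixed, for example "out-of-bounds write via a crafted resource and VIRTGPU_EXECBUFFER (CVE-2022-0135)", so the fix is identifiable from the changelog alone; version 0.8.2-5+deb11u1 and the Closes: #1009073 reference are correct for this request.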
diff -Nru virglrenderer-0.8.2/debian/patches/CVE-2022-0135.patch virglrenderer-0.8.2/debian/patches/CVE-2022-0135.patch
--- virglrenderer-0.8.2/debian/patches/CVE-2022-0135.patch 1970-01-01 01:00:00.000000000 +0100
+++ virglrenderer-0.8.2/debian/patches/CVE-2022-0135.patch 2022-12-07 17:24:59.000000000 +0100
@@ -0,0 +1,83 @@
+Description: CVE-2022-0135
+ An out-of-bounds write issue was found in the VirGL virtual OpenGL
+ renderer (virglrenderer). This flaw allows a malicious guest to create a
+ specially crafted virgil resource and then issue a VIRTGPU_EXECBUFFER ioctl,
+ leading to a denial of service or possible code execution.
+Origin: https://gitlab.freedesktop.org/virgl/virglrenderer/-/commit/95e581fd181b213c2ed7cdc63f2abc03eaaa77ec
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1009073
+Last-Update: 2022-12-05 <YYYY-MM-DD, last update of the meta-information, optional>
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/src/vrend_renderer.c
++++ b/src/vrend_renderer.c
+@@ -7097,8 +7097,11 @@
+ info->box->height) * elsize;
+ if (res->target == GL_TEXTURE_3D ||
+ res->target == GL_TEXTURE_2D_ARRAY ||
++ res->target == GL_TEXTURE_2D_MULTISAMPLE_ARRAY ||
+ res->target == GL_TEXTURE_CUBE_MAP_ARRAY)
+ send_size *= info->box->depth;
++ else if (need_temp && info->box->depth != 1)
++ return EINVAL;
+
+ if (need_temp) {
+ data = malloc(send_size);
+--- a/tests/test_fuzzer_formats.c
++++ b/tests/test_fuzzer_formats.c
+@@ -958,6 +958,48 @@
+ virgl_renderer_submit_cmd((void *) cmd, ctx_id, 0xde);
+ }
+
++/* Test adapted from yaojun8558363@gmail.com:
++ * https://gitlab.freedesktop.org/virgl/virglrenderer/-/issues/250
++*/
++static void test_vrend_3d_resource_overflow() {
++
++ struct virgl_renderer_resource_create_args resource;
++ resource.handle = 0x4c474572;
++ resource.target = PIPE_TEXTURE_2D_ARRAY;
++ resource.format = VIRGL_FORMAT_Z24X8_UNORM;
++ resource.nr_samples = 2;
++ resource.last_level = 0;
++ resource.array_size = 3;
++ resource.bind = VIRGL_BIND_SAMPLER_VIEW;
++ resource.depth = 1;
++ resource.width = 8;
++ resource.height = 4;
++ resource.flags = 0;
++
++ virgl_renderer_resource_create(&resource, NULL, 0);
++ virgl_renderer_ctx_attach_resource(ctx_id, resource.handle);
++
++ uint32_t size = 0x400;
++ uint32_t cmd[size];
++ int i = 0;
++ cmd[i++] = (size - 1) << 16 | 0 << 8 | VIRGL_CCMD_RESOURCE_INLINE_WRITE;
++ cmd[i++] = resource.handle;
++ cmd[i++] = 0; // level
++ cmd[i++] = 0; // usage
++ cmd[i++] = 0; // stride
++ cmd[i++] = 0; // layer_stride
++ cmd[i++] = 0; // x
++ cmd[i++] = 0; // y
++ cmd[i++] = 0; // z
++ cmd[i++] = 8; // w
++ cmd[i++] = 4; // h
++ cmd[i++] = 3; // d
++ memset(&cmd[i], 0, size - i);
++
++ virgl_renderer_submit_cmd((void *) cmd, ctx_id, size);
++}
++
++
+ int main()
+ {
+ initialize_environment();
+@@ -980,6 +1022,7 @@
+ test_cs_nullpointer_deference();
+ test_vrend_set_signle_abo_heap_overflow();
+
++ test_vrend_3d_resource_overflow();
+
+ virgl_renderer_context_destroy(ctx_id);
+ virgl_renderer_cleanup(&cookie);
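Review bot: the DEP-3 header of the new patch still carries template text: `+Last-Update: 2022-12-05 <YYYY-MM-DD, last update of the meta-information, optional>` should be reduced to `Last-Update: 2022-12-05`, and the line `This patch header follows DEP-3: http://dep.debian.net/deps/dep3/` after the `---` separator is template boilerplate that should be dropped (an `Author:` field naming the upstream committer would be a useful addition next to `Origin:`). The embedded hunks keep upstream's line numbers (`@@ -7097,8 +7097,11 @@`, `@@ -958,6 +958,48 @@`), which may not match the 0.8.2 sources, so the build log should be checked to confirm quilt applies them without fuzz. On the code itself the backport is consistent with the description: GL_TEXTURE_2D_MULTISAMPLE_ARRAY is now treated as a layered target so `send_size` is multiplied by `info->box->depth`, and a depth other than 1 on a non-layered target now returns EINVAL before `malloc(send_size)`, while the added test exercises exactly that path (a PIPE_TEXTURE_2D_ARRAY resource with `nr_samples = 2` followed by an inline write with `d = 3`). One upstream test nit worth reporting rather than patching here: `memset(&cmd[i], 0, size - i)` clears `size - i` bytes of a `uint32_t` array, so only a quarter of the remaining command buffer is zeroed.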
diff -Nru virglrenderer-0.8.2/debian/patches/series virglrenderer-0.8.2/debian/patches/series
--- virglrenderer-0.8.2/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ virglrenderer-0.8.2/debian/patches/series 2022-12-07 17:24:59.000000000 +0100
@@ -0,0 +1 @@
+CVE-2022-0135.patch