mesa: Changes to 'debian-unstable'
debian/changelog | 6 ++++++
src/mesa/drivers/dri/i965/brw_fs.cpp | 15 ++++++++++++++-
src/mesa/drivers/dri/i965/brw_fs.h | 4 ++++
3 files changed, 24 insertions(+), 1 deletion(-)
New commits:
commit cbb2e666056321eeec9ab452f44fb1a5f2041f4c
Author: Julien Cristau <julien.cristau@logilab.fr>
Date: Wed Jun 5 16:02:00 2013 +0200
Upload to unstable
diff --git a/debian/changelog b/debian/changelog
index ed6f909..51f7451 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+mesa (8.0.5-7) sid; urgency=high
+
+ * Memory corruption (OOB read/write) in i965 driver [CVE-2013-1872]
+
+ -- Julien Cristau <jcristau@debian.org> Wed, 05 Jun 2013 16:00:42 +0200
+
mesa (8.0.5-6) sid; urgency=high
* integer overflows calculating memory needs for replies [CVE-2013-1993]
commit 2a1c64f4937e19d7eb471f0518d158dd34d3c8f6
Author: Dave Airlie <airlied@gmail.com>
Date: Thu May 30 20:21:56 2013 +1000
i965: fix problem with constant out of bounds access (v3)
Okay I now understand why Frank would want to run away, this is
my attempt at fixing the CVE out of bounds access to constants
outside the range. This attempt converts any illegal constants
to constant 0, as the GL spec allows; such access is undefined behaviour.
A future patch should add some debug for users to find this out,
but this needs to be backported to stable branches.
CVE-2013-1872
v2: drop the last hunk which was a separate fix (now in master).
hopefully fix the indentations.
v3: don't fail piglit, the whole 8/16 dispatch stuff was over
my head, and I spent a while figuring it out, but this one is
definitely safe, one piglit pass extra on my Ironlake.
NOTE: This is a candidate for stable branches.
Signed-off-by: Dave Airlie <airlied@redhat.com>
[jcristau: backport to 8.0: fs_visitor::fs_visitor is in brw_fs.h]
diff --git a/src/mesa/drivers/dri/i965/brw_fs.cpp b/src/mesa/drivers/dri/i965/brw_fs.cpp
index acb870c..6170d20 100644
--- a/src/mesa/drivers/dri/i965/brw_fs.cpp
+++ b/src/mesa/drivers/dri/i965/brw_fs.cpp
@@ -250,6 +250,7 @@ fs_visitor::import_uniforms(fs_visitor *v)
import_uniforms_callback,
variable_ht);
this->params_remap = v->params_remap;
+ this->nr_params_remap = v->nr_params_remap;
}
/* Our support for uniforms is piggy-backed on the struct
@@ -847,6 +848,7 @@ fs_visitor::remove_dead_constants()
{
if (c->dispatch_width == 8) {
this->params_remap = ralloc_array(mem_ctx, int, c->prog_data.nr_params);
+ this->nr_params_remap = c->prog_data.nr_params;
for (unsigned int i = 0; i < c->prog_data.nr_params; i++)
this->params_remap[i] = -1;
@@ -861,7 +863,14 @@ fs_visitor::remove_dead_constants()
if (inst->src[i].file != UNIFORM)
continue;
- assert(constant_nr < (int)c->prog_data.nr_params);
+ /* Section 5.11 of the OpenGL 4.3 spec says:
+ *
+ * "Out-of-bounds reads return undefined values, which include
+ * values from other variables of the active program or zero."
+ */
+ if (constant_nr < 0 || constant_nr >= (int)c->prog_data.nr_params) {
+ constant_nr = 0;
+ }
/* For now, set this to non-negative. We'll give it the
* actual new number in a moment, in order to keep the
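Review bot: Falling back to `constant_nr = 0` is only in range when `c->prog_data.nr_params` is at least 1; with a count of zero, the store into `params_remap` that presumably follows this comment would still land outside the zero-length array allocated at the top of the function. Whether a UNIFORM source can exist with zero params is not visible here, so this may be unreachable, but a guard such as `if (c->prog_data.nr_params == 0) continue;` ahead of the clamp would make it explicit. The second clamp against `this->nr_params_remap` in the later hunk has the same gap before it reads `this->params_remap[constant_nr]`, and needs its own handling since that loop rewrites the register. The body of remove_dead_constants() continues outside this hunk.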
@@ -913,6 +922,10 @@ fs_visitor::remove_dead_constants()
if (inst->src[i].file != UNIFORM)
continue;
+ /* as above alias to 0 */
+ if (constant_nr < 0 || constant_nr >= (int)this->nr_params_remap) {
+ constant_nr = 0;
+ }
assert(this->params_remap[constant_nr] != -1);
inst->src[i].reg = this->params_remap[constant_nr];
inst->src[i].reg_offset = 0;
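Review bot: The `(int)` cast on `this->nr_params_remap` is redundant, since the field is declared `int` in brw_fs.h, and the comment `/* as above alias to 0 */` only makes sense once the reader has found the earlier block. I would write `if (constant_nr < 0 || constant_nr >= this->nr_params_remap) {` and spell the comment out, for example `/* Out-of-range uniform index: alias to constant 0, as in the marking loop above. */`. The `assert(this->params_remap[constant_nr] != -1)` that follows is compiled out under NDEBUG, so it documents the invariant rather than enforcing it in release builds. The enclosing loop starts and ends outside the hunk.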
diff --git a/src/mesa/drivers/dri/i965/brw_fs.h b/src/mesa/drivers/dri/i965/brw_fs.h
index 798afa1..7c1ccf3 100644
--- a/src/mesa/drivers/dri/i965/brw_fs.h
+++ b/src/mesa/drivers/dri/i965/brw_fs.h
@@ -425,6 +425,7 @@ public:
this->live_intervals_valid = false;
this->params_remap = NULL;
+ this->nr_params_remap = 0;
this->kill_emitted = false;
this->force_uncompressed_stack = 0;
@@ -617,6 +618,7 @@ public:
* uniform index.
*/
int *params_remap;
+ int nr_params_remap;
struct hash_table *variable_ht;
ir_variable *frag_depth;
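Review bot: The new `int nr_params_remap;` member has no comment, although it is the bound that the added range check in remove_dead_constants() depends on. A line such as `/** Number of entries in params_remap; 0 until remove_dead_constants() allocates the array. */` above it would record that the pointer and the count must always be set together, as import_uniforms() and the constructor now do. The field is assigned from `c->prog_data.nr_params`, which the loop in brw_fs.cpp compares against an `unsigned int` index, so an unsigned type may match the source better; the declared type of nr_params is not visible here.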
commit 46240e39c949f1c28cc5bb71ad90fdc69bf30b0c
Author: Frank Henigman <fjhenigman@google.com>
Date: Mon Jan 28 20:06:59 2013 -0500
intel: initialize fs_visitor::params_remap in constructor
Set fs_visitor::params_remap to NULL in the constructor.
This variable was potentially tested in fs_visitor::remove_dead_constants()
before being set.
NOTE: This is a candidate for stable release branches.
Signed-off-by: Frank Henigman <fjhenigman@google.com>
Reviewed-by: Ian Romanick <ian.d.romanick@intel.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
[jcristau: backport to 8.0 where fs_visitor::fs_visitor is in brw_fs.h]
diff --git a/src/mesa/drivers/dri/i965/brw_fs.h b/src/mesa/drivers/dri/i965/brw_fs.h
index f557138..798afa1 100644
--- a/src/mesa/drivers/dri/i965/brw_fs.h
+++ b/src/mesa/drivers/dri/i965/brw_fs.h
@@ -424,6 +424,8 @@ public:
this->virtual_grf_use = NULL;
this->live_intervals_valid = false;
+ this->params_remap = NULL;
+
this->kill_emitted = false;
this->force_uncompressed_stack = 0;
this->force_sechalf_stack = 0;