mesa: Changes to 'debian-experimental'
configure.ac | 56 +++++++++++++--------------
debian/changelog | 6 ++
src/mesa/drivers/dri/i965/brw_fs.cpp | 15 ++++++-
src/mesa/drivers/dri/i965/brw_fs.h | 1
src/mesa/drivers/dri/i965/brw_fs_visitor.cpp | 3 +
5 files changed, 52 insertions(+), 29 deletions(-)
New commits:
commit cd99e8319daaef7e7a53c3372d1fbfaa1a1ef50c
Author: Andreas Boll <andreas.boll.dev@gmail.com>
Date: Thu Jun 6 09:37:21 2013 +0200
debian/changelog: Add changelog entry
diff --git a/debian/changelog b/debian/changelog
index 9b0665a..140a6fb 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -9,6 +9,7 @@ mesa (9.1.3-3) UNRELEASED; urgency=low
- configure.ac: Remove redundant checks of enable_dri.
- configure.ac: Build dricommon for DRI gallium drivers
- configure.ac: Build dricommon for gallium swrast
+ * Memory corruption (OOB read/write) in i965 driver [CVE-2013-1872]
-- Andreas Boll <andreas.boll.dev@gmail.com> Tue, 04 Jun 2013 11:36:30 +0200
commit 5cd24813343b1c1cc9d44b4dfeadf12661414f5c
Author: Dave Airlie <airlied@gmail.com>
Date: Thu May 30 20:21:56 2013 +1000
i965: fix problem with constant out of bounds access (v3)
Okay I now understand why Frank would want to run away, this is
my attempt at fixing the CVE out of bounds access to constants
outside the range. This attempt converts any illegal constants
to constant 0 as per the GL spec, and is undefined behaviour.
A future patch should add some debug for users to find this out,
but this needs to be backported to stable branches.
CVE-2013-1872
v2: drop the last hunk which was a separate fix (now in master).
hopefully fix the indentations.
v3: don't fail piglit, the whole 8/16 dispatch stuff was over
my head, and I spent a while figuring it out, but this one is
definitely safe, one piglit pass extra on my Ironlake.
NOTE: This is a candidate for stable branches.
Signed-off-by: Dave Airlie <airlied@redhat.com>
(cherry picked from commit 0677ea063cd96adefe87c1fb01ef7c66d905535b)
diff --git a/src/mesa/drivers/dri/i965/brw_fs.cpp b/src/mesa/drivers/dri/i965/brw_fs.cpp
index 3c3b3a1..da93048 100644
--- a/src/mesa/drivers/dri/i965/brw_fs.cpp
+++ b/src/mesa/drivers/dri/i965/brw_fs.cpp
@@ -829,6 +829,7 @@ fs_visitor::import_uniforms(fs_visitor *v)
import_uniforms_callback,
variable_ht);
this->params_remap = v->params_remap;
+ this->nr_params_remap = v->nr_params_remap;
}
/* Our support for uniforms is piggy-backed on the struct
@@ -1501,6 +1502,7 @@ fs_visitor::remove_dead_constants()
{
if (dispatch_width == 8) {
this->params_remap = ralloc_array(mem_ctx, int, c->prog_data.nr_params);
+ this->nr_params_remap = c->prog_data.nr_params;
for (unsigned int i = 0; i < c->prog_data.nr_params; i++)
this->params_remap[i] = -1;
@@ -1515,7 +1517,14 @@ fs_visitor::remove_dead_constants()
if (inst->src[i].file != UNIFORM)
continue;
- assert(constant_nr < (int)c->prog_data.nr_params);
+ /* Section 5.11 of the OpenGL 4.3 spec says:
+ *
+ * "Out-of-bounds reads return undefined values, which include
+ * values from other variables of the active program or zero."
+ */
+ if (constant_nr < 0 || constant_nr >= (int)c->prog_data.nr_params) {
+ constant_nr = 0;
+ }
/* For now, set this to non-negative. We'll give it the
* actual new number in a moment, in order to keep the
@@ -1563,6 +1572,10 @@ fs_visitor::remove_dead_constants()
if (inst->src[i].file != UNIFORM)
continue;
+ /* as above alias to 0 */
+ if (constant_nr < 0 || constant_nr >= (int)this->nr_params_remap) {
+ constant_nr = 0;
+ }
assert(this->params_remap[constant_nr] != -1);
inst->src[i].reg = this->params_remap[constant_nr];
inst->src[i].reg_offset = 0;
diff --git a/src/mesa/drivers/dri/i965/brw_fs.h b/src/mesa/drivers/dri/i965/brw_fs.h
index c776c77..411144f 100644
--- a/src/mesa/drivers/dri/i965/brw_fs.h
+++ b/src/mesa/drivers/dri/i965/brw_fs.h
@@ -440,6 +440,7 @@ public:
* uniform index.
*/
int *params_remap;
+ int nr_params_remap;
struct hash_table *variable_ht;
fs_reg frag_depth;
diff --git a/src/mesa/drivers/dri/i965/brw_fs_visitor.cpp b/src/mesa/drivers/dri/i965/brw_fs_visitor.cpp
index 9a82647..40d39df 100644
--- a/src/mesa/drivers/dri/i965/brw_fs_visitor.cpp
+++ b/src/mesa/drivers/dri/i965/brw_fs_visitor.cpp
@@ -2319,6 +2319,7 @@ fs_visitor::fs_visitor(struct brw_context *brw,
this->live_intervals_valid = false;
this->params_remap = NULL;
+ this->nr_params_remap = 0;
this->force_uncompressed_stack = 0;
this->force_sechalf_stack = 0;
commit 0be9a004177870548c6388064df7d8fab5e6e31f
Author: Frank Henigman <fjhenigman@google.com>
Date: Mon Jan 28 20:06:59 2013 -0500
intel: initialize fs_visitor::params_remap in constructor
Set fs_visitor::params_remap to NULL in the constructor.
This variable was potentially tested in fs_visitor::remove_dead_constants()
before being set.
NOTE: This is a candidate for stable release branches.
Signed-off-by: Frank Henigman <fjhenigman@google.com>
Reviewed-by: Ian Romanick <ian.d.romanick@intel.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
(cherry picked from commit 02fe736cc0e6866daa50aaae1ed7b977522eaf65)
diff --git a/src/mesa/drivers/dri/i965/brw_fs_visitor.cpp b/src/mesa/drivers/dri/i965/brw_fs_visitor.cpp
index 007c8ef..9a82647 100644
--- a/src/mesa/drivers/dri/i965/brw_fs_visitor.cpp
+++ b/src/mesa/drivers/dri/i965/brw_fs_visitor.cpp
@@ -2318,6 +2318,8 @@ fs_visitor::fs_visitor(struct brw_context *brw,
this->virtual_grf_use = NULL;
this->live_intervals_valid = false;
+ this->params_remap = NULL;
+
this->force_uncompressed_stack = 0;
this->force_sechalf_stack = 0;
commit 30644d32b76f575f6c00145c20f08824c7e6071a
Author: Andreas Boll <andreas.boll.dev@gmail.com>
Date: Thu Jun 6 09:26:18 2013 +0200
debian/changelog: Add changelog entry
diff --git a/debian/changelog b/debian/changelog
index 95457ba..9b0665a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -4,6 +4,11 @@ mesa (9.1.3-3) UNRELEASED; urgency=low
Fixes build on hurd.
* debian: Fix build regression on !hurd.
Fix it with libgl1-mesa-dri.install.hurd.in, where we don't install drirc.
+ * Cherry-pick commit 7de78ce5, 07f2dee and 9622049 from upstream
+ (Fixes FTBFS on kfreebsd-*)
+ - configure.ac: Remove redundant checks of enable_dri.
+ - configure.ac: Build dricommon for DRI gallium drivers
+ - configure.ac: Build dricommon for gallium swrast
-- Andreas Boll <andreas.boll.dev@gmail.com> Tue, 04 Jun 2013 11:36:30 +0200
commit 5f7dc5f3b38288d98f0c4e4a65190c2a6beb5f7f
Author: Mike Stroyan <mike@LunarG.com>
Date: Mon Mar 18 13:34:35 2013 -0600
configure.ac: Build dricommon for gallium swrast
When building dri-swrast, use gallium_check_st to set HAVE_COMMON_DRI.
Commit 07f2dee7 added setting of HAVE_COMMON_DRI in gallium_check_st.
But the dri-swrast case did not use gallium_check_st.
So dri/common was still not built.
v2: set HAVE_COMMON_DRI=yes instead of using gallium_check_st
NOTE: This is a candidate for the 9.1 branch.
(Depends on 7de78ce5 and 07f2dee)
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=61821
Signed-off-by: Andreas Boll <andreas.boll.dev@gmail.com>
(cherry picked from commit 962204961def009610e60b23d40a22f064214dc7)
diff --git a/configure.ac b/configure.ac
index 9ee8b10..fa55ea8 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1868,6 +1868,7 @@ if test "x$with_gallium_drivers" != x; then
if test "x$HAVE_ST_DRI" = xyes; then
GALLIUM_TARGET_DIRS="$GALLIUM_TARGET_DIRS dri-swrast"
+ HAVE_COMMON_DRI=yes
fi
if test "x$HAVE_ST_VDPAU" = xyes; then
GALLIUM_TARGET_DIRS="$GALLIUM_TARGET_DIRS vdpau-softpipe"
commit 3afbd14a349e6f06c901b80f7353d8f32d82fea9
Author: Matt Turner <mattst88@gmail.com>
Date: Tue Mar 5 10:25:55 2013 -0800
configure.ac: Build dricommon for DRI gallium drivers
Commit 67ef7559 added an || test "x$enable_dri" check in an attempt to
get the DRI common bits built in some necessary cases. That change was
inappropriate as it made these common DRI pieces be built
unconditionally, so some builds were broken.
Subsequently, commit 998d975e3 change the "|| test" to a "-a"
conjunction within the existing test invocation. This made the '-a
"x$enable_dri" = xyes' clause have no effect, (as it was inside an
enclosing test for the same condition). So the new breakage from
commit 67ef7559 was addressed, but the original problems were
regressed.
The immediately preceding commit removed the redundant condition.
Now, finally this commit fixes the original problem as described in
the commit message of 67ef7559: this code should be compiled when
using the DRI state tracker. In order to do so, the HAVE_*_DRI
conditionals must be moved after the last assignment of HAVE_COMMON_DRI.
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=61821
Tested-by: Stéphane Marchesin <marcheu@chromium.org>
(cherry picked from commit 07f2dee7319b084e00288d74b29b07b62d888948)
diff --git a/configure.ac b/configure.ac
index 2df91b2..9ee8b10 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1075,7 +1075,7 @@ if test "x$enable_dri" = xyes; then
[AC_MSG_ERROR([Expat required for DRI.])])
LIBS="$save_LIBS"
- # if we are building any dri driver other than swrast or using the dri state tracker ...
+ # If we are building any DRI driver other than swrast.
if test -n "$DRI_DIRS" -a x"$DRI_DIRS" != xswrast; then
# ... libdrm is required
if test "x$have_libdrm" != xyes; then
@@ -1144,14 +1144,6 @@ case $DRI_DIRS in
;;
esac
-AM_CONDITIONAL(HAVE_I915_DRI, test x$HAVE_I915_DRI = xyes)
-AM_CONDITIONAL(HAVE_I965_DRI, test x$HAVE_I965_DRI = xyes)
-AM_CONDITIONAL(HAVE_NOUVEAU_DRI, test x$HAVE_NOUVEAU_DRI = xyes)
-AM_CONDITIONAL(HAVE_R200_DRI, test x$HAVE_R200_DRI = xyes)
-AM_CONDITIONAL(HAVE_RADEON_DRI, test x$HAVE_RADEON_DRI = xyes)
-AM_CONDITIONAL(HAVE_SWRAST_DRI, test x$HAVE_SWRAST_DRI = xyes)
-AM_CONDITIONAL(HAVE_COMMON_DRI, test x$HAVE_COMMON_DRI = xyes)
-
dnl
dnl OSMesa configuration
dnl
@@ -1750,6 +1742,7 @@ gallium_check_st() {
fi
if test "x$HAVE_ST_DRI" = xyes && test "x$2" != x; then
GALLIUM_TARGET_DIRS="$GALLIUM_TARGET_DIRS $2"
+ HAVE_COMMON_DRI=yes
fi
if test "x$HAVE_ST_XORG" = xyes && test "x$3" != x; then
GALLIUM_TARGET_DIRS="$GALLIUM_TARGET_DIRS $3"
@@ -1991,6 +1984,14 @@ for driver in $GALLIUM_DRIVERS_DIRS; do
esac
done
+AM_CONDITIONAL(HAVE_I915_DRI, test x$HAVE_I915_DRI = xyes)
+AM_CONDITIONAL(HAVE_I965_DRI, test x$HAVE_I965_DRI = xyes)
+AM_CONDITIONAL(HAVE_NOUVEAU_DRI, test x$HAVE_NOUVEAU_DRI = xyes)
+AM_CONDITIONAL(HAVE_R200_DRI, test x$HAVE_R200_DRI = xyes)
+AM_CONDITIONAL(HAVE_RADEON_DRI, test x$HAVE_RADEON_DRI = xyes)
+AM_CONDITIONAL(HAVE_SWRAST_DRI, test x$HAVE_SWRAST_DRI = xyes)
+AM_CONDITIONAL(HAVE_COMMON_DRI, test x$HAVE_COMMON_DRI = xyes)
+
AM_CONDITIONAL(HAVE_GALAHAD_GALLIUM, test x$HAVE_GALAHAD_GALLIUM = xyes)
AM_CONDITIONAL(HAVE_IDENTITY_GALLIUM, test x$HAVE_IDENTITY_GALLIUM = xyes)
AM_CONDITIONAL(HAVE_NOOP_GALLIUM, test x$HAVE_NOOP_GALLIUM = xyes)
commit 92c864020a7d9aa56ef3f36b129b4d65f6381f6b
Author: Matt Turner <mattst88@gmail.com>
Date: Tue Mar 5 10:27:22 2013 -0800
configure.ac: Remove redundant checks of enable_dri.
The whole block is enclosed inside if test "x$enable_dri" = xyes.
(cherry picked from commit 7de78ce5e5f5dc635846a3d935aaf2f4407e2dfa)
diff --git a/configure.ac b/configure.ac
index 5da5220..2df91b2 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1059,26 +1059,24 @@ if test "x$enable_dri" = xyes; then
DRI_DIRS=`echo "$DRI_DIRS" | $SED 's/ */ /g'`
# Check for expat
- if test "x$enable_dri" = xyes; then
- EXPAT_INCLUDES=""
- EXPAT_LIB=-lexpat
- AC_ARG_WITH([expat],
- [AS_HELP_STRING([--with-expat=DIR],
- [expat install directory])],[
- EXPAT_INCLUDES="-I$withval/include"
- CPPFLAGS="$CPPFLAGS $EXPAT_INCLUDES"
- LDFLAGS="$LDFLAGS -L$withval/$LIB_DIR"
- EXPAT_LIB="-L$withval/$LIB_DIR -lexpat"
- ])
- AC_CHECK_HEADER([expat.h],[],[AC_MSG_ERROR([Expat required for DRI.])])
- save_LIBS="$LIBS"
- AC_CHECK_LIB([expat],[XML_ParserCreate],[],
- [AC_MSG_ERROR([Expat required for DRI.])])
- LIBS="$save_LIBS"
- fi
+ EXPAT_INCLUDES=""
+ EXPAT_LIB=-lexpat
+ AC_ARG_WITH([expat],
+ [AS_HELP_STRING([--with-expat=DIR],
+ [expat install directory])],[
+ EXPAT_INCLUDES="-I$withval/include"
+ CPPFLAGS="$CPPFLAGS $EXPAT_INCLUDES"
+ LDFLAGS="$LDFLAGS -L$withval/$LIB_DIR"
+ EXPAT_LIB="-L$withval/$LIB_DIR -lexpat"
+ ])
+ AC_CHECK_HEADER([expat.h],[],[AC_MSG_ERROR([Expat required for DRI.])])
+ save_LIBS="$LIBS"
+ AC_CHECK_LIB([expat],[XML_ParserCreate],[],
+ [AC_MSG_ERROR([Expat required for DRI.])])
+ LIBS="$save_LIBS"
# if we are building any dri driver other than swrast or using the dri state tracker ...
- if test -n "$DRI_DIRS" -a x"$DRI_DIRS" != xswrast -a "x$enable_dri" = xyes; then
+ if test -n "$DRI_DIRS" -a x"$DRI_DIRS" != xswrast; then
# ... libdrm is required
if test "x$have_libdrm" != xyes; then
AC_MSG_ERROR([DRI drivers requires libdrm >= $LIBDRM_REQUIRED])
Reply to: