
mesa: Changes to 'debian-unstable'



 0 files changed

New commits:
commit cbb2e666056321eeec9ab452f44fb1a5f2041f4c
Author: Julien Cristau <julien.cristau@logilab.fr>
Date:   Wed Jun 5 16:02:00 2013 +0200

    Upload to unstable

diff --git a/debian/changelog b/debian/changelog
index ed6f909..51f7451 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+mesa (8.0.5-7) sid; urgency=high
+
+  * Memory corruption (OOB read/write) in i965 driver [CVE-2013-1872]
+
+ -- Julien Cristau <jcristau@debian.org>  Wed, 05 Jun 2013 16:00:42 +0200
+
 mesa (8.0.5-6) sid; urgency=high
 
   * integer overflows calculating memory needs for replies [CVE-2013-1993]

commit 2a1c64f4937e19d7eb471f0518d158dd34d3c8f6
Author: Dave Airlie <airlied@gmail.com>
Date:   Thu May 30 20:21:56 2013 +1000

    i965: fix problem with constant out of bounds access (v3)
    
    Okay I now understand why Frank would want to run away, this is
    my attempt at fixing the CVE out of bounds access to constants
    outside the range. This attempt converts any illegal constants
    to constant 0, which the GL spec permits because such an access is
    undefined behaviour.
    
    A future patch should add some debug for users to find this out,
    but this needs to be backported to stable branches.
    
    CVE-2013-1872
    
    v2: drop the last hunk which was a separate fix (now in master).
    hopefully fix the indentations.
    
    v3: don't fail piglit, the whole 8/16 dispatch stuff was over
    my head, and I spent a while figuring it out, but this one is
    definitely safe, one piglit pass extra on my Ironlake.
    
    NOTE: This is a candidate for stable branches.
    
    Signed-off-by: Dave Airlie <airlied@redhat.com>
    [jcristau: backport to 8.0: fs_visitor::fs_visitor is in brw_fs.h]

diff --git a/src/mesa/drivers/dri/i965/brw_fs.cpp b/src/mesa/drivers/dri/i965/brw_fs.cpp
index acb870c..6170d20 100644
--- a/src/mesa/drivers/dri/i965/brw_fs.cpp
+++ b/src/mesa/drivers/dri/i965/brw_fs.cpp
@@ -250,6 +250,7 @@ fs_visitor::import_uniforms(fs_visitor *v)
 			   import_uniforms_callback,
 			   variable_ht);
    this->params_remap = v->params_remap;
+   this->nr_params_remap = v->nr_params_remap;
 }
 
 /* Our support for uniforms is piggy-backed on the struct
@@ -847,6 +848,7 @@ fs_visitor::remove_dead_constants()
 {
    if (c->dispatch_width == 8) {
       this->params_remap = ralloc_array(mem_ctx, int, c->prog_data.nr_params);
+      this->nr_params_remap = c->prog_data.nr_params;
 
       for (unsigned int i = 0; i < c->prog_data.nr_params; i++)
 	 this->params_remap[i] = -1;
@@ -861,7 +863,14 @@ fs_visitor::remove_dead_constants()
 	    if (inst->src[i].file != UNIFORM)
 	       continue;
 
-	    assert(constant_nr < (int)c->prog_data.nr_params);
+	    /* Section 5.11 of the OpenGL 4.3 spec says:
+	     *
+	     *     "Out-of-bounds reads return undefined values, which include
+	     *     values from other variables of the active program or zero."
+	     */
+	    if (constant_nr < 0 || constant_nr >= (int)c->prog_data.nr_params) {
+	       constant_nr = 0;
+	    }
 
 	    /* For now, set this to non-negative.  We'll give it the
 	     * actual new number in a moment, in order to keep the
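Review bot: The clamp `constant_nr = 0` is only in range when the table has at least one entry; if `c->prog_data.nr_params` is 0, index 0 is itself past the end of the `params_remap` array allocated at the top of remove_dead_constants(). The same applies to the later hunk at `@@ -913`, where the constructor leaves `nr_params_remap` at 0 and `params_remap` NULL, so `params_remap[constant_nr]` would still be an invalid access there. Whether a UNIFORM source can reach either loop with an empty table is not visible here, so I would add an explicit early exit for the empty case before both loops and a comment next to the clamp such as `/* clamp assumes nr_params > 0 */`. The function body continues outside this hunk.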
@@ -913,6 +922,10 @@ fs_visitor::remove_dead_constants()
 	 if (inst->src[i].file != UNIFORM)
 	    continue;
 
+	 /* as above alias to 0 */
+	 if (constant_nr < 0 || constant_nr >= (int)this->nr_params_remap) {
+	    constant_nr = 0;
+	 }
 	 assert(this->params_remap[constant_nr] != -1);
 	 inst->src[i].reg = this->params_remap[constant_nr];
 	 inst->src[i].reg_offset = 0;
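Review bot: After the clamp, `assert(this->params_remap[constant_nr] != -1)` is the only check that slot 0 was actually kept, and it disappears in builds with NDEBUG, leaving `inst->src[i].reg` set to -1. Slot 0 is live only if the pass that filled `params_remap` saw the same out-of-range access and aliased it to 0 as well, which presumably holds when the table arrives through import_uniforms() but is not shown here. I would record that dependency beside the clamp, e.g. `/* slot 0 was marked live by the pass that built params_remap */`, and drop the cast, since `nr_params_remap` is already an `int`: `constant_nr >= this->nr_params_remap`. The enclosing loop starts outside this hunk.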
diff --git a/src/mesa/drivers/dri/i965/brw_fs.h b/src/mesa/drivers/dri/i965/brw_fs.h
index 798afa1..7c1ccf3 100644
--- a/src/mesa/drivers/dri/i965/brw_fs.h
+++ b/src/mesa/drivers/dri/i965/brw_fs.h
@@ -425,6 +425,7 @@ public:
       this->live_intervals_valid = false;
 
       this->params_remap = NULL;
+      this->nr_params_remap = 0;
 
       this->kill_emitted = false;
       this->force_uncompressed_stack = 0;
@@ -617,6 +618,7 @@ public:
     * uniform index.
     */
    int *params_remap;
+   int nr_params_remap;
 
    struct hash_table *variable_ht;
    ir_variable *frag_depth;
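Review bot: `nr_params_remap` is added without a comment, and the doc comment above it describes only `params_remap`. Suggest `/** Number of entries in params_remap; 0 until the table is allocated or imported. */`. It is declared `int`, while the count it copies, `c->prog_data.nr_params`, is compared against an `unsigned int` loop index in brw_fs.cpp and needs an `(int)` cast in the bounds check there; the signed type may be deliberate to match `constant_nr`, but a one-line remark on the choice would keep later bounds checks from mixing signs.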

commit 46240e39c949f1c28cc5bb71ad90fdc69bf30b0c
Author: Frank Henigman <fjhenigman@google.com>
Date:   Mon Jan 28 20:06:59 2013 -0500

    intel: initialize fs_visitor::params_remap in constructor
    
    Set fs_visitor::params_remap to NULL in the constructor.
    This variable was potentially tested in fs_visitor::remove_dead_constants()
    before being set.
    
    NOTE: This is a candidate for stable release branches.
    
    Signed-off-by: Frank Henigman <fjhenigman@google.com>
    Reviewed-by: Ian Romanick <ian.d.romanick@intel.com>
    Signed-off-by: Dave Airlie <airlied@redhat.com>
    [jcristau: backport to 8.0 where fs_visitor::fs_visitor is in brw_fs.h]

diff --git a/src/mesa/drivers/dri/i965/brw_fs.h b/src/mesa/drivers/dri/i965/brw_fs.h
index f557138..798afa1 100644
--- a/src/mesa/drivers/dri/i965/brw_fs.h
+++ b/src/mesa/drivers/dri/i965/brw_fs.h
@@ -424,6 +424,8 @@ public:
       this->virtual_grf_use = NULL;
       this->live_intervals_valid = false;
 
+      this->params_remap = NULL;
+
       this->kill_emitted = false;
       this->force_uncompressed_stack = 0;
       this->force_sechalf_stack = 0;

commit efb55da89fe36fda5e507fbfd9a53442bfaa00b1
Author: Julien Cristau <jcristau@debian.org>
Date:   Thu May 23 10:50:28 2013 +0200

    Upload to sid

diff --git a/debian/changelog b/debian/changelog
index 8b9461c..ed6f909 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+mesa (8.0.5-6) sid; urgency=high
+
+  * integer overflows calculating memory needs for replies [CVE-2013-1993]
+
+ -- Julien Cristau <jcristau@debian.org>  Thu, 23 May 2013 10:50:24 +0200
+
 mesa (8.0.5-5) sid; urgency=low
 
   * Reupload with no source changes to restore multiarch installability

commit fa3c521d66ec1b767f231b79fbd5dd9f13a244cf
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Fri Apr 26 16:33:03 2013 -0700

    integer overflow in XF86DRIGetClientDriverName() [CVE-2013-1993 2/2]
    
    clientDriverNameLength is a CARD32 and needs to be bounds checked before
    adding one to it to come up with the total size to allocate, to avoid
    integer overflow leading to underallocation and writing data from the
    network past the end of the allocated buffer.
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Signed-off-by: Julien Cristau <jcristau@debian.org>

diff --git a/src/glx/XF86dri.c b/src/glx/XF86dri.c
index 24facfe..a6d3a40 100644
--- a/src/glx/XF86dri.c
+++ b/src/glx/XF86dri.c
@@ -305,9 +305,11 @@ XF86DRIGetClientDriverName(Display * dpy, int screen,
    *ddxDriverPatchVersion = rep.ddxDriverPatchVersion;
 
    if (rep.length) {
-      if (!
-          (*clientDriverName =
-           (char *) Xcalloc(rep.clientDriverNameLength + 1, 1))) {
+      if (rep.clientDriverNameLength < INT_MAX)
+	 *clientDriverName = Xcalloc(rep.clientDriverNameLength + 1, 1);
+      else
+	 *clientDriverName = NULL;
+      if (*clientDriverName == NULL) {
          _XEatData(dpy, ((rep.clientDriverNameLength + 3) & ~3));
          UnlockDisplay(dpy);
          SyncHandle();
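Review bot: The new `< INT_MAX` test protects the `+ 1` in the allocation, but the failure path still evaluates `(rep.clientDriverNameLength + 3) & ~3` on the same CARD32, which wraps for lengths within three of the 32-bit maximum, so `_XEatData` would discard almost nothing and leave the rest of the reply unread on the connection. The XF86DRIOpenConnection hunk has the same pattern with `rep.busIdStringLength`. Skipping by the reply header's own length avoids arithmetic on the untrusted field, e.g. `_XEatData(dpy, (unsigned long) rep.length << 2);`, assuming the string is the only variable-length payload of this reply. The claimed length is also not compared with `rep.length` before allocating, so a value just under INT_MAX still requests a very large buffer. The function continues outside this hunk.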

commit 7eae38c8c7f3a0ef10acecfac8c2a4d9e57b3577
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Fri Apr 26 16:31:58 2013 -0700

    integer overflow in XF86DRIOpenConnection() [CVE-2013-1993 1/2]
    
    busIdStringLength is a CARD32 and needs to be bounds checked before adding
    one to it to come up with the total size to allocate, to avoid integer
    overflow leading to underallocation and writing data from the network past
    the end of the allocated buffer.
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Signed-off-by: Julien Cristau <jcristau@debian.org>

diff --git a/src/glx/XF86dri.c b/src/glx/XF86dri.c
index 5c181d6..24facfe 100644
--- a/src/glx/XF86dri.c
+++ b/src/glx/XF86dri.c
@@ -43,6 +43,7 @@ SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 #include <X11/extensions/Xext.h>
 #include <X11/extensions/extutil.h>
 #include "xf86dristr.h"
+#include <limits.h>
 
 static XExtensionInfo _xf86dri_info_data;
 static XExtensionInfo *xf86dri_info = &_xf86dri_info_data;
@@ -201,7 +202,11 @@ XF86DRIOpenConnection(Display * dpy, int screen, drm_handle_t * hSAREA,
    }
 
    if (rep.length) {
-      if (!(*busIdString = (char *) Xcalloc(rep.busIdStringLength + 1, 1))) {
+      if (rep.busIdStringLength < INT_MAX)
+	 *busIdString = Xcalloc(rep.busIdStringLength + 1, 1);
+      else
+	 *busIdString = NULL;
+      if (*busIdString == NULL) {
          _XEatData(dpy, ((rep.busIdStringLength + 3) & ~3));
          UnlockDisplay(dpy);
          SyncHandle();

commit 6c1134b4019a9e0e6c1c15a7b0d04876bf16d9a4
Author: Julien Cristau <jcristau@debian.org>
Date:   Fri May 17 10:10:17 2013 +0200

    Upload to unstable

diff --git a/debian/changelog b/debian/changelog
index 2bff87c..8b9461c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+mesa (8.0.5-5) sid; urgency=low
+
+  * Reupload with no source changes to restore multiarch installability
+    (closes: #708029, #708055)
+
+ -- Julien Cristau <jcristau@debian.org>  Fri, 17 May 2013 10:10:05 +0200
+
 mesa (8.0.5-4) unstable; urgency=low
 
   * Cherry-pick commit 17f1cb1d99 (dri/nouveau: fix crash in

