Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: Gert Wollny <g...@debian.org>
(CC'ing Gert Wollny <g...@debian.org> as maintainer of virglrenderer so he is aware)

[ Reason ]
I'm currently preparing a security update for virglrenderer for LTS and figured out that one of the fixed CVEs is not addressed in bullseye yet.

The CVE fixed is CVE-2022-0135: (#1009073)

To have this CVE also fixed in bullseye, I'm asking for permission to upload a targeted fix for the next stable point release.

The changes are on this branch:
https://salsa.debian.org/debian/virglrenderer/-/tree/debian/bullseye
namely adding this patch:
https://salsa.debian.org/debian/virglrenderer/-/blob/debian/bullseye/debian/patches/CVE-2022-0135.patch

[ Impact ]
The description of CVE-2022-0135 is:
An out-of-bounds write issue was found in the VirGL virtual OpenGL renderer (virglrenderer). This flaw allows a malicious guest to create a specially crafted virgil resource and then issue a VIRTGPU_EXECBUFFER ioctl, leading to a denial of service or possible code execution.

[ Tests ]
Upstream provides a unit-test which covers this CVE.

[ Risks ]
The patch is taken from upstream:
https://gitlab.freedesktop.org/virgl/virglrenderer/-/commit/95e581fd181b213c2ed7cdc63f2abc03eaaa77ec

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

-- tobi
diff -Nru virglrenderer-0.8.2/debian/changelog virglrenderer-0.8.2/debian/changelog --- virglrenderer-0.8.2/debian/changelog 2020-12-07 13:38:41.000000000 +0100 +++ virglrenderer-0.8.2/debian/changelog 2022-12-07 17:24:59.000000000 +0100 @@ -1,3 +1,10 @@ +virglrenderer (0.8.2-5+deb11u1) bullseye; urgency=medium + + * Non-maintainer upload by the LTS Security Team. + * Cherry-pick upstream fix for CVE-2022-0135. (Closes: #1009073) + + -- Tobias Frost <t...@debian.org> Wed, 07 Dec 2022 17:24:59 +0100 + virglrenderer (0.8.2-5) unstable; urgency=medium [ Christian Ehrhardt ] diff -Nru virglrenderer-0.8.2/debian/patches/CVE-2022-0135.patch virglrenderer-0.8.2/debian/patches/CVE-2022-0135.patch --- virglrenderer-0.8.2/debian/patches/CVE-2022-0135.patch 1970-01-01 01:00:00.000000000 +0100 +++ virglrenderer-0.8.2/debian/patches/CVE-2022-0135.patch 2022-12-07 17:24:59.000000000 +0100 
@@ -0,0 +1,83 @@ +Description: CVE-2022-0135 + An out-of-bounds write issue was found in the VirGL virtual OpenGL + renderer (virglrenderer). This flaw allows a malicious guest to create a + specially crafted virgil resource and then issue a VIRTGPU_EXECBUFFER ioctl, + leading to a denial of service or possible code execution. +Origin: https://gitlab.freedesktop.org/virgl/virglrenderer/-/commit/95e581fd181b213c2ed7cdc63f2abc03eaaa77ec +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1009073 +Last-Update: 2022-12-05 <YYYY-MM-DD, last update of the meta-information, optional> +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/src/vrend_renderer.c ++++ b/src/vrend_renderer.c +@@ -7097,8 +7097,11 @@ + info->box->height) * elsize; + if (res->target == GL_TEXTURE_3D || + res->target == GL_TEXTURE_2D_ARRAY || ++ res->target == GL_TEXTURE_2D_MULTISAMPLE_ARRAY || + res->target == GL_TEXTURE_CUBE_MAP_ARRAY) + send_size *= info->box->depth; ++ else if (need_temp && info->box->depth != 1) ++ return EINVAL; + + if (need_temp) { + data = malloc(send_size); +--- a/tests/test_fuzzer_formats.c ++++ b/tests/test_fuzzer_formats.c +@@ -958,6 +958,48 @@ + virgl_renderer_submit_cmd((void *) cmd, ctx_id, 0xde); + } + ++/* Test adapted from yaojun8558...@gmail.com: ++ * https://gitlab.freedesktop.org/virgl/virglrenderer/-/issues/250 ++*/ ++static void test_vrend_3d_resource_overflow() { ++ ++ struct virgl_renderer_resource_create_args resource; ++ resource.handle = 0x4c474572; ++ resource.target = PIPE_TEXTURE_2D_ARRAY; ++ resource.format = VIRGL_FORMAT_Z24X8_UNORM; ++ resource.nr_samples = 2; ++ resource.last_level = 0; ++ resource.array_size = 3; ++ resource.bind = VIRGL_BIND_SAMPLER_VIEW; ++ resource.depth = 1; ++ resource.width = 8; ++ resource.height = 4; ++ resource.flags = 0; ++ ++ virgl_renderer_resource_create(&resource, NULL, 0); ++ virgl_renderer_ctx_attach_resource(ctx_id, resource.handle); ++ ++ uint32_t size = 0x400; ++ uint32_t 
cmd[size]; ++ int i = 0; ++ cmd[i++] = (size - 1) << 16 | 0 << 8 | VIRGL_CCMD_RESOURCE_INLINE_WRITE; ++ cmd[i++] = resource.handle; ++ cmd[i++] = 0; // level ++ cmd[i++] = 0; // usage ++ cmd[i++] = 0; // stride ++ cmd[i++] = 0; // layer_stride ++ cmd[i++] = 0; // x ++ cmd[i++] = 0; // y ++ cmd[i++] = 0; // z ++ cmd[i++] = 8; // w ++ cmd[i++] = 4; // h ++ cmd[i++] = 3; // d ++ memset(&cmd[i], 0, size - i); ++ ++ virgl_renderer_submit_cmd((void *) cmd, ctx_id, size); ++} ++ ++ + int main() + { + initialize_environment(); +@@ -980,6 +1022,7 @@ + test_cs_nullpointer_deference(); + test_vrend_set_signle_abo_heap_overflow(); + ++ test_vrend_3d_resource_overflow(); + + virgl_renderer_context_destroy(ctx_id); + virgl_renderer_cleanup(&cookie); diff -Nru virglrenderer-0.8.2/debian/patches/series virglrenderer-0.8.2/debian/patches/series --- virglrenderer-0.8.2/debian/patches/series 1970-01-01 01:00:00.000000000 +0100 +++ virglrenderer-0.8.2/debian/patches/series 2022-12-07 17:24:59.000000000 +0100 @@ -0,0 +1 @@ +CVE-2022-0135.patch
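Review bot: the DEP-3 header of debian/patches/CVE-2022-0135.patch still carries template placeholder text: `Last-Update: 2022-12-05 <YYYY-MM-DD, last update of the meta-information, optional>` keeps the template's bracketed hint, and `This patch header follows DEP-3: http://dep.debian.net/deps/dep3/` is the template's own comment line; trim the first to `Last-Update: 2022-12-05` and drop the second before upload. The code part matches the referenced upstream commit: GL_TEXTURE_2D_MULTISAMPLE_ARRAY now multiplies send_size by info->box->depth like the other layered targets, and any other target reaching the need_temp path with depth != 1 is rejected with EINVAL before malloc(send_size), which is the undersized temp allocation the CVE description refers to; the new test_vrend_3d_resource_overflow() exercises exactly that case (PIPE_TEXTURE_2D_ARRAY with nr_samples = 2 and d = 3).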
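To show what the hunk in src/vrend_renderer.c guards against, here is a constructed C model (added here, not virglrenderer code) of the send_size computation before and after the fix; the target names, the 8x4x3 box from the upstream test and elsize = 4 for VIRGL_FORMAT_Z24X8_UNORM are assumptions, and need_temp is modelled as always true.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <errno.h>
/* Constructed stand-in for the GL target values tested in vrend_renderer.c. */
enum model_target { T_2D, T_3D, T_2D_ARRAY, T_2D_MS_ARRAY, T_CUBE_ARRAY };

/* Pre-fix send_size: depth is only folded in for 3D, 2D-array and cube-array
 * targets, so a multisample array (or any other target) with depth > 1 gets a
 * temp buffer that is depth times too small. Returns the bytes to allocate. */
static size_t send_size_before_fix(enum model_target t, uint32_t w, uint32_t h,
                                   uint32_t d, size_t elsize, bool need_temp, int *err)
{
    size_t send_size = (size_t)w * h * elsize;
    (void)need_temp;   /* the old code did not consult it at this point */
    *err = 0;
    if (t == T_3D || t == T_2D_ARRAY || t == T_CUBE_ARRAY)
        send_size *= d;
    return send_size;
}

/* Post-fix send_size, mirroring the upstream change: multisample arrays are
 * layered too, and any remaining target on the need_temp path must have
 * depth == 1, otherwise the request is rejected with EINVAL before malloc. */
static size_t send_size_after_fix(enum model_target t, uint32_t w, uint32_t h,
                                  uint32_t d, size_t elsize, bool need_temp, int *err)
{
    size_t send_size = (size_t)w * h * elsize;
    *err = 0;
    if (t == T_3D || t == T_2D_ARRAY || t == T_2D_MS_ARRAY || t == T_CUBE_ARRAY)
        send_size *= d;
    else if (need_temp && d != 1) {
        *err = EINVAL;
        return 0;
    }
    return send_size;
}

typedef size_t (*size_fn)(enum model_target, uint32_t, uint32_t, uint32_t, size_t, bool, int *);

/* True when the temp buffer fn would allocate is smaller than the bytes the
 * transfer writes (box volume times texel size): the out-of-bounds write. */
static bool model_overflows(size_fn fn, enum model_target t, uint32_t w,
                            uint32_t h, uint32_t d, size_t elsize)
{
    int err;
    size_t alloc = fn(t, w, h, d, elsize, true, &err);
    size_t written = (size_t)w * h * d * elsize;
    return err == 0 && alloc < written;   /* a rejected request cannot overflow */
}
```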