From 09b3d4733ae7df7d1d35b3aaf3f27cb7cbe2cc8b Mon Sep 17 00:00:00 2001
From: yezengruan
Date: Sat, 27 Aug 2022 17:33:35 +0800
Subject: [PATCH] vrend: Add test to resource OOB write and fix it (CVE-2022-0135)
(cherry picked from commit 411b9d0dcfd16a5eeb76dc23a5af45a7b2abcbc0)
---
...est-to-resource-OOB-write-and-fix-it.patch | 95 +++++++++++++++++++
virglrenderer.spec | 6 +-
2 files changed, 100 insertions(+), 1 deletion(-)
create mode 100644 0001-vrend-Add-test-to-resource-OOB-write-and-fix-it.patch
diff --git a/0001-vrend-Add-test-to-resource-OOB-write-and-fix-it.patch b/0001-vrend-Add-test-to-resource-OOB-write-and-fix-it.patch
new file mode 100644
index 0000000..55516e6
--- /dev/null
+++ b/0001-vrend-Add-test-to-resource-OOB-write-and-fix-it.patch
@@ -0,0 +1,95 @@
+From 95e581fd181b213c2ed7cdc63f2abc03eaaa77ec Mon Sep 17 00:00:00 2001
+From: Gert Wollny
+Date: Tue, 30 Nov 2021 10:17:26 +0100
+Subject: [PATCH] vrend: Add test to resource OOB write and fix it
+
+v2: Also check that no depth != 1 has been send when none is due
+
+Closes: #250
+Signed-off-by: Gert Wollny
+Reviewed-by: Chia-I Wu
+---
+ src/vrend_renderer.c | 3 +++
+ tests/test_fuzzer_formats.c | 43 +++++++++++++++++++++++++++++++++++++
+ 2 files changed, 46 insertions(+)
+
+diff --git a/src/vrend_renderer.c b/src/vrend_renderer.c
+index 28f6697..357b81b 100644
+--- a/src/vrend_renderer.c
++++ b/src/vrend_renderer.c
+@@ -7833,8 +7833,11 @@ static int vrend_renderer_transfer_write_iov(struct vrend_context *ctx,
+ info->box->height) * elsize;
+ if (res->target == GL_TEXTURE_3D ||
+ res->target == GL_TEXTURE_2D_ARRAY ||
++ res->target == GL_TEXTURE_2D_MULTISAMPLE_ARRAY ||
+ res->target == GL_TEXTURE_CUBE_MAP_ARRAY)
+ send_size *= info->box->depth;
++ else if (need_temp && info->box->depth != 1)
++ return EINVAL;
+
+ if (need_temp) {
+ data = malloc(send_size);
+diff --git a/tests/test_fuzzer_formats.c b/tests/test_fuzzer_formats.c
+index 59d6fb6..2de9a9a 100644
+--- a/tests/test_fuzzer_formats.c
++++ b/tests/test_fuzzer_formats.c
+@@ -957,6 +957,48 @@ static void test_vrend_set_signle_abo_heap_overflow() {
+ virgl_renderer_submit_cmd((void *) cmd, ctx_id, 0xde);
+ }
+
++/* Test adapted from yaojun8558363@gmail.com:
++ * https://gitlab.freedesktop.org/virgl/virglrenderer/-/issues/250
++*/
++static void test_vrend_3d_resource_overflow() {
++
++ struct virgl_renderer_resource_create_args resource;
++ resource.handle = 0x4c474572;
++ resource.target = PIPE_TEXTURE_2D_ARRAY;
++ resource.format = VIRGL_FORMAT_Z24X8_UNORM;
++ resource.nr_samples = 2;
++ resource.last_level = 0;
++ resource.array_size = 3;
++ resource.bind = VIRGL_BIND_SAMPLER_VIEW;
++ resource.depth = 1;
++ resource.width = 8;
++ resource.height = 4;
++ resource.flags = 0;
++
++
virgl_renderer_resource_create(&resource, NULL, 0); ++ virgl_renderer_ctx_attach_resource(ctx_id, resource.handle); ++ ++ uint32_t size = 0x400; ++ uint32_t cmd[size]; ++ int i = 0; ++ cmd[i++] = (size - 1) << 16 | 0 << 8 | VIRGL_CCMD_RESOURCE_INLINE_WRITE; ++ cmd[i++] = resource.handle; ++ cmd[i++] = 0; // level ++ cmd[i++] = 0; // usage ++ cmd[i++] = 0; // stride ++ cmd[i++] = 0; // layer_stride ++ cmd[i++] = 0; // x ++ cmd[i++] = 0; // y ++ cmd[i++] = 0; // z ++ cmd[i++] = 8; // w ++ cmd[i++] = 4; // h ++ cmd[i++] = 3; // d ++ memset(&cmd[i], 0, size - i); ++ ++ virgl_renderer_submit_cmd((void *) cmd, ctx_id, size); ++} ++ ++ + int main() + { + initialize_environment(); +@@ -979,6 +1021,7 @@ int main() + test_cs_nullpointer_deference(); + test_vrend_set_signle_abo_heap_overflow(); + ++ test_vrend_3d_resource_overflow(); + + virgl_renderer_context_destroy(ctx_id); + virgl_renderer_cleanup(&cookie); +-- +2.27.0 + diff --git a/virglrenderer.spec b/virglrenderer.spec index a46f79e..87af7d5 100644 --- a/virglrenderer.spec +++ b/virglrenderer.spec @@ -1,6 +1,6 @@ Name: virglrenderer Version: 0.8.2 -Release: 2 +Release: 3 Summary: VirGL virtual OpenGL renderer License: MIT URL: https://virgil3d.github.io @@ -8,6 +8,7 @@ URL: https://virgil3d.github.io Source0: https://gitlab.freedesktop.org/virgl/%{name}/-/archive/%{name}-%{version}/%{name}-%{name}-%{version}.tar.gz Patch00: 0000-vrend-clear-memory-when-allocating-a-host-backed-mem.patch +Patch01: 0001-vrend-Add-test-to-resource-OOB-write-and-fix-it.patch BuildRequires: meson BuildRequires: python3 @@ -58,6 +59,9 @@ Requires: %{name}%{?_isa} = %{version}-%{release} %{_libdir}/pkgconfig/*.pc %changelog +* Sat Aug 27 2022 yezengruan - 0.8.2-3 +- vrend: Add test to resource OOB write and fix it (CVE-2022-0135) + * Wed Jul 06 2022 yezengruan - 0.8.2-2 - vrend: clear memory when allocating a host-backed memory resource (CVE-2022-0175) -- Gitee
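Review bot: In the added `test_vrend_3d_resource_overflow`, `memset(&cmd[i], 0, size - i);` clears `size - i` bytes of a `uint32_t cmd[size]` array, so only about a quarter of the remaining command words are zeroed and the rest of the buffer handed to `virgl_renderer_submit_cmd` is uninitialized stack memory, which makes the regression test's input non-deterministic; use `memset(&cmd[i], 0, (size - i) * sizeof cmd[0]);`. The return values of `virgl_renderer_resource_create` and `virgl_renderer_ctx_attach_resource` are discarded, so if resource creation fails the submit exercises a different path than the test intends; checking them would keep the test meaningful. In the `vrend_renderer.c` hunk, the new `else if (need_temp && info->box->depth != 1) return EINVAL;` rejects a stray depth only on the temp-buffer path, which is the one that allocates `malloc(send_size)`; how the non-temp path handles `depth != 1` is not visible here, so a short comment on the guard, such as `/* only the temp-buffer path sizes its allocation from depth */`, would record why the check is limited to it — confirm the non-temp path is bounded elsewhere before relying on that. The enclosing `vrend_renderer_transfer_write_iov` starts and ends outside the hunk.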