tests: Add test to check heap overflow with atomic buffer object

Related #160

Signed-off-by: Gert Wollny <gert.wollny@collabora.com>
Reviewed-by: Lepton Wu <lepton@chromium.org>
macos/master
Gert Wollny 5 years ago
parent 32c50df297
commit 4df12ad51f
  1. 249
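--- a/tests/test_fuzzer_formats.c
+++ b/tests/test_fuzzer_formats.c
@@ -711,6 +711,253 @@ static void test_cs_nullpointer_deference()
 virgl_renderer_submit_cmd((void *) cmd, ctx_id, 9);
 }
+static void test_vrend_set_signle_abo_heap_overflow() {
+struct virgl_renderer_resource_create_args args;
+args.handle = 0x4c474572;
+args.target = 0;
+args.format = 0x43;
+args.bind = 0x80000;
+args.width = 0x5f5f616d;
+args.height = 0x69667562;
+args.depth = 0x726f706d;
+args.array_size = 0xbbbbbb74;
+args.last_level = 0xbbbbbbbb;
+args.nr_samples = 0xbbbbbbbb;
+args.flags = 0xff;
+virgl_renderer_resource_create(&args, NULL, 0);
+virgl_renderer_ctx_attach_resource(ctx_id, args.handle);
+uint32_t cmd[0xde];
+int i = 0;
+cmd[i++] = 0x000e1919;
+cmd[i++] = 0x00003f00;
+cmd[i++] = 0xc7cf3000;
+cmd[i++] = 0x00083907;
+cmd[i++] = 0x6e73735f;
+cmd[i++] = 0x32323232;
+cmd[i++] = 0x19312161;
+cmd[i++] = 0x19191919;
+cmd[i++] = 0x19191919;
+cmd[i++] = 0x19191919;
+cmd[i++] = 0xffbe1959;
+cmd[i++] = 0xbbbbbbff;
+cmd[i++] = 0xbbbbbb29;
+cmd[i++] = 0xbbbbbbbb;
+cmd[i++] = 0x000000ff;
+cmd[i++] = 0x000e1928;
+cmd[i++] = 0x00000000;
+cmd[i++] = 0x4111d000;
+cmd[i++] = 0xfe010000;
+cmd[i++] = 0x00000172;
+cmd[i++] = 0x32323200;
+cmd[i++] = 0xe6cedea2;
+cmd[i++] = 0xe6e6e6e6;
+cmd[i++] = 0x19191919;
+cmd[i++] = 0x19191919;
+cmd[i++] = 0xffbe1959;
+cmd[i++] = 0xbbbbbbff;
+cmd[i++] = 0xbbbbbbbb;
+cmd[i++] = 0xbbbbbbbb;
+cmd[i++] = 0x000000ff;
+cmd[i++] = 0x000e1919;
+cmd[i++] = 0x00000000;
+cmd[i++] = 0xc7cfa400;
+cmd[i++] = 0x00083907;
+cmd[i++] = 0x6e73735f;
+cmd[i++] = 0x32323232;
+cmd[i++] = 0x19312161;
+cmd[i++] = 0x19191919;
+cmd[i++] = 0x19191919;
+cmd[i++] = 0x19191919;
+cmd[i++] = 0x00000159;
+cmd[i++] = 0xbbbbbb00;
+cmd[i++] = 0xbbbbbbbb;
+cmd[i++] = 0xbbbbbbbb;
+cmd[i++] = 0x000000ff;
+cmd[i++] = 0x006e1928;
+cmd[i++] = 0x00000000;
+cmd[i++] = 0xbeee3000;
+cmd[i++] = 0xe6e6ffff;
+cmd[i++] = 0x19e6e6e6;
+cmd[i++] = 0x19191919;
+cmd[i++] = 0x59191919;
+cmd[i++] = 0xffffbe19;
+cmd[i++] = 0xbbbbbbbb;
+cmd[i++] = 0xbbbbbbbb;
+cmd[i++] = 0xffbbbbbb;
+cmd[i++] = 0x19000000;
+cmd[i++] = 0x00000e19;
+cmd[i++] = 0x00000000;
+cmd[i++] = 0x07c7cfa4;
+cmd[i++] = 0x5f000839;
+cmd[i++] = 0x326e7373;
+cmd[i++] = 0x00390732;
+cmd[i++] = 0x00000000;
+cmd[i++] = 0x4111d000;
+cmd[i++] = 0xfe010000;
+cmd[i++] = 0x00000172;
+cmd[i++] = 0x32323200;
+cmd[i++] = 0xe6cedea2;
+cmd[i++] = 0xe6e6e6e6;
+cmd[i++] = 0x19191919;
+cmd[i++] = 0x19191919;
+cmd[i++] = 0xffbe1959;
+cmd[i++] = 0xbbbbbbff;
+cmd[i++] = 0xbbbbbbbb;
+cmd[i++] = 0xbbbbbbbb;
+cmd[i++] = 0x000000ff;
+cmd[i++] = 0x000e1919;
+cmd[i++] = 0x00000000;
+cmd[i++] = 0xc7cfa400;
+cmd[i++] = 0x00083907;
+cmd[i++] = 0x6e73735f;
+cmd[i++] = 0x32323232;
+cmd[i++] = 0x19312161;
+cmd[i++] = 0x19191919;
+cmd[i++] = 0x19191919;
+cmd[i++] = 0x19191919;
+cmd[i++] = 0x00000159;
+cmd[i++] = 0xbbbbbb00;
+cmd[i++] = 0xbbbbbbbb;
+cmd[i++] = 0xbbbbbbbb;
+cmd[i++] = 0x000000ff;
+cmd[i++] = 0x002e1928;
+cmd[i++] = 0x00000000;
+cmd[i++] = 0xbeee3000;
+cmd[i++] = 0xe6e6ffff;
+cmd[i++] = 0x19e6e6e6;
+cmd[i++] = 0x19191919;
+cmd[i++] = 0x59191919;
+cmd[i++] = 0xffffbe19;
+cmd[i++] = 0xbbbbbbbb;
+cmd[i++] = 0xbbbbbbbb;
+cmd[i++] = 0xffbbbbbb;
+cmd[i++] = 0x19000000;
+cmd[i++] = 0x00000a19;
+cmd[i++] = 0x00000000;
+cmd[i++] = 0x07c7cfa4;
+cmd[i++] = 0x5f000839;
+cmd[i++] = 0x326e7373;
+cmd[i++] = 0x08390732;
+cmd[i++] = 0x73735f00;
+cmd[i++] = 0x3232326e;
+cmd[i++] = 0x31216132;
+cmd[i++] = 0x19191919;
+cmd[i++] = 0x19191919;
+cmd[i++] = 0x19191919;
+cmd[i++] = 0x00015919;
+cmd[i++] = 0xbbbb0000;
+cmd[i++] = 0xbbbbbbbb;
+cmd[i++] = 0x00bbbbbb;
+cmd[i++] = 0x00000000;
+cmd[i++] = 0x00000000;
+cmd[i++] = 0x00000000;
+cmd[i++] = 0x00000000;
+cmd[i++] = 0x00000000;
+cmd[i++] = 0x00000000;
+cmd[i++] = 0x00000000;
+cmd[i++] = 0x00000000;
+cmd[i++] = 0x00000000;
+cmd[i++] = 0x00000000;
+cmd[i++] = 0x00000000;
+cmd[i++] = 0x00000000;
+cmd[i++] = 0x00000000;
+cmd[i++] = 0x00000000;
+cmd[i++] = 0x00000000;
+cmd[i++] = 0x00000000;
+cmd[i++] = 0x00000000;
+cmd[i++] = 0xbbbb0000;
+cmd[i++] = 0x000000ff;
+cmd[i++] = 0x002e1928;
+cmd[i++] = 0x00000000;
+cmd[i++] = 0x08ee3000;
+cmd[i++] = 0x73735f00;
+cmd[i++] = 0x3232326e;
+cmd[i++] = 0x31216132;
+cmd[i++] = 0x19191919;
+cmd[i++] = 0x19191919;
+cmd[i++] = 0x19191919;
+cmd[i++] = 0x00015919;
+cmd[i++] = 0xbbbb0000;
+cmd[i++] = 0xbbbbbbbb;
+cmd[i++] = 0x00bbbbbb;
+cmd[i++] = 0x00000000;
+cmd[i++] = 0x00000000;
+cmd[i++] = 0x00000000;
+cmd[i++] = 0x00000000;
+cmd[i++] = 0x00000000;
+cmd[i++] = 0x00000000;
+cmd[i++] = 0x00000000;
+cmd[i++] = 0x00000000;
+cmd[i++] = 0x00000000;
+cmd[i++] = 0x00000000;
+cmd[i++] = 0x00000000;
+cmd[i++] = 0x00000000;
+cmd[i++] = 0x00000000;
+cmd[i++] = 0x00000000;
+cmd[i++] = 0x00000000;
+cmd[i++] = 0x00000000;
+cmd[i++] = 0x00000000;
+cmd[i++] = 0xbbbb0000;
+cmd[i++] = 0x000000ff;
+cmd[i++] = 0x002e1928;
+cmd[i++] = 0x00000000;
+cmd[i++] = 0xbeee3000;
+cmd[i++] = 0xe6e6ffff;
+cmd[i++] = 0x19e6e6e6;
+cmd[i++] = 0x19191919;
+cmd[i++] = 0x59191919;
+cmd[i++] = 0xffffbe19;
+cmd[i++] = 0xbbbbbbbb;
+cmd[i++] = 0xbbbbbbbb;
+cmd[i++] = 0xffbbbbbb;
+cmd[i++] = 0x19000000;
+cmd[i++] = 0x61323219;
+cmd[i++] = 0x19193121;
+cmd[i++] = 0x19191919;
+cmd[i++] = 0x19191919;
+cmd[i++] = 0xbbbbbb19;
+cmd[i++] = 0xbbbbbbbb;
+cmd[i++] = 0xffbbbbbb;
+cmd[i++] = 0x28000000;
+cmd[i++] = 0x00002e19;
+cmd[i++] = 0x00000000;
+cmd[i++] = 0xffbeee30;
+cmd[i++] = 0x00cffeff;
+cmd[i++] = 0x00000000;
+cmd[i++] = 0x00000000;
+cmd[i++] = 0x00000000;
+cmd[i++] = 0x00000000;
+cmd[i++] = 0x00006161;
+cmd[i++] = 0x315d3100;
+cmd[i++] = 0x00000000;
+cmd[i++] = 0x00000000;
+cmd[i++] = 0x00000000;
+cmd[i++] = 0x00000000;
+cmd[i++] = 0x00000000;
+cmd[i++] = 0x00000000;
+cmd[i++] = 0x00000000;
+cmd[i++] = 0x00000000;
+cmd[i++] = 0xbb000000;
+cmd[i++] = 0xbbbbbbbb;
+cmd[i++] = 0x000000ff;
+cmd[i++] = 0x000e1919;
+cmd[i++] = 0x00000000;
+cmd[i++] = 0xc7cfa400;
+cmd[i++] = 0x7865745f;
+cmd[i++] = 0x00000000;
+cmd[i++] = 0x65727574;
+cmd[i++] = 0x0b87765f;
+cmd[i++] = 0x40000137;
+cmd[i++] = 0x00004000;
+cmd[i++] = 0x00340034;
+virgl_renderer_submit_cmd((void *) cmd, ctx_id, 0xde);
+}
 int main()
 {
 initialize_environment();
@@ -731,6 +978,8 @@ int main()
 test_heap_overflow_vrend_renderer_transfer_write_iov_compressed_tex();
 test_cs_nullpointer_deference();
+test_vrend_set_signle_abo_heap_overflow();
 virgl_renderer_context_destroy(ctx_id);
 virgl_renderer_cleanup(&cookie);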
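Review bot: The new test_vrend_set_signle_abo_heap_overflow() contains no assertion and discards the return values of virgl_renderer_resource_create() and virgl_renderer_submit_cmd(), so it can only fail by crashing. Unless this binary is built with a memory sanitizer (the build flags are not visible here), a regression of the overflow tracked in #160 that corrupts the heap without faulting would still pass. A header comment should state that pass criterion, for example `/* Regression for #160: fuzzer-derived command stream; only meaningful when run under ASan */`. The 222 `cmd[i++]` stores match `uint32_t cmd[0xde]` today, but nothing enforces it; a check such as `assert(i == 0xde);` before the submit (if assert.h is available in this file) would stop a later edit from submitting uninitialised stack words or writing past the array. "signle" in the function name also looks like a typo for "single".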
