As the 'pkt_length' and 'offlen' can be malicious from guest,
the vrend_create_shader function has an integer overflow, this
will make the next 'memcpy' oob access. This patch avoid this.
Signed-off-by: Li Qiang <liq3ea@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
The 'num_elements' can be controlled by the guest but the
'vrend_vertex_element_array' has a fixed 'elements' field.
This can cause a heap overflow. Add sanity check of 'num_elements'.
Signed-off-by: Li Qiang <liq3ea@gmail.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Just return if the resource has been attached a iov
to avoid memory leak.
Signed-off-by: Li Qiang <liq3ea@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
If the shader failed to be finished, it should be removed from the
hashtable if it was already inserted. Use the goto error path in this
case to handle shader destroy and prevent potential later lookup of
invalid shader from the hashtable.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
If we have a lot of draws we end up traversing the linked list
looking for the same shader on each draw call even if the
shader is the same one we used the last time.
This removes a chunk of CPU overhead in the draw path.
This seems to do better in xonotic traces, we at least don't
traverse as much of the list to pick up the shaders.
I think we should be using a hash table here really.
We are seeing shaders with 0 and 2 inputs, but no 1, so we need
to handle gaps properly.
This fixes some regressions in drawpixels after some mesa changes
on the guest.
It's unfortunate, but the i965 driver deliberately crash on such simple test
case. Fortunately, it seems fairly straightforward to avoid it in virgl.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
If the current context is one of the subcontext to be destroyed,
vrend_destroy_sub_context() will fail after the last context is
destroyed.
Found thanks to amaerican fuzzy lop.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Some american fuzzy lop tests managed to replace resources, however the
old values got leaked (I am not sure if this should be allowed)
In all cases, introduce a destroy callback to the hashtable, used when a
value is removed, replaced or the table is cleared. This simplifies a
bit resource management and help avoid potential errors by using simply
refcounts.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Resources are reference-counted, if another object holds a reference to
a resource, it should not free it. Change the resource hashtable destroy
callback to unref.
Currently, this doesn't happen, since the resource hashtable is kept
until the renderer is reset. However, in the next commit, the destroy
callback will be used if a resource is replaced in the hashtable, and we
want to keep the original resource. Furthermore, even if replace
shouldn't happen, it avoids confusion and future errors if use only
reference-counting mechanism.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Since the memcpy() is done over multiple of 4 bytes, over-allocate the
destination buffer to fit multiple of 4 shader length.
Fix found thanks to american fuzzy lop.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Or we could sit for a very long time in some further loops.
Fix found thanks to american fuzzy lop.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
If we didn't run succesfully vrend_destroy_shader_selector(),
sel->sinfo.so_names might be NULL.
Fix found thanks to american fuzzy lop.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
That way an value if (type > PIPE_SHADER_GEOMETRY) guard will actually
work for all values.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
That would later crash in util_format_description() or others
Fix found thanks to american fuzzy lop.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>