1 /**************************************************************************
2 *
3 * Copyright (C) 2019 Collabora Ltd
4 *
5 * Permission is hereby granted, free of charge, to any person obtaining a
6 * copy of this software and associated documentation files (the "Software"),
7 * to deal in the Software without restriction, including without limitation
8 * the rights to use, copy, modify, merge, publish, distribute, sublicense,
9 * and/or sell copies of the Software, and to permit persons to whom the
10 * Software is furnished to do so, subject to the following conditions:
11 *
12 * The above copyright notice and this permission notice shall be included
13 * in all copies or substantial portions of the Software.
14 *
15 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
16 * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
18 * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR
19 * OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
20 * ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
21 * OTHER DEALINGS IN THE SOFTWARE.
22 *
23 **************************************************************************/
24
25 /*
This file contains regression tests for bugs found by fuzzing.
27 Thanks Matthew Shao for reporting these.
28 */
29
30 #include <stdint.h>
31 #include <stddef.h>
32 #include <sys/uio.h>
33 #include <assert.h>
34 #include <unistd.h>
35 #include <stdlib.h>
36 #include <string.h>
37
38 #include "virgl_hw.h"
39 #include "vrend_winsys_egl.h"
40 #include "virglrenderer.h"
41 #include "virgl_protocol.h"
42 #include <epoxy/egl.h>
43
44
/* Opaque cookie handed to virgl_renderer_init(); the callbacks in this file
 * receive it back but ignore it, so a single dummy field is enough. */
struct fuzzer_cookie {
   int dummy;
};

static struct fuzzer_cookie cookie = { .dummy = 0 };
/* The one renderer context all tests below submit their commands to. */
static const uint32_t ctx_id = 1;
/* EGL state created by initialize_environment() and torn down in main(). */
static struct virgl_egl *test_egl = NULL;
53
/* Fence-completion callback. Nothing in this file creates or waits on a
 * fence, so completions are simply dropped. */
static void fuzzer_write_fence(UNUSED void *opaque, UNUSED uint32_t fence)
{
}
55
/* Create a GL context on the test EGL display using the GL version the
 * renderer asks for. Contexts are never shared with each other. */
static virgl_renderer_gl_context
fuzzer_create_gl_context(UNUSED void *cookie, UNUSED int scanout_idx,
                         struct virgl_renderer_gl_ctx_param *param)
{
   struct virgl_gl_ctx_param vparams = {
      .shared = false,
      .major_ver = param->major_ver,
      .minor_ver = param->minor_ver,
   };
   return virgl_egl_create_context(test_egl, &vparams);
}
66
/* Destroy a context previously returned by fuzzer_create_gl_context().
 * (The name keeps its historical misspelling; fuzzer_cbs refers to it.) */
static void
fuzzer_destory_gl_context(UNUSED void *cookie, virgl_renderer_gl_context ctx)
{
   virgl_egl_destroy_context(test_egl, ctx);
}
71
/* Make ctx current on the test EGL display; returns whatever the EGL
 * winsys layer reports. The scanout index is irrelevant here. */
static int
fuzzer_make_current(UNUSED void *cookie, UNUSED int scanout_idx,
                    virgl_renderer_gl_context ctx)
{
   return virgl_egl_make_context_current(test_egl, ctx);
}
77
78
/* Renderer callbacks: fences are ignored, GL context management is routed
 * to the test's own EGL display (test_egl). */
static struct virgl_renderer_callbacks fuzzer_cbs = {
   .version            = 1,
   .write_fence        = fuzzer_write_fence,
   .create_gl_context  = fuzzer_create_gl_context,
   .destroy_gl_context = fuzzer_destory_gl_context,
   .make_current       = fuzzer_make_current,
};
86
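/* Bring up a software EGL/GLES renderer and create the single context
 * (ctx_id) that every test submits into. Any failure aborts the run here,
 * so a broken environment is not mistaken for a renderer bug later on. */
static void initialize_environment(void)
{
   /* Mesa environment variables: select the software rasterizer so the run
    * does not depend on host GPU drivers. The 0 keeps a caller's override. */
   setenv("LIBGL_ALWAYS_SOFTWARE", "true", 0);
   setenv("GALLIUM_DRIVER", "softpipe", 0);
   test_egl = virgl_egl_init(NULL, true, true);
   assert(test_egl);

   /* Both renderer entry points report success with 0. */
   int ret = virgl_renderer_init(&cookie, VIRGL_RENDERER_USE_GLES |
                                 VIRGL_RENDERER_USE_SURFACELESS, &fuzzer_cbs);
   assert(ret == 0);

   const char *name = "fuzzctx";
   ret = virgl_renderer_context_create(ctx_id, (unsigned)strlen(name), name);
   assert(ret == 0);
   (void)ret; /* keeps -Wunused quiet when NDEBUG strips the asserts */
}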
100
/* Regression test (see the function name): a resource whose height and depth
 * are both 0, then a self-blit on it whose dformat (0x1000029) disagrees with
 * the resource's format (10). The run must complete without crashing. */
static void test_format_wrong_size()
{
   struct virgl_renderer_resource_create_args args = {
      .handle = 10,
      .target = 3,
      .format = 10,
      .bind = 10,
      .width = 2,
      .height = 0,
      .depth = 0,
      .array_size = 0,
      .last_level = 0,
      .nr_samples = 0,
      .flags = 0,
   };
   virgl_renderer_resource_create(&args, NULL, 0);
   virgl_renderer_ctx_attach_resource(ctx_id, args.handle);

   /* Header: dword count << 16 | object type << 8 | command id. */
   uint32_t cmd[VIRGL_CMD_BLIT_SIZE + 1] = {
      VIRGL_CMD_BLIT_SIZE << 16 | 0 << 8 | VIRGL_CCMD_BLIT,
      0x8000001, /* s0 */
      0,         /* minxy */
      0,         /* maxxy */
      10,        /* dhandle */
      0,         /* dlevel */
      0x1000029, /* dformat */
      0, 0, 0,   /* dx, dy, dz */
      0, 0, 0,   /* dw, dh, dd */
      10,        /* shandle */
      0,         /* slevel */
      0,         /* sformat */
      0, 0, 0,   /* sx, sy, sz */
      0, 0, 0,   /* sw, sh, sd */
   };
   virgl_renderer_submit_cmd((void *) cmd, ctx_id, VIRGL_CMD_BLIT_SIZE + 1);
}
147
/* Regression test (see the function name): only creates and attaches a
 * resource with format 191 and a 49x0x0 extent; the failure path of that
 * creation is what once double-freed. */
static void test_format_fail_and_double_free()
{
   struct virgl_renderer_resource_create_args args = {
      .handle = 1,
      .target = 3,
      .format = 191,
      .bind = 10,
      .width = 49,
      .height = 0,
      .depth = 0,
      .array_size = 0,
      .last_level = 0,
      .nr_samples = 0,
      .flags = 0,
   };
   virgl_renderer_resource_create(&args, NULL, 0);
   virgl_renderer_ctx_attach_resource(ctx_id, args.handle);
}
167
168
169
170
171 /* Issue #141 */
/* Self-blit on a valid 2x1x1 resource where the blit's dformat (0x1000029)
 * does not match the resource/sformat (10); exercises the format check in
 * the blit-info validation. */
static void test_blit_info_format_check()
{
   struct virgl_renderer_resource_create_args args = {
      .handle = 10,
      .target = 3,
      .format = 10,
      .bind = 10,
      .width = 2,
      .height = 1,
      .depth = 1,
      .array_size = 0,
      .last_level = 0,
      .nr_samples = 0,
      .flags = 0,
   };
   virgl_renderer_resource_create(&args, NULL, 0);
   virgl_renderer_ctx_attach_resource(ctx_id, args.handle);

   /* Header: dword count << 16 | object type << 8 | command id. */
   uint32_t cmd[VIRGL_CMD_BLIT_SIZE + 1] = {
      VIRGL_CMD_BLIT_SIZE << 16 | 0 << 8 | VIRGL_CCMD_BLIT,
      0x8000001, /* s0 */
      0,         /* minxy */
      0,         /* maxxy */
      10,        /* dhandle */
      0,         /* dlevel */
      0x1000029, /* dformat */
      0, 0, 0,   /* dx, dy, dz */
      0, 0, 0,   /* dw, dh, dd */
      10,        /* shandle */
      0,         /* slevel */
      10,        /* sformat */
      0, 0, 0,   /* sx, sy, sz */
      0, 0, 0,   /* sw, sh, sd */
   };
   virgl_renderer_submit_cmd((void *) cmd, ctx_id, VIRGL_CMD_BLIT_SIZE + 1);
}
218
/* Same resource as test_blit_info_format_check(), but the blit carries
 * dformat 1 and sformat 0 (a "null" format) to hit the other branch of the
 * blit-info format check. */
static void test_blit_info_format_check_null_format()
{
   struct virgl_renderer_resource_create_args args = {
      .handle = 10,
      .target = 3,
      .format = 10,
      .bind = 10,
      .width = 2,
      .height = 1,
      .depth = 1,
      .array_size = 0,
      .last_level = 0,
      .nr_samples = 0,
      .flags = 0,
   };
   virgl_renderer_resource_create(&args, NULL, 0);
   virgl_renderer_ctx_attach_resource(ctx_id, args.handle);

   /* Header: dword count << 16 | object type << 8 | command id. */
   uint32_t cmd[VIRGL_CMD_BLIT_SIZE + 1] = {
      VIRGL_CMD_BLIT_SIZE << 16 | 0 << 8 | VIRGL_CCMD_BLIT,
      0x8000001, /* s0 */
      0,         /* minxy */
      0,         /* maxxy */
      10,        /* dhandle */
      0,         /* dlevel */
      1,         /* dformat */
      0, 0, 0,   /* dx, dy, dz */
      0, 0, 0,   /* dw, dh, dd */
      10,        /* shandle */
      0,         /* slevel */
      0,         /* sformat */
      0, 0, 0,   /* sx, sy, sz */
      0, 0, 0,   /* sw, sh, sd */
   };
   virgl_renderer_submit_cmd((void *) cmd, ctx_id, VIRGL_CMD_BLIT_SIZE + 1);
}
265
266 /* #142 */
/* Resource with format 126 and a 10x10x10 extent on target 0, then a blit
 * with an out-of-range dformat (445382656) and a non-zero dx/sh. Per the
 * test name this once dereferenced NULL in the format-description lookup. */
static void test_format_is_plain_nullptr_deref_trigger()
{
   struct virgl_renderer_resource_create_args args = {
      .handle = 10,
      .target = 0,
      .format = 126,
      .bind = 2,
      .width = 10,
      .height = 10,
      .depth = 10,
      .array_size = 0,
      .last_level = 0,
      .nr_samples = 0,
      .flags = 0,
   };
   virgl_renderer_resource_create(&args, NULL, 0);
   virgl_renderer_ctx_attach_resource(ctx_id, args.handle);

   /* Header: dword count << 16 | object type << 8 | command id. */
   uint32_t cmd[VIRGL_CMD_BLIT_SIZE + 1] = {
      VIRGL_CMD_BLIT_SIZE << 16 | 0 << 8 | VIRGL_CCMD_BLIT,
      0,         /* s0 */
      0,         /* minxy */
      0,         /* maxxy */
      10,        /* dhandle */
      0,         /* dlevel */
      445382656, /* dformat */
      3, 0, 0,   /* dx, dy, dz */
      0, 0, 0,   /* dw, dh, dd */
      10,        /* shandle */
      0,         /* slevel */
      126,       /* sformat */
      0, 0, 0,   /* sx, sy, sz */
      0, 3, 0,   /* sw, sh, sd */
   };
   virgl_renderer_submit_cmd((void *) cmd, ctx_id, VIRGL_CMD_BLIT_SIZE + 1);
}
313
314 /* Issue #143 */
/* A sampler view with an out-of-range format (3107) on a resource whose
 * own creation is already questionable (target 0, height and depth 0).
 * Per the test name the format lookup once dereferenced NULL. */
static void test_format_util_format_is_rgb_nullptr_deref_trigger_illegal_resource()
{
   struct virgl_renderer_resource_create_args args = {
      .handle = 8,
      .target = 0,
      .format = 109,
      .bind = 8,
      .width = 2,
      .height = 0,
      .depth = 0,
      .array_size = 0,
      .last_level = 0,
      .nr_samples = 0,
      .flags = 0,
   };
   virgl_renderer_resource_create(&args, NULL, 0);
   virgl_renderer_ctx_attach_resource(ctx_id, args.handle);

   /* Header: dword count << 16 | object type << 8 | command id. */
   uint32_t cmd[VIRGL_OBJ_SAMPLER_VIEW_SIZE + 1] = {
      VIRGL_OBJ_SAMPLER_VIEW_SIZE << 16 | VIRGL_OBJECT_SAMPLER_VIEW << 8 | VIRGL_CCMD_CREATE_OBJECT,
      35,   /* handle */
      8,    /* res_handle */
      3107, /* format */
      0,    /* first element */
      0,    /* last element */
      0,    /* swizzle */
   };
   virgl_renderer_submit_cmd((void *) cmd, ctx_id, VIRGL_OBJ_SAMPLER_VIEW_SIZE + 1);
}
346
/* Same sampler-view command as the _illegal_resource variant, but issued on
 * a resource with a sane 2x2 extent (target 1), so only the view's format
 * (3107) is out of range. */
static void test_format_util_format_is_rgb_nullptr_deref_trigger()
{
   struct virgl_renderer_resource_create_args args = {
      .handle = 8,
      .target = 1,
      .format = 109,
      .bind = 8,
      .width = 2,
      .height = 2,
      .depth = 0,
      .array_size = 0,
      .last_level = 0,
      .nr_samples = 0,
      .flags = 0,
   };
   virgl_renderer_resource_create(&args, NULL, 0);
   virgl_renderer_ctx_attach_resource(ctx_id, args.handle);

   /* Header: dword count << 16 | object type << 8 | command id. */
   uint32_t cmd[VIRGL_OBJ_SAMPLER_VIEW_SIZE + 1] = {
      VIRGL_OBJ_SAMPLER_VIEW_SIZE << 16 | VIRGL_OBJECT_SAMPLER_VIEW << 8 | VIRGL_CCMD_CREATE_OBJECT,
      35,   /* handle */
      8,    /* res_handle */
      3107, /* format */
      0,    /* first element */
      0,    /* last element */
      0,    /* swizzle */
   };
   virgl_renderer_submit_cmd((void *) cmd, ctx_id, VIRGL_OBJ_SAMPLER_VIEW_SIZE + 1);
}
378
379 /* Test as reported in #139 */
/* Reproduction of the reported double free: three resource creations, with
 * handle 1 created twice (second time with a different target and format),
 * then a blit from handle 1 to handle 6 whose formats are both 0 and whose
 * sz field is the absurd 268435456. */
static void test_double_free_in_vrend_renderer_blit_int_trigger_invalid_formats()
{
   static const struct virgl_renderer_resource_create_args resources[] = {
      { .handle = 1, .target = 0, .format = 262144, .bind = 131072,
        .width = 1, .height = 1, .depth = 1, .array_size = 0,
        .last_level = 0, .nr_samples = 0, .flags = 0 },
      { .handle = 6, .target = 4, .format = 1, .bind = 2,
        .width = 2, .height = 0, .depth = 1, .array_size = 6,
        .last_level = 2, .nr_samples = 0, .flags = 0 },
      { .handle = 1, .target = 7, .format = 237, .bind = 1,
        .width = 6, .height = 0, .depth = 1, .array_size = 0,
        .last_level = 0, .nr_samples = 6, .flags = 0 },
   };
   for (size_t k = 0; k < sizeof resources / sizeof resources[0]; k++) {
      /* resource_create takes a non-const pointer; hand it a fresh copy. */
      struct virgl_renderer_resource_create_args args = resources[k];
      virgl_renderer_resource_create(&args, NULL, 0);
      virgl_renderer_ctx_attach_resource(ctx_id, args.handle);
   }

   /* Header: dword count << 16 | object type << 8 | command id. */
   uint32_t cmd[VIRGL_CMD_BLIT_SIZE + 1] = {
      VIRGL_CMD_BLIT_SIZE << 16 | 0 << 8 | VIRGL_CCMD_BLIT,
      17113104,        /* s0 */
      1,               /* minxy */
      36,              /* maxxy */
      6,               /* dhandle */
      0,               /* dlevel */
      0,               /* dformat */
      0, 0, 0,         /* dx, dy, dz */
      6, 0, 0,         /* dw, dh, dd */
      1,               /* shandle */
      0,               /* slevel */
      0,               /* sformat */
      0, 0, 268435456, /* sx, sy, sz */
      0, 0, 0,         /* sw, sh, sd */
   };
   virgl_renderer_submit_cmd((void *) cmd, ctx_id, VIRGL_CMD_BLIT_SIZE + 1);
}
456
/* Variant of the #139 reproduction using a real depth format
 * (VIRGL_FORMAT_Z32_UNORM) everywhere: handle 1 is created twice (the
 * second time as target 7 with an array of 2), then a 6x1x1 blit from
 * handle 1 to handle 6 with a 1x2x1 source box. */
static void test_double_free_in_vrend_renderer_blit_int_trigger()
{
   static const struct virgl_renderer_resource_create_args resources[] = {
      { .handle = 1, .target = 2, .format = VIRGL_FORMAT_Z32_UNORM,
        .bind = VIRGL_BIND_SAMPLER_VIEW, .width = 2, .height = 2, .depth = 1,
        .array_size = 0, .last_level = 0, .nr_samples = 1, .flags = 0 },
      { .handle = 6, .target = 2, .format = VIRGL_FORMAT_Z32_UNORM,
        .bind = VIRGL_BIND_SAMPLER_VIEW, .width = 2, .height = 2, .depth = 1,
        .array_size = 0, .last_level = 0, .nr_samples = 0, .flags = 0 },
      { .handle = 1, .target = 7, .format = VIRGL_FORMAT_Z32_UNORM,
        .bind = 1, .width = 6, .height = 1, .depth = 1,
        .array_size = 2, .last_level = 0, .nr_samples = 0, .flags = 0 },
   };
   for (size_t k = 0; k < sizeof resources / sizeof resources[0]; k++) {
      /* resource_create takes a non-const pointer; hand it a fresh copy. */
      struct virgl_renderer_resource_create_args args = resources[k];
      virgl_renderer_resource_create(&args, NULL, 0);
      virgl_renderer_ctx_attach_resource(ctx_id, args.handle);
   }

   /* Header: dword count << 16 | object type << 8 | command id. */
   uint32_t cmd[VIRGL_CMD_BLIT_SIZE + 1] = {
      VIRGL_CMD_BLIT_SIZE << 16 | 0 << 8 | VIRGL_CCMD_BLIT,
      0x30,                   /* s0 */
      1,                      /* minxy */
      36,                     /* maxxy */
      6,                      /* dhandle */
      0,                      /* dlevel */
      VIRGL_FORMAT_Z32_UNORM, /* dformat */
      0, 0, 0,                /* dx, dy, dz */
      6, 1, 1,                /* dw, dh, dd */
      1,                      /* shandle */
      0,                      /* slevel */
      VIRGL_FORMAT_Z32_UNORM, /* sformat */
      0, 0, 0,                /* sx, sy, sz */
      1, 2, 1,                /* sw, sh, sd */
   };
   virgl_renderer_submit_cmd((void *) cmd, ctx_id, VIRGL_CMD_BLIT_SIZE + 1);
}
533
534
/* Original reproduction: a resource with width 0 (target 0, 0x45x35) and a
 * sampler view on it with an out-of-range format (524288) and swizzle 10.
 * Per the test name the alpha check on the format once dereferenced NULL. */
static void test_format_is_has_alpha_nullptr_deref_trigger_original()
{
   struct virgl_renderer_resource_create_args args = {
      .handle = 8,
      .target = 0,
      .format = 10,
      .bind = 8,
      .width = 0,
      .height = 45,
      .depth = 35,
      .array_size = 0,
      .last_level = 0,
      .nr_samples = 0,
      .flags = 0,
   };
   virgl_renderer_resource_create(&args, NULL, 0);
   virgl_renderer_ctx_attach_resource(ctx_id, args.handle);

   /* Header: dword count << 16 | object type << 8 | command id. */
   uint32_t cmd[VIRGL_OBJ_SAMPLER_VIEW_SIZE + 1] = {
      VIRGL_OBJ_SAMPLER_VIEW_SIZE << 16 | VIRGL_OBJECT_SAMPLER_VIEW << 8 | VIRGL_CCMD_CREATE_OBJECT,
      35,     /* handle */
      8,      /* res_handle */
      524288, /* format */
      0,      /* first_ele */
      0,      /* last_ele */
      10,     /* swizzle */
   };
   virgl_renderer_submit_cmd((void *) cmd, ctx_id, VIRGL_OBJ_SAMPLER_VIEW_SIZE + 1);
}
565
566
/* Same sampler-view command as the _original variant, issued on a resource
 * that is itself valid (target 2, 10x45x1), so only the view's format
 * (524288) is bogus. */
static void test_format_is_has_alpha_nullptr_deref_trigger_legal_resource()
{
   struct virgl_renderer_resource_create_args args = {
      .handle = 8,
      .target = 2,
      .format = 10,
      .bind = 8,
      .width = 10,
      .height = 45,
      .depth = 1,
      .array_size = 0,
      .last_level = 0,
      .nr_samples = 0,
      .flags = 0,
   };
   virgl_renderer_resource_create(&args, NULL, 0);
   virgl_renderer_ctx_attach_resource(ctx_id, args.handle);

   /* Header: dword count << 16 | object type << 8 | command id. */
   uint32_t cmd[VIRGL_OBJ_SAMPLER_VIEW_SIZE + 1] = {
      VIRGL_OBJ_SAMPLER_VIEW_SIZE << 16 | VIRGL_OBJECT_SAMPLER_VIEW << 8 | VIRGL_CCMD_CREATE_OBJECT,
      35,     /* handle */
      8,      /* res_handle */
      524288, /* format */
      0,      /* first_ele */
      0,      /* last_ele */
      10,     /* swizzle */
   };
   virgl_renderer_submit_cmd((void *) cmd, ctx_id, VIRGL_OBJ_SAMPLER_VIEW_SIZE + 1);
}
597
/* Inline write into a resource of width 0 with a transfer box of width
 * 0x80000000; the 16-byte payload is a block of 'A'. Per the test name the
 * unchecked box once overflowed the heap copy in transfer_write_iov. */
static void test_heap_overflow_vrend_renderer_transfer_write_iov()
{
   struct virgl_renderer_resource_create_args args = {
      .handle = 4,
      .target = 0,
      .format = 4,
      .bind = 131072,
      .width = 0,
      .height = 1,
      .depth = 1,
      .array_size = 0,
      .last_level = 0,
      .nr_samples = 0,
      .flags = 0,
   };
   virgl_renderer_resource_create(&args, NULL, 0);
   virgl_renderer_ctx_attach_resource(ctx_id, args.handle);

   /* 11 dwords of transfer description, 4 dwords (16 bytes) of payload,
    * plus the command header. */
   enum { XFER_DWORDS = 11, PAYLOAD_DWORDS = 4 };
   uint32_t cmd[XFER_DWORDS + PAYLOAD_DWORDS + 1] = {
      (XFER_DWORDS + PAYLOAD_DWORDS) << 16 | 0 << 8 | VIRGL_CCMD_RESOURCE_INLINE_WRITE,
      4,          /* handle */
      0,          /* level */
      0,          /* usage */
      0,          /* stride */
      0,          /* layer_stride */
      0, 0, 0,    /* x, y, z */
      0x80000000, /* w */
      0,          /* h */
      0,          /* d */
   };
   /* Payload follows the header directly: 16 bytes of 'A'. */
   memset(&cmd[XFER_DWORDS + 1], 'A', PAYLOAD_DWORDS * sizeof(cmd[0]));

   virgl_renderer_submit_cmd((void *) cmd, ctx_id, XFER_DWORDS + PAYLOAD_DWORDS + 1);
}
637
/* Inline write into a 100x1x1 resource of format 203 (target 5, flags 1)
 * with inconsistent stride (135168) / layer_stride (655361) values and a
 * 5x1x0 box at x=1; the 16-byte payload is a block of 'A'. Per the test
 * name this is the compressed-texture path of the transfer_write_iov
 * overflow. */
static void test_heap_overflow_vrend_renderer_transfer_write_iov_compressed_tex()
{
   struct virgl_renderer_resource_create_args args = {
      .handle = 1,
      .target = 5,
      .format = 203,
      .bind = 1,
      .width = 100,
      .height = 1,
      .depth = 1,
      .array_size = 0,
      .last_level = 0,
      .nr_samples = 0,
      .flags = 1,
   };
   virgl_renderer_resource_create(&args, NULL, 0);
   virgl_renderer_ctx_attach_resource(ctx_id, args.handle);

   /* 11 dwords of transfer description, 4 dwords (16 bytes) of payload,
    * plus the command header. */
   enum { XFER_DWORDS = 11, PAYLOAD_DWORDS = 4 };
   uint32_t cmd[XFER_DWORDS + PAYLOAD_DWORDS + 1] = {
      (XFER_DWORDS + PAYLOAD_DWORDS) << 16 | 0 << 8 | VIRGL_CCMD_RESOURCE_INLINE_WRITE,
      1,       /* handle */
      0,       /* level */
      0,       /* usage */
      135168,  /* stride */
      655361,  /* layer_stride */
      1, 0, 0, /* x, y, z */
      5,       /* w */
      1,       /* h */
      0,       /* d */
   };
   /* Payload follows the header directly: 16 bytes of 'A'. */
   memset(&cmd[XFER_DWORDS + 1], 'A', PAYLOAD_DWORDS * sizeof(cmd[0]));

   virgl_renderer_submit_cmd((void *) cmd, ctx_id, XFER_DWORDS + PAYLOAD_DWORDS + 1);
}
677
678
/* Raw fuzzer output, replayed as-is: a resource with garbage dimensions and
 * flags, then a 9-dword command stream. The dwords are not decoded here;
 * the header word (0x0083925) encodes length, object type and command id
 * in the usual layout. */
static void test_cs_nullpointer_deference()
{
   struct virgl_renderer_resource_create_args args = {
      .handle = 0x6e735f72,
      .target = 2,
      .format = 0x101,
      .bind = 0x19191919,
      .width = 0x19191919,
      .height = 0x19191919,
      .depth = 0x411959,
      .array_size = 0,
      .last_level = 0x19190000,
      .nr_samples = 0,
      .flags = 0x31313100,
   };
   virgl_renderer_resource_create(&args, NULL, 0);
   virgl_renderer_ctx_attach_resource(ctx_id, args.handle);

   uint32_t cmd[9] = {
      0x0083925,
      0x00313131,
      0,
      0,
      0,
      0x25313131,
      0x39,
      0x0001370b,
      0x00340000,
   };
   virgl_renderer_submit_cmd((void *) cmd, ctx_id, 9);
}
712
/* Raw fuzzer output, replayed as-is: a resource with garbage dimensions and
 * a 0xde-dword command stream. The dwords are deliberately left undecoded;
 * the stream is meaningful only as the exact sequence that triggered the
 * heap overflow named in the function name. */
static void test_vrend_set_signle_abo_heap_overflow() {
   struct virgl_renderer_resource_create_args args = {
      .handle = 0x4c474572,
      .target = 0,
      .format = 0x43,
      .bind = 0x80000,
      .width = 0x5f5f616d,
      .height = 0x69667562,
      .depth = 0x726f706d,
      .array_size = 0xbbbbbb74,
      .last_level = 0xbbbbbbbb,
      .nr_samples = 0xbbbbbbbb,
      .flags = 0xff,
   };
   virgl_renderer_resource_create(&args, NULL, 0);
   virgl_renderer_ctx_attach_resource(ctx_id, args.handle);

   /* Exactly 0xde (222) dwords, four per line. */
   uint32_t cmd[0xde] = {
      0x000e1919, 0x00003f00, 0xc7cf3000, 0x00083907,
      0x6e73735f, 0x32323232, 0x19312161, 0x19191919,
      0x19191919, 0x19191919, 0xffbe1959, 0xbbbbbbff,
      0xbbbbbb29, 0xbbbbbbbb, 0x000000ff, 0x000e1928,
      0x00000000, 0x4111d000, 0xfe010000, 0x00000172,
      0x32323200, 0xe6cedea2, 0xe6e6e6e6, 0x19191919,
      0x19191919, 0xffbe1959, 0xbbbbbbff, 0xbbbbbbbb,
      0xbbbbbbbb, 0x000000ff, 0x000e1919, 0x00000000,
      0xc7cfa400, 0x00083907, 0x6e73735f, 0x32323232,
      0x19312161, 0x19191919, 0x19191919, 0x19191919,
      0x00000159, 0xbbbbbb00, 0xbbbbbbbb, 0xbbbbbbbb,
      0x000000ff, 0x006e1928, 0x00000000, 0xbeee3000,
      0xe6e6ffff, 0x19e6e6e6, 0x19191919, 0x59191919,
      0xffffbe19, 0xbbbbbbbb, 0xbbbbbbbb, 0xffbbbbbb,
      0x19000000, 0x00000e19, 0x00000000, 0x07c7cfa4,
      0x5f000839, 0x326e7373, 0x00390732, 0x00000000,
      0x4111d000, 0xfe010000, 0x00000172, 0x32323200,
      0xe6cedea2, 0xe6e6e6e6, 0x19191919, 0x19191919,
      0xffbe1959, 0xbbbbbbff, 0xbbbbbbbb, 0xbbbbbbbb,
      0x000000ff, 0x000e1919, 0x00000000, 0xc7cfa400,
      0x00083907, 0x6e73735f, 0x32323232, 0x19312161,
      0x19191919, 0x19191919, 0x19191919, 0x00000159,
      0xbbbbbb00, 0xbbbbbbbb, 0xbbbbbbbb, 0x000000ff,
      0x002e1928, 0x00000000, 0xbeee3000, 0xe6e6ffff,
      0x19e6e6e6, 0x19191919, 0x59191919, 0xffffbe19,
      0xbbbbbbbb, 0xbbbbbbbb, 0xffbbbbbb, 0x19000000,
      0x00000a19, 0x00000000, 0x07c7cfa4, 0x5f000839,
      0x326e7373, 0x08390732, 0x73735f00, 0x3232326e,
      0x31216132, 0x19191919, 0x19191919, 0x19191919,
      0x00015919, 0xbbbb0000, 0xbbbbbbbb, 0x00bbbbbb,
      0x00000000, 0x00000000, 0x00000000, 0x00000000,
      0x00000000, 0x00000000, 0x00000000, 0x00000000,
      0x00000000, 0x00000000, 0x00000000, 0x00000000,
      0x00000000, 0x00000000, 0x00000000, 0x00000000,
      0x00000000, 0xbbbb0000, 0x000000ff, 0x002e1928,
      0x00000000, 0x08ee3000, 0x73735f00, 0x3232326e,
      0x31216132, 0x19191919, 0x19191919, 0x19191919,
      0x00015919, 0xbbbb0000, 0xbbbbbbbb, 0x00bbbbbb,
      0x00000000, 0x00000000, 0x00000000, 0x00000000,
      0x00000000, 0x00000000, 0x00000000, 0x00000000,
      0x00000000, 0x00000000, 0x00000000, 0x00000000,
      0x00000000, 0x00000000, 0x00000000, 0x00000000,
      0x00000000, 0xbbbb0000, 0x000000ff, 0x002e1928,
      0x00000000, 0xbeee3000, 0xe6e6ffff, 0x19e6e6e6,
      0x19191919, 0x59191919, 0xffffbe19, 0xbbbbbbbb,
      0xbbbbbbbb, 0xffbbbbbb, 0x19000000, 0x61323219,
      0x19193121, 0x19191919, 0x19191919, 0xbbbbbb19,
      0xbbbbbbbb, 0xffbbbbbb, 0x28000000, 0x00002e19,
      0x00000000, 0xffbeee30, 0x00cffeff, 0x00000000,
      0x00000000, 0x00000000, 0x00000000, 0x00006161,
      0x315d3100, 0x00000000, 0x00000000, 0x00000000,
      0x00000000, 0x00000000, 0x00000000, 0x00000000,
      0x00000000, 0xbb000000, 0xbbbbbbbb, 0x000000ff,
      0x000e1919, 0x00000000, 0xc7cfa400, 0x7865745f,
      0x00000000, 0x65727574, 0x0b87765f, 0x40000137,
      0x00004000, 0x00340034,
   };
   virgl_renderer_submit_cmd((void *) cmd, ctx_id, 0xde);
}
959
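/* Regression test for the image-count bounds check in SET_SHADER_IMAGES:
 * the header declares one more image than PIPE_MAX_SHADER_IMAGES, so an
 * unvalidated count would index past the per-shader image array (per the
 * test name). All image elements are zero; only the count matters. */
static void test_vrend_set_shader_images_overflow(void)
{
   uint32_t num_shaders = PIPE_MAX_SHADER_IMAGES + 1;
   /* +3: command header, shader type, and the start-slot dword (left 0). */
   uint32_t size = num_shaders * VIRGL_SET_SHADER_IMAGE_ELEMENT_SIZE + 3;
   uint32_t cmd[size];
   uint32_t i = 0;
   cmd[i++] = ((size - 1) << 16) | 0 << 8 | VIRGL_CCMD_SET_SHADER_IMAGES;
   cmd[i++] = PIPE_SHADER_FRAGMENT;
   /* size and i count dwords but memset counts bytes; scale by the element
    * size so the whole remainder of the buffer is zeroed, not just a
    * quarter of it (the rest would otherwise be uninitialized stack). */
   memset(&cmd[i], 0, (size - i) * sizeof(cmd[0]));

   virgl_renderer_submit_cmd((void *) cmd, ctx_id, size);
}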
972
973 /* Test adapted from yaojun8558363@gmail.com:
974 * https://gitlab.freedesktop.org/virgl/virglrenderer/-/issues/250
975 */
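/* Inline write covering the whole of an 8x4 2D-array texture with 3 layers
 * and 2 samples (VIRGL_FORMAT_Z24X8_UNORM). The payload area of the
 * command buffer is all zero; the interesting part is the 8x4x3 box on a
 * multisampled array resource (see issue #250 above). */
static void test_vrend_3d_resource_overflow(void)
{
   struct virgl_renderer_resource_create_args resource = {
      .handle = 0x4c474572,
      .target = PIPE_TEXTURE_2D_ARRAY,
      .format = VIRGL_FORMAT_Z24X8_UNORM,
      .bind = VIRGL_BIND_SAMPLER_VIEW,
      .width = 8,
      .height = 4,
      .depth = 1,
      .array_size = 3,
      .last_level = 0,
      .nr_samples = 2,
      .flags = 0,
   };
   virgl_renderer_resource_create(&resource, NULL, 0);
   virgl_renderer_ctx_attach_resource(ctx_id, resource.handle);

   uint32_t size = 0x400;
   uint32_t cmd[size];
   uint32_t i = 0;
   cmd[i++] = (size - 1) << 16 | 0 << 8 | VIRGL_CCMD_RESOURCE_INLINE_WRITE;
   cmd[i++] = resource.handle;
   cmd[i++] = 0; // level
   cmd[i++] = 0; // usage
   cmd[i++] = 0; // stride
   cmd[i++] = 0; // layer_stride
   cmd[i++] = 0; // x
   cmd[i++] = 0; // y
   cmd[i++] = 0; // z
   cmd[i++] = 8; // w
   cmd[i++] = 4; // h
   cmd[i++] = 3; // d
   /* size and i count dwords but memset counts bytes; scale by the element
    * size so the entire payload is zeroed rather than only the first
    * quarter, leaving the rest as uninitialized stack. */
   memset(&cmd[i], 0, (size - i) * sizeof(cmd[0]));

   virgl_renderer_submit_cmd((void *) cmd, ctx_id, size);
}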
1013
1014
/* Runs every regression test once, in the order below, against a single
 * renderer context, then tears the renderer and EGL state down. Order is
 * preserved because the tests share resource handles (e.g. 1, 8, 10). */
int main()
{
   static void (*const tests[])(void) = {
      test_format_wrong_size,
      test_format_fail_and_double_free,
      test_blit_info_format_check,
      test_blit_info_format_check_null_format,
      test_format_is_plain_nullptr_deref_trigger,
      test_format_util_format_is_rgb_nullptr_deref_trigger_illegal_resource,
      test_format_util_format_is_rgb_nullptr_deref_trigger,
      test_double_free_in_vrend_renderer_blit_int_trigger_invalid_formats,
      test_double_free_in_vrend_renderer_blit_int_trigger,
      test_format_is_has_alpha_nullptr_deref_trigger_original,
      test_format_is_has_alpha_nullptr_deref_trigger_legal_resource,
      test_heap_overflow_vrend_renderer_transfer_write_iov,
      test_heap_overflow_vrend_renderer_transfer_write_iov_compressed_tex,
      test_cs_nullpointer_deference,
      test_vrend_set_signle_abo_heap_overflow,
      test_vrend_set_shader_images_overflow,
      test_vrend_3d_resource_overflow,
   };

   initialize_environment();

   for (size_t k = 0; k < sizeof tests / sizeof tests[0]; k++)
      tests[k]();

   virgl_renderer_context_destroy(ctx_id);
   virgl_renderer_cleanup(&cookie);
   virgl_egl_destroy(test_egl);

   return 0;
}
1046