1 /**************************************************************************
2 *
3 * Copyright (C) 2019 Collabora Ltd
4 *
5 * Permission is hereby granted, free of charge, to any person obtaining a
6 * copy of this software and associated documentation files (the "Software"),
7 * to deal in the Software without restriction, including without limitation
8 * the rights to use, copy, modify, merge, publish, distribute, sublicense,
9 * and/or sell copies of the Software, and to permit persons to whom the
10 * Software is furnished to do so, subject to the following conditions:
11 *
12 * The above copyright notice and this permission notice shall be included
13 * in all copies or substantial portions of the Software.
14 *
15 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
16 * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
18 * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR
19 * OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
20 * ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
21 * OTHER DEALINGS IN THE SOFTWARE.
22 *
23 **************************************************************************/
24
/*
 * This file contains tests that trigger bugs revealed by fuzzing.
 * Thanks to Matthew Shao for reporting these.
 */
29
30 #include <stdint.h>
31 #include <stddef.h>
32 #include <sys/uio.h>
33 #include <assert.h>
34 #include <unistd.h>
35 #include <stdlib.h>
36 #include <string.h>
37
38 #include "virgl_hw.h"
39 #include "virgl_egl.h"
40 #include "virglrenderer.h"
41 #include "virgl_protocol.h"
42 #include "os/os_misc.h"
43 #include <epoxy/egl.h>
44
45
/* Opaque cookie handed to virgl_renderer_init() and virgl_renderer_cleanup().
 * The renderer only passes its address back to the callbacks below, all of
 * which mark the cookie parameter UNUSED. */
struct fuzzer_cookie
{
   int dummy; /* placeholder member; nothing in this file reads it */
};
50
static struct fuzzer_cookie cookie;   /* passed to virgl_renderer_init()/cleanup() */
static const uint32_t ctx_id = 1;     /* the single renderer context every test submits to */
static struct virgl_egl *test_egl;    /* EGL state created in initialize_environment() and
                                       * shared by the GL-context callbacks */
54
/* write_fence callback: this harness does not track fences, so the
 * notification is simply dropped. */
static void fuzzer_write_fence(UNUSED void *opaque, UNUSED uint32_t fence)
{
}
56
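/*
 * create_gl_context callback: creates an EGL context on the harness' shared
 * test_egl instance.  Only the GL version requested by the renderer is
 * forwarded; the context is never marked as shared.
 *
 * Returns the value of virgl_egl_create_context() unchanged, including its
 * failure value.
 */
static virgl_renderer_gl_context
fuzzer_create_gl_context(UNUSED void *cookie, UNUSED int scanout_idx,
                         struct virgl_renderer_gl_ctx_param *param)
{
   /* Designated initializer so every member of virgl_gl_ctx_param that this
    * harness does not set explicitly is zero instead of stack garbage. */
   struct virgl_gl_ctx_param vparams = {
      .shared = false,
      .major_ver = param->major_ver,
      .minor_ver = param->minor_ver,
   };
   return virgl_egl_create_context(test_egl, &vparams);
}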
67
/* destroy_gl_context callback: releases a context that
 * fuzzer_create_gl_context() produced, through the same EGL instance. */
static void fuzzer_destory_gl_context(UNUSED void *cookie, virgl_renderer_gl_context ctx)
{
   struct virgl_egl *egl = test_egl;

   virgl_egl_destroy_context(egl, ctx);
}
72
/* make_current callback: binds ctx on the harness' EGL instance and
 * forwards virgl_egl_make_context_current()'s status to the renderer. */
static int fuzzer_make_current(UNUSED void *cookie, UNUSED int scanout_idx,
                               virgl_renderer_gl_context ctx)
{
   int status = virgl_egl_make_context_current(test_egl, ctx);

   return status;
}
78
79
/* Callback table given to virgl_renderer_init().  Only the GL-context
 * management entry points and the (no-op) fence callback are provided. */
static struct virgl_renderer_callbacks fuzzer_cbs = {
   .version = 1,
   .write_fence = fuzzer_write_fence,
   .create_gl_context = fuzzer_create_gl_context,
   .destroy_gl_context = fuzzer_destory_gl_context,
   .make_current = fuzzer_make_current,
};
87
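/*
 * Bring up the renderer the tests drive: select a software GL stack through
 * the environment, initialise EGL, initialise the renderer with the harness
 * callbacks, and create the single context (ctx_id) every test submits to.
 *
 * Each step is checked with assert(); running the reproducers against a
 * half-initialised renderer would only yield unrelated crashes.  The calls
 * themselves stay outside assert() so they are still made under NDEBUG.
 */
static void initialize_environment(void)
{
   /* Last argument 0: do not override a value the caller already exported. */
   setenv("LIBGL_ALWAYS_SOFTWARE", "true", 0);
   setenv("GALLIUM_DRIVER", "softpipe", 0);
   test_egl = virgl_egl_init(NULL, true, true);
   assert(test_egl);

   int ret = virgl_renderer_init(&cookie, VIRGL_RENDERER_USE_GLES|
                                 VIRGL_RENDERER_USE_SURFACELESS, &fuzzer_cbs);
   assert(ret == 0);

   const char *name = "fuzzctx";
   ret = virgl_renderer_context_create(ctx_id, (unsigned)strlen(name), name);
   assert(ret == 0);
   (void)ret; /* silence -Wunused-but-set-variable under NDEBUG */
}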
101
/*
 * Regression test, named for a "format of wrong size" bug: creates a 2x0x0
 * resource of format 10 and then blits it onto itself with a destination
 * format word (0x1000029) that is not the resource's format.  Nothing is
 * asserted; the bug surfaced as a crash inside virgl_renderer_submit_cmd().
 */
static void test_format_wrong_size()
{
   struct virgl_renderer_resource_create_args args = {
      .handle = 10,
      .target = 3,
      .format = 10,
      .bind = 10,
      .width = 2,
      .height = 0,
      .depth = 0,
      .array_size = 0,
      .last_level = 0,
      .nr_samples = 0,
      .flags = 0,
   };
   virgl_renderer_resource_create(&args, NULL, 0);
   virgl_renderer_ctx_attach_resource(ctx_id, args.handle);

   /* One header word followed by the VIRGL_CMD_BLIT_SIZE blit words. */
   uint32_t cmd[VIRGL_CMD_BLIT_SIZE + 1] = {
      VIRGL_CMD_BLIT_SIZE << 16 | 0 << 8 | VIRGL_CCMD_BLIT,
      0x8000001,  /* s0 */
      0,          /* minxy */
      0,          /* maxxy */
      10,         /* dhandle */
      0,          /* dlevel */
      0x1000029,  /* dformat */
      0, 0, 0,    /* dx, dy, dz */
      0, 0, 0,    /* dw, dh, dd */
      10,         /* shandle */
      0,          /* slevel */
      0,          /* sformat */
      0, 0, 0,    /* sx, sy, sz */
      0, 0, 0,    /* sw, sh, sd */
   };

   virgl_renderer_submit_cmd((void *) cmd, ctx_id, VIRGL_CMD_BLIT_SIZE + 1);
}
148
/*
 * Regression test, named for a failed resource creation that led to a double
 * free: only creates and attaches a 49x0x0 resource of format 191.  No
 * command stream is submitted; the creation path itself is what is exercised.
 */
static void test_format_fail_and_double_free()
{
   struct virgl_renderer_resource_create_args args = {
      .handle = 1,
      .target = 3,
      .format = 191,
      .bind = 10,
      .width = 49,
      .height = 0,
      .depth = 0,
      .array_size = 0,
      .last_level = 0,
      .nr_samples = 0,
      .flags = 0,
   };

   virgl_renderer_resource_create(&args, NULL, 0);
   virgl_renderer_ctx_attach_resource(ctx_id, args.handle);
}
168
169
170
171
/*
 * Issue #141: self-blit of a 2x1x1 resource of format 10 where the source
 * format word (10) matches the resource but the destination format word
 * (0x1000029) does not.  Exercises the blit-info format check; nothing is
 * asserted.
 */
static void test_blit_info_format_check()
{
   struct virgl_renderer_resource_create_args args = {
      .handle = 10,
      .target = 3,
      .format = 10,
      .bind = 10,
      .width = 2,
      .height = 1,
      .depth = 1,
      .array_size = 0,
      .last_level = 0,
      .nr_samples = 0,
      .flags = 0,
   };
   virgl_renderer_resource_create(&args, NULL, 0);
   virgl_renderer_ctx_attach_resource(ctx_id, args.handle);

   /* One header word followed by the VIRGL_CMD_BLIT_SIZE blit words. */
   uint32_t cmd[VIRGL_CMD_BLIT_SIZE + 1] = {
      VIRGL_CMD_BLIT_SIZE << 16 | 0 << 8 | VIRGL_CCMD_BLIT,
      0x8000001,  /* s0 */
      0,          /* minxy */
      0,          /* maxxy */
      10,         /* dhandle */
      0,          /* dlevel */
      0x1000029,  /* dformat */
      0, 0, 0,    /* dx, dy, dz */
      0, 0, 0,    /* dw, dh, dd */
      10,         /* shandle */
      0,          /* slevel */
      10,         /* sformat */
      0, 0, 0,    /* sx, sy, sz */
      0, 0, 0,    /* sw, sh, sd */
   };

   virgl_renderer_submit_cmd((void *) cmd, ctx_id, VIRGL_CMD_BLIT_SIZE + 1);
}
219
/*
 * Variant of test_blit_info_format_check(): same 2x1x1 resource of format
 * 10, but the blit carries destination format word 1 and source format
 * word 0, neither of which is the resource's format.  Nothing is asserted.
 */
static void test_blit_info_format_check_null_format()
{
   struct virgl_renderer_resource_create_args args = {
      .handle = 10,
      .target = 3,
      .format = 10,
      .bind = 10,
      .width = 2,
      .height = 1,
      .depth = 1,
      .array_size = 0,
      .last_level = 0,
      .nr_samples = 0,
      .flags = 0,
   };
   virgl_renderer_resource_create(&args, NULL, 0);
   virgl_renderer_ctx_attach_resource(ctx_id, args.handle);

   /* One header word followed by the VIRGL_CMD_BLIT_SIZE blit words. */
   uint32_t cmd[VIRGL_CMD_BLIT_SIZE + 1] = {
      VIRGL_CMD_BLIT_SIZE << 16 | 0 << 8 | VIRGL_CCMD_BLIT,
      0x8000001,  /* s0 */
      0,          /* minxy */
      0,          /* maxxy */
      10,         /* dhandle */
      0,          /* dlevel */
      1,          /* dformat */
      0, 0, 0,    /* dx, dy, dz */
      0, 0, 0,    /* dw, dh, dd */
      10,         /* shandle */
      0,          /* slevel */
      0,          /* sformat */
      0, 0, 0,    /* sx, sy, sz */
      0, 0, 0,    /* sw, sh, sd */
   };

   virgl_renderer_submit_cmd((void *) cmd, ctx_id, VIRGL_CMD_BLIT_SIZE + 1);
}
266
/*
 * #142: creates a target-0 resource of format 126 (10x10x10) and blits it
 * onto itself with destination format word 445382656, dx 3 and sh 3.
 * Named for the NULL dereference in the "format is plain" check that this
 * command stream triggered; nothing is asserted.
 */
static void test_format_is_plain_nullptr_deref_trigger()
{
   struct virgl_renderer_resource_create_args args = {
      .handle = 10,
      .target = 0,
      .format = 126,
      .bind = 2,
      .width = 10,
      .height = 10,
      .depth = 10,
      .array_size = 0,
      .last_level = 0,
      .nr_samples = 0,
      .flags = 0,
   };
   virgl_renderer_resource_create(&args, NULL, 0);
   virgl_renderer_ctx_attach_resource(ctx_id, args.handle);

   /* One header word followed by the VIRGL_CMD_BLIT_SIZE blit words. */
   uint32_t cmd[VIRGL_CMD_BLIT_SIZE + 1] = {
      VIRGL_CMD_BLIT_SIZE << 16 | 0 << 8 | VIRGL_CCMD_BLIT,
      0,          /* s0 */
      0,          /* minxy */
      0,          /* maxxy */
      10,         /* dhandle */
      0,          /* dlevel */
      445382656,  /* dformat */
      3, 0, 0,    /* dx, dy, dz */
      0, 0, 0,    /* dw, dh, dd */
      10,         /* shandle */
      0,          /* slevel */
      126,        /* sformat */
      0, 0, 0,    /* sx, sy, sz */
      0, 3, 0,    /* sw, sh, sd */
   };

   virgl_renderer_submit_cmd((void *) cmd, ctx_id, VIRGL_CMD_BLIT_SIZE + 1);
}
314
/*
 * Issue #143: a sampler view (handle 35, view format 3107) is created on a
 * resource that was requested with target 0 and 2x0x0 dimensions, i.e. a
 * resource the renderer may well have refused to create.  Named for the
 * NULL dereference in the util_format_is_rgb path; nothing is asserted.
 */
static void test_format_util_format_is_rgb_nullptr_deref_trigger_illegal_resource()
{
   struct virgl_renderer_resource_create_args args = {
      .handle = 8,
      .target = 0,
      .format = 109,
      .bind = 8,
      .width = 2,
      .height = 0,
      .depth = 0,
      .array_size = 0,
      .last_level = 0,
      .nr_samples = 0,
      .flags = 0,
   };
   virgl_renderer_resource_create(&args, NULL, 0);
   virgl_renderer_ctx_attach_resource(ctx_id, args.handle);

   /* One header word followed by the VIRGL_OBJ_SAMPLER_VIEW_SIZE words. */
   uint32_t cmd[VIRGL_OBJ_SAMPLER_VIEW_SIZE + 1] = {
      VIRGL_OBJ_SAMPLER_VIEW_SIZE << 16 | VIRGL_OBJECT_SAMPLER_VIEW << 8 | VIRGL_CCMD_CREATE_OBJECT,
      35,    /* handle */
      8,     /* res_handle */
      3107,  /* format */
      0,     /* first element */
      0,     /* last element */
      0,     /* swizzle */
   };

   virgl_renderer_submit_cmd((void *) cmd, ctx_id, VIRGL_OBJ_SAMPLER_VIEW_SIZE + 1);
}
347
/*
 * Companion to the _illegal_resource variant above: the same sampler view
 * (handle 35, view format 3107) on a 2x2x0 target-1 resource of format 109.
 * Nothing is asserted.
 */
static void test_format_util_format_is_rgb_nullptr_deref_trigger()
{
   struct virgl_renderer_resource_create_args args = {
      .handle = 8,
      .target = 1,
      .format = 109,
      .bind = 8,
      .width = 2,
      .height = 2,
      .depth = 0,
      .array_size = 0,
      .last_level = 0,
      .nr_samples = 0,
      .flags = 0,
   };
   virgl_renderer_resource_create(&args, NULL, 0);
   virgl_renderer_ctx_attach_resource(ctx_id, args.handle);

   /* One header word followed by the VIRGL_OBJ_SAMPLER_VIEW_SIZE words. */
   uint32_t cmd[VIRGL_OBJ_SAMPLER_VIEW_SIZE + 1] = {
      VIRGL_OBJ_SAMPLER_VIEW_SIZE << 16 | VIRGL_OBJECT_SAMPLER_VIEW << 8 | VIRGL_CCMD_CREATE_OBJECT,
      35,    /* handle */
      8,     /* res_handle */
      3107,  /* format */
      0,     /* first element */
      0,     /* last element */
      0,     /* swizzle */
   };

   virgl_renderer_submit_cmd((void *) cmd, ctx_id, VIRGL_OBJ_SAMPLER_VIEW_SIZE + 1);
}
379
/*
 * Test as reported in #139: three resource creations, the first and third of
 * which both use handle 1, followed by a BLIT from handle 1 to handle 6 with
 * both format words 0 and a source z offset of 268435456.  Named for the
 * double free in vrend_renderer_blit_int that the reproducer triggered;
 * nothing is asserted.
 */
static void test_double_free_in_vrend_renderer_blit_int_trigger_invalid_formats()
{
   static const struct virgl_renderer_resource_create_args resources[] = {
      { .handle = 1, .target = 0, .format = 262144, .bind = 131072,
        .width = 1, .height = 1, .depth = 1, .array_size = 0,
        .last_level = 0, .nr_samples = 0, .flags = 0 },
      { .handle = 6, .target = 4, .format = 1, .bind = 2,
        .width = 2, .height = 0, .depth = 1, .array_size = 6,
        .last_level = 2, .nr_samples = 0, .flags = 0 },
      { .handle = 1, .target = 7, .format = 237, .bind = 1,
        .width = 6, .height = 0, .depth = 1, .array_size = 0,
        .last_level = 0, .nr_samples = 6, .flags = 0 },
   };

   /* Create and attach in table order.  The API takes a writable pointer,
    * so each entry is copied before the call. */
   for (size_t k = 0; k < sizeof resources / sizeof resources[0]; k++) {
      struct virgl_renderer_resource_create_args args = resources[k];
      virgl_renderer_resource_create(&args, NULL, 0);
      virgl_renderer_ctx_attach_resource(ctx_id, args.handle);
   }

   /* One header word followed by the VIRGL_CMD_BLIT_SIZE blit words. */
   uint32_t cmd[VIRGL_CMD_BLIT_SIZE + 1] = {
      VIRGL_CMD_BLIT_SIZE << 16 | 0 << 8 | VIRGL_CCMD_BLIT,
      17113104,          /* s0 */
      1,                 /* minxy */
      36,                /* maxxy */
      6,                 /* dhandle */
      0,                 /* dlevel */
      0,                 /* dformat */
      0, 0, 0,           /* dx, dy, dz */
      6, 0, 0,           /* dw, dh, dd */
      1,                 /* shandle */
      0,                 /* slevel */
      0,                 /* sformat */
      0, 0, 268435456,   /* sx, sy, sz */
      0, 0, 0,           /* sw, sh, sd */
   };

   virgl_renderer_submit_cmd((void *) cmd, ctx_id, VIRGL_CMD_BLIT_SIZE + 1);
}
457
/*
 * Companion to the _invalid_formats variant above, using real format and
 * bind values: two VIRGL_FORMAT_Z32_UNORM sampler-view resources (handles 1
 * and 6, the first multisampled), handle 1 then re-created as a target-7
 * resource, and finally a Z32_UNORM blit from handle 1 into handle 6.
 * Nothing is asserted.
 */
static void test_double_free_in_vrend_renderer_blit_int_trigger()
{
   static const struct virgl_renderer_resource_create_args resources[] = {
      { .handle = 1, .target = 2, .format = VIRGL_FORMAT_Z32_UNORM,
        .bind = VIRGL_BIND_SAMPLER_VIEW, .width = 2, .height = 2, .depth = 1,
        .array_size = 0, .last_level = 0, .nr_samples = 1, .flags = 0 },
      { .handle = 6, .target = 2, .format = VIRGL_FORMAT_Z32_UNORM,
        .bind = VIRGL_BIND_SAMPLER_VIEW, .width = 2, .height = 2, .depth = 1,
        .array_size = 0, .last_level = 0, .nr_samples = 0, .flags = 0 },
      { .handle = 1, .target = 7, .format = VIRGL_FORMAT_Z32_UNORM,
        .bind = 1, .width = 6, .height = 1, .depth = 1,
        .array_size = 2, .last_level = 0, .nr_samples = 0, .flags = 0 },
   };

   /* Create and attach in table order.  The API takes a writable pointer,
    * so each entry is copied before the call. */
   for (size_t k = 0; k < sizeof resources / sizeof resources[0]; k++) {
      struct virgl_renderer_resource_create_args args = resources[k];
      virgl_renderer_resource_create(&args, NULL, 0);
      virgl_renderer_ctx_attach_resource(ctx_id, args.handle);
   }

   /* One header word followed by the VIRGL_CMD_BLIT_SIZE blit words. */
   uint32_t cmd[VIRGL_CMD_BLIT_SIZE + 1] = {
      VIRGL_CMD_BLIT_SIZE << 16 | 0 << 8 | VIRGL_CCMD_BLIT,
      0x30,                     /* s0 */
      1,                        /* minxy */
      36,                       /* maxxy */
      6,                        /* dhandle */
      0,                        /* dlevel */
      VIRGL_FORMAT_Z32_UNORM,   /* dformat */
      0, 0, 0,                  /* dx, dy, dz */
      6, 1, 1,                  /* dw, dh, dd */
      1,                        /* shandle */
      0,                        /* slevel */
      VIRGL_FORMAT_Z32_UNORM,   /* sformat */
      0, 0, 0,                  /* sx, sy, sz */
      1, 2, 1,                  /* sw, sh, sd */
   };

   virgl_renderer_submit_cmd((void *) cmd, ctx_id, VIRGL_CMD_BLIT_SIZE + 1);
}
534
535
/*
 * Original reproducer for the NULL dereference in the "format has alpha"
 * check: a sampler view (handle 35, view format 524288, swizzle 10) is
 * created on a zero-width target-0 resource (0x45x35, format 10).  Nothing
 * is asserted.
 */
static void test_format_is_has_alpha_nullptr_deref_trigger_original()
{
   struct virgl_renderer_resource_create_args args = {
      .handle = 8,
      .target = 0,
      .format = 10,
      .bind = 8,
      .width = 0,
      .height = 45,
      .depth = 35,
      .array_size = 0,
      .last_level = 0,
      .nr_samples = 0,
      .flags = 0,
   };
   virgl_renderer_resource_create(&args, NULL, 0);
   virgl_renderer_ctx_attach_resource(ctx_id, args.handle);

   /* One header word followed by the VIRGL_OBJ_SAMPLER_VIEW_SIZE words. */
   uint32_t cmd[VIRGL_OBJ_SAMPLER_VIEW_SIZE + 1] = {
      VIRGL_OBJ_SAMPLER_VIEW_SIZE << 16 | VIRGL_OBJECT_SAMPLER_VIEW << 8 | VIRGL_CCMD_CREATE_OBJECT,
      35,      /* handle */
      8,       /* res_handle */
      524288,  /* format */
      0,       /* first_ele */
      0,       /* last_ele */
      10,      /* swizzle */
   };

   virgl_renderer_submit_cmd((void *) cmd, ctx_id, VIRGL_OBJ_SAMPLER_VIEW_SIZE + 1);
}
566
567
/*
 * Same sampler-view command as the _original variant above (handle 35, view
 * format 524288, swizzle 10), but issued on a well-formed 10x45x1 target-2
 * resource so the view creation itself, not the resource, is what is
 * exercised.  Nothing is asserted.
 */
static void test_format_is_has_alpha_nullptr_deref_trigger_legal_resource()
{
   struct virgl_renderer_resource_create_args args = {
      .handle = 8,
      .target = 2,
      .format = 10,
      .bind = 8,
      .width = 10,
      .height = 45,
      .depth = 1,
      .array_size = 0,
      .last_level = 0,
      .nr_samples = 0,
      .flags = 0,
   };
   virgl_renderer_resource_create(&args, NULL, 0);
   virgl_renderer_ctx_attach_resource(ctx_id, args.handle);

   /* One header word followed by the VIRGL_OBJ_SAMPLER_VIEW_SIZE words. */
   uint32_t cmd[VIRGL_OBJ_SAMPLER_VIEW_SIZE + 1] = {
      VIRGL_OBJ_SAMPLER_VIEW_SIZE << 16 | VIRGL_OBJECT_SAMPLER_VIEW << 8 | VIRGL_CCMD_CREATE_OBJECT,
      35,      /* handle */
      8,       /* res_handle */
      524288,  /* format */
      0,       /* first_ele */
      0,       /* last_ele */
      10,      /* swizzle */
   };

   virgl_renderer_submit_cmd((void *) cmd, ctx_id, VIRGL_OBJ_SAMPLER_VIEW_SIZE + 1);
}
598
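/*
 * Regression test for the heap overflow named in the title
 * (vrend_renderer_transfer_write_iov): a zero-width resource is created and
 * then targeted by a RESOURCE_INLINE_WRITE whose transfer width is
 * 0x80000000, a transfer the renderer is expected to reject rather than
 * size a copy from.  Nothing is asserted about the outcome; the failure
 * mode guarded against is a crash or sanitizer report in submit_cmd.
 *
 * The command's word counts are named constants so the header's length
 * field, the array size and the payload size cannot drift apart.
 */
static void test_heap_overflow_vrend_renderer_transfer_write_iov(void)
{
   struct virgl_renderer_resource_create_args args = {
      .handle = 4,
      .target = 0,
      .format = 4,
      .bind = 131072,
      .width = 0,
      .height = 1,
      .depth = 1,
      .array_size = 0,
      .last_level = 0,
      .nr_samples = 0,
      .flags = 0,
   };
   virgl_renderer_resource_create(&args, NULL, 0);
   virgl_renderer_ctx_attach_resource(ctx_id, args.handle);

   /* Layout: one header word, IW_PARAM_WORDS transfer parameters, then
    * IW_DATA_WORDS words of inline payload. */
   enum {
      IW_PARAM_WORDS = 11,
      IW_DATA_WORDS = 4,
      IW_DATA_BYTES = IW_DATA_WORDS * (int)sizeof(uint32_t),
      IW_TOTAL_WORDS = 1 + IW_PARAM_WORDS + IW_DATA_WORDS,
   };
   uint32_t cmd[IW_TOTAL_WORDS];

   int i = 0;
   cmd[i++] = (IW_PARAM_WORDS + IW_DATA_WORDS) << 16 | 0 << 8 | VIRGL_CCMD_RESOURCE_INLINE_WRITE;
   cmd[i++] = 4;          // handle
   cmd[i++] = 0;          // level
   cmd[i++] = 0;          // usage
   cmd[i++] = 0;          // stride
   cmd[i++] = 0;          // layer_stride
   cmd[i++] = 0;          // x
   cmd[i++] = 0;          // y
   cmd[i++] = 0;          // z
   cmd[i++] = 0x80000000; // w: far wider than the zero-width resource
   cmd[i++] = 0;          // h
   cmd[i++] = 0;          // d
   assert(i == 1 + IW_PARAM_WORDS);

   /* Payload content is irrelevant; only its size matters. */
   memset(&cmd[i], 'A', IW_DATA_BYTES);

   virgl_renderer_submit_cmd((void *) cmd, ctx_id, IW_TOTAL_WORDS);
}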
638
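/*
 * Compressed-texture variant of the vrend_renderer_transfer_write_iov heap
 * overflow reproducer: a 100x1x1 target-5 resource of format 203 (flags 1)
 * receives a RESOURCE_INLINE_WRITE of a 5x1 box at x offset 1 with stride
 * 135168 and layer_stride 655361, far beyond the 16 payload bytes supplied.
 * Nothing is asserted about the outcome; the failure mode guarded against
 * is a crash or sanitizer report in submit_cmd.
 *
 * The command's word counts are named constants so the header's length
 * field, the array size and the payload size cannot drift apart.
 */
static void test_heap_overflow_vrend_renderer_transfer_write_iov_compressed_tex(void)
{
   struct virgl_renderer_resource_create_args args = {
      .handle = 1,
      .target = 5,
      .format = 203,
      .bind = 1,
      .width = 100,
      .height = 1,
      .depth = 1,
      .array_size = 0,
      .last_level = 0,
      .nr_samples = 0,
      .flags = 1,
   };
   virgl_renderer_resource_create(&args, NULL, 0);
   virgl_renderer_ctx_attach_resource(ctx_id, args.handle);

   /* Layout: one header word, IW_PARAM_WORDS transfer parameters, then
    * IW_DATA_WORDS words of inline payload. */
   enum {
      IW_PARAM_WORDS = 11,
      IW_DATA_WORDS = 4,
      IW_DATA_BYTES = IW_DATA_WORDS * (int)sizeof(uint32_t),
      IW_TOTAL_WORDS = 1 + IW_PARAM_WORDS + IW_DATA_WORDS,
   };
   uint32_t cmd[IW_TOTAL_WORDS];

   int i = 0;
   cmd[i++] = (IW_PARAM_WORDS + IW_DATA_WORDS) << 16 | 0 << 8 | VIRGL_CCMD_RESOURCE_INLINE_WRITE;
   cmd[i++] = 1;      // handle
   cmd[i++] = 0;      // level
   cmd[i++] = 0;      // usage
   cmd[i++] = 135168; // stride
   cmd[i++] = 655361; // layer_stride
   cmd[i++] = 1;      // x
   cmd[i++] = 0;      // y
   cmd[i++] = 0;      // z
   cmd[i++] = 5;      // w
   cmd[i++] = 1;      // h
   cmd[i++] = 0;      // d
   assert(i == 1 + IW_PARAM_WORDS);

   /* Payload content is irrelevant; only its size matters. */
   memset(&cmd[i], 'A', IW_DATA_BYTES);

   virgl_renderer_submit_cmd((void *) cmd, ctx_id, IW_TOTAL_WORDS);
}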
678
679
/*
 * Regression test named for a NULL dereference in the command-stream path:
 * a resource is created from fuzzer-chosen arguments (note the repeated
 * 0x19191919 fill pattern), then a nine-word raw command stream is
 * submitted as captured.  The words are not decoded here; they are the
 * reproducer verbatim.  Nothing is asserted.
 */
static void test_cs_nullpointer_deference()
{
   struct virgl_renderer_resource_create_args args = {
      .handle = 0x6e735f72,
      .target = 2,
      .format = 0x101,
      .bind = 0x19191919,
      .width = 0x19191919,
      .height = 0x19191919,
      .depth = 0x411959,
      .array_size = 0,
      .last_level = 0x19190000,
      .nr_samples = 0,
      .flags = 0x31313100,
   };

   virgl_renderer_resource_create(&args, NULL, 0);
   virgl_renderer_ctx_attach_resource(ctx_id, args.handle);

   uint32_t cmd[9] = {
      0x0083925,
      0x00313131,
      0,
      0,
      0,
      0x25313131,
      0x39,
      0x0001370b,
      0x00340000,
   };

   virgl_renderer_submit_cmd((void *) cmd, ctx_id, 9);
}
713
/*
 * Regression test named for a heap overflow in vrend_set_single_abo: a
 * resource is created from fuzzer-chosen arguments (0xbbbbbbbb / 0x19191919
 * fill patterns) and a 0xde-word raw command stream is submitted exactly as
 * captured.  The words are the reproducer verbatim and are not meant to be
 * read as individual commands.  Nothing is asserted.
 */
static void test_vrend_set_signle_abo_heap_overflow() {
   struct virgl_renderer_resource_create_args args = {
      .handle = 0x4c474572,
      .target = 0,
      .format = 0x43,
      .bind = 0x80000,
      .width = 0x5f5f616d,
      .height = 0x69667562,
      .depth = 0x726f706d,
      .array_size = 0xbbbbbb74,
      .last_level = 0xbbbbbbbb,
      .nr_samples = 0xbbbbbbbb,
      .flags = 0xff,
   };

   virgl_renderer_resource_create(&args, NULL, 0);
   virgl_renderer_ctx_attach_resource(ctx_id, args.handle);

   /* Exactly 0xde words: the initializer is the full stream, in order. */
   uint32_t cmd[0xde] = {
      0x000e1919,
      0x00003f00,
      0xc7cf3000,
      0x00083907,
      0x6e73735f,
      0x32323232,
      0x19312161,
      0x19191919,
      0x19191919,
      0x19191919,
      0xffbe1959,
      0xbbbbbbff,
      0xbbbbbb29,
      0xbbbbbbbb,
      0x000000ff,
      0x000e1928,
      0x00000000,
      0x4111d000,
      0xfe010000,
      0x00000172,
      0x32323200,
      0xe6cedea2,
      0xe6e6e6e6,
      0x19191919,
      0x19191919,
      0xffbe1959,
      0xbbbbbbff,
      0xbbbbbbbb,
      0xbbbbbbbb,
      0x000000ff,
      0x000e1919,
      0x00000000,
      0xc7cfa400,
      0x00083907,
      0x6e73735f,
      0x32323232,
      0x19312161,
      0x19191919,
      0x19191919,
      0x19191919,
      0x00000159,
      0xbbbbbb00,
      0xbbbbbbbb,
      0xbbbbbbbb,
      0x000000ff,
      0x006e1928,
      0x00000000,
      0xbeee3000,
      0xe6e6ffff,
      0x19e6e6e6,
      0x19191919,
      0x59191919,
      0xffffbe19,
      0xbbbbbbbb,
      0xbbbbbbbb,
      0xffbbbbbb,
      0x19000000,
      0x00000e19,
      0x00000000,
      0x07c7cfa4,
      0x5f000839,
      0x326e7373,
      0x00390732,
      0x00000000,
      0x4111d000,
      0xfe010000,
      0x00000172,
      0x32323200,
      0xe6cedea2,
      0xe6e6e6e6,
      0x19191919,
      0x19191919,
      0xffbe1959,
      0xbbbbbbff,
      0xbbbbbbbb,
      0xbbbbbbbb,
      0x000000ff,
      0x000e1919,
      0x00000000,
      0xc7cfa400,
      0x00083907,
      0x6e73735f,
      0x32323232,
      0x19312161,
      0x19191919,
      0x19191919,
      0x19191919,
      0x00000159,
      0xbbbbbb00,
      0xbbbbbbbb,
      0xbbbbbbbb,
      0x000000ff,
      0x002e1928,
      0x00000000,
      0xbeee3000,
      0xe6e6ffff,
      0x19e6e6e6,
      0x19191919,
      0x59191919,
      0xffffbe19,
      0xbbbbbbbb,
      0xbbbbbbbb,
      0xffbbbbbb,
      0x19000000,
      0x00000a19,
      0x00000000,
      0x07c7cfa4,
      0x5f000839,
      0x326e7373,
      0x08390732,
      0x73735f00,
      0x3232326e,
      0x31216132,
      0x19191919,
      0x19191919,
      0x19191919,
      0x00015919,
      0xbbbb0000,
      0xbbbbbbbb,
      0x00bbbbbb,
      0x00000000,
      0x00000000,
      0x00000000,
      0x00000000,
      0x00000000,
      0x00000000,
      0x00000000,
      0x00000000,
      0x00000000,
      0x00000000,
      0x00000000,
      0x00000000,
      0x00000000,
      0x00000000,
      0x00000000,
      0x00000000,
      0x00000000,
      0xbbbb0000,
      0x000000ff,
      0x002e1928,
      0x00000000,
      0x08ee3000,
      0x73735f00,
      0x3232326e,
      0x31216132,
      0x19191919,
      0x19191919,
      0x19191919,
      0x00015919,
      0xbbbb0000,
      0xbbbbbbbb,
      0x00bbbbbb,
      0x00000000,
      0x00000000,
      0x00000000,
      0x00000000,
      0x00000000,
      0x00000000,
      0x00000000,
      0x00000000,
      0x00000000,
      0x00000000,
      0x00000000,
      0x00000000,
      0x00000000,
      0x00000000,
      0x00000000,
      0x00000000,
      0x00000000,
      0xbbbb0000,
      0x000000ff,
      0x002e1928,
      0x00000000,
      0xbeee3000,
      0xe6e6ffff,
      0x19e6e6e6,
      0x19191919,
      0x59191919,
      0xffffbe19,
      0xbbbbbbbb,
      0xbbbbbbbb,
      0xffbbbbbb,
      0x19000000,
      0x61323219,
      0x19193121,
      0x19191919,
      0x19191919,
      0xbbbbbb19,
      0xbbbbbbbb,
      0xffbbbbbb,
      0x28000000,
      0x00002e19,
      0x00000000,
      0xffbeee30,
      0x00cffeff,
      0x00000000,
      0x00000000,
      0x00000000,
      0x00000000,
      0x00006161,
      0x315d3100,
      0x00000000,
      0x00000000,
      0x00000000,
      0x00000000,
      0x00000000,
      0x00000000,
      0x00000000,
      0x00000000,
      0xbb000000,
      0xbbbbbbbb,
      0x000000ff,
      0x000e1919,
      0x00000000,
      0xc7cfa400,
      0x7865745f,
      0x00000000,
      0x65727574,
      0x0b87765f,
      0x40000137,
      0x00004000,
      0x00340034,
   };

   virgl_renderer_submit_cmd((void *) cmd, ctx_id, 0xde);
}
960
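/*
 * Entry point: initialise the renderer once, run every regression test in
 * sequence against the shared context, then tear everything down.
 *
 * The tests assert nothing themselves; a re-introduced bug shows up as a
 * crash or sanitizer report somewhere in the sequence, so reaching the
 * final return 0 is the pass condition.
 */
int main(void)
{
   initialize_environment();

   /* Format / blit / sampler-view reproducers. */
   test_format_wrong_size();
   test_format_fail_and_double_free();
   test_blit_info_format_check();
   test_blit_info_format_check_null_format();
   test_format_is_plain_nullptr_deref_trigger();
   test_format_util_format_is_rgb_nullptr_deref_trigger_illegal_resource();
   test_format_util_format_is_rgb_nullptr_deref_trigger();
   test_double_free_in_vrend_renderer_blit_int_trigger_invalid_formats();
   test_double_free_in_vrend_renderer_blit_int_trigger();
   test_format_is_has_alpha_nullptr_deref_trigger_original();
   test_format_is_has_alpha_nullptr_deref_trigger_legal_resource();

   /* Inline-write transfer reproducers. */
   test_heap_overflow_vrend_renderer_transfer_write_iov();
   test_heap_overflow_vrend_renderer_transfer_write_iov_compressed_tex();

   /* Raw command-stream reproducers. */
   test_cs_nullpointer_deference();
   test_vrend_set_signle_abo_heap_overflow();

   /* Tear down in reverse order of initialize_environment(). */
   virgl_renderer_context_destroy(ctx_id);
   virgl_renderer_cleanup(&cookie);
   virgl_egl_destroy(test_egl);

   return 0;
}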
990