From dbb887f01381e2529b8f38800845797a5e056b38 Mon Sep 17 00:00:00 2001
From: Janne Grunau
Date: Sat, 29 Jul 2023 19:12:09 +0200
Subject: [PATCH] asahi,agx: Fix stack buffer overflow in agx_link_varyings_vs_fs
Discovered while running dEQP-EGL under address sanitizer.
Fixes: f3877f56ba7 ("asahi,agx: Rewrite varying linking")
Signed-off-by: Janne Grunau
Part-of:
(cherry picked from commit 3f8894b0f7c32856a868e255445610ee82efdf70)
---
 .pick_status.json | 2 +-
 src/gallium/drivers/asahi/agx_state.c | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/.pick_status.json b/.pick_status.json
index cefcafbc67b..b2524ee2d35 100644
--- a/.pick_status.json
+++ b/.pick_status.json
@@ -7774,7 +7774,7 @@
 "description": "asahi,agx: Fix stack buffer overflow in agx_link_varyings_vs_fs",
 "nominated": true,
 "nomination_type": 1,
- "resolution": 0,
+ "resolution": 1,
 "main_sha": null,
 "because_sha": "f3877f56ba7915ee6bc6866c0f4dc21881a3f5fb",
 "notes": null
diff --git a/src/gallium/drivers/asahi/agx_state.c b/src/gallium/drivers/asahi/agx_state.c
index 98d063f836d..bcd3357fccf 100644
--- a/src/gallium/drivers/asahi/agx_state.c
+++ b/src/gallium/drivers/asahi/agx_state.c
@@ -1383,8 +1383,8 @@ agx_link_varyings_vs_fs(struct agx_pool *pool, struct agx_varyings_vs *vs,
 /* I don't understand why the data structures are repeated thrice */
 for (unsigned i = 0; i < 3; ++i) {
- memcpy(((uint8_t *)ptr.cpu) + (i * linkage_size),
- ((uint8_t *)tmp) + (i * linkage_size), linkage_size);
+ memcpy(((uint8_t *)ptr.cpu) + (i * linkage_size), (uint8_t *)tmp,
+ linkage_size);
 }
 return ptr.gpu;
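Review bot: The comment above the loop in agx_state.c still reads "I don't understand why the data structures are repeated thrice" and does not record the size invariant that the old memcpy broke. The new call reads `linkage_size` bytes from the start of `tmp` on every iteration and writes them at `i * linkage_size` in `ptr.cpu`. That implies `tmp` holds a single record and the destination holds three, and the comment should say so, for example `/* tmp holds one linkage record of linkage_size bytes; write it three times back to back into ptr.cpu */`. The allocation behind `ptr` and the declaration of `tmp` are outside the hunk, so it is worth confirming there that the pool allocation is at least `3 * linkage_size` bytes.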