From ea54dea3a4cb137de39768ba9632ae53efc71fe5 Mon Sep 17 00:00:00 2001 From: Patrick Lerda Date: Fri, 9 Feb 2024 12:51:36 +0100 Subject: [PATCH] i915: fix emit_hw_vertex() unbounded memory access This change adds the DRAW_ATTR_NONEXIST functionality which fixes the memory access issue. For instance, this issue is triggered with "piglit/bin/glsl-routing -auto -fbo": ==8384==ERROR: AddressSanitizer: heap-use-after-free on address 0xa11dfd84 at pc 0xae573fbd bp 0xbf87f688 sp 0xbf87f67c READ of size 4 at 0xa11dfd84 thread T0 #0 0xae573fbc in emit_hw_vertex ../src/gallium/drivers/i915/i915_prim_emit.c:92 #1 0xae574ab0 in emit_prim ../src/gallium/drivers/i915/i915_prim_emit.c:154 #2 0xae574ab0 in setup_tri ../src/gallium/drivers/i915/i915_prim_emit.c:160 #3 0xad65d322 in do_triangle ../src/gallium/auxiliary/draw/draw_pipe.c:173 #4 0xad65d322 in pipe_run_linear ../src/gallium/auxiliary/draw/draw_decompose_tmp.h:181 #5 0xad663375 in draw_pipeline_run_linear ../src/gallium/auxiliary/draw/draw_pipe.c:337 #6 0xad86d9ac in pipeline ../src/gallium/auxiliary/draw/draw_pt_fetch_shade_pipeline_llvm.c:476 #7 0xad86d9ac in llvm_pipeline_generic ../src/gallium/auxiliary/draw/draw_pt_fetch_shade_pipeline_llvm.c:701 #8 0xad86ed75 in llvm_middle_end_linear_run ../src/gallium/auxiliary/draw/draw_pt_fetch_shade_pipeline_llvm.c:784 #9 0xad6aaaee in vsplit_segment_simple_linear ../src/gallium/auxiliary/draw/draw_pt_vsplit_tmp.h:223 #10 0xad6aaaee in vsplit_run_linear ../src/gallium/auxiliary/draw/draw_split_tmp.h:64 #11 0xad68a74b in draw_pt_arrays ../src/gallium/auxiliary/draw/draw_pt.c:161 #12 0xad68b7ca in draw_pt_arrays_restart ../src/gallium/auxiliary/draw/draw_pt.c:430 #13 0xad68b7ca in draw_instances ../src/gallium/auxiliary/draw/draw_pt.c:491 #14 0xad68ce0a in draw_vbo ../src/gallium/auxiliary/draw/draw_pt.c:628 #15 0xae5651d4 in i915_draw_vbo ../src/gallium/drivers/i915/i915_context.c:115 #16 0xae5651d4 in i915_draw_vbo ../src/gallium/drivers/i915/i915_context.c:51 #17 0xac7f50d3 in _mesa_draw_arrays ../src/mesa/main/draw.c:1204 Fixes: 247cee92df0e ("i915g: replace "uint" with normal uint32_t.") Signed-off-by: Patrick Lerda Part-of: --- src/gallium/drivers/i915/i915_prim_emit.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/gallium/drivers/i915/i915_prim_emit.c b/src/gallium/drivers/i915/i915_prim_emit.c index 787c38cbd9a..1d704b7c667 100644 --- a/src/gallium/drivers/i915/i915_prim_emit.c +++ b/src/gallium/drivers/i915/i915_prim_emit.c @@ -70,8 +70,10 @@ emit_hw_vertex(struct i915_context *i915, const struct vertex_header *vertex) assert(!i915->dirty); for (i = 0; i < vinfo->num_attribs; i++) { + static const float zeros[4] = {0., 0., 0., 0.}; const uint32_t j = vinfo->attrib[i].src_index; - const float *attrib = vertex->data[j]; + const float *attrib = + likely(j != DRAW_ATTR_NONEXIST) ? vertex->data[j] : zeros; switch (vinfo->attrib[i].emit) { case EMIT_1F: OUT_BATCH(fui(attrib[0]));