Hi Seth Arnold,
> What I'm not sure about is if this is actually a security issue or if this is just a bug -- is there actually a security boundary that is being breached?
I believe that this is a security issue, which causes OOB writing in the vrend_set_single_ssbo():
void vrend_set_single_ssbo(struct vrend_context *ctx,
                           uint32_t shader_type,
                           uint32_t index,
                           uint32_t offset, uint32_t length,
                           uint32_t handle)
{
   /* OOB, index > PIPE_MAX_SHADER_BUFFERS */
   struct vrend_ssbo *ssbo = &ctx->sub->ssbo[shader_type][index];
   struct vrend_resource *res;

   if (!has_feature(ctx, feat_ssbo))
      return;

   if (handle) {
      res = vrend_renderer_ctx_res_lookup(ctx, handle);
      if (!res) {
         report_context_error(ctx, VIRGL_ERROR_CTX_ILLEGAL_RESOURCE, handle);
         return;
      }
      /* OOB writing */
      ssbo->res = res;
      ssbo->buffer_offset = offset;
      ssbo->buffer_size = length;
      ctx->sub->ssbo_used_mask[shader_type] |= (1u << index);
   }
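The following C program is an added illustration of the pattern discussed in the comment above; it is not code from the virglrenderer project or from the reporter. It models a sub-context holding a fixed-size ssbo[shader_type][index] array, shows the unchecked write beside a hardened version that validates both guest-controlled indices before forming an address, and computes the byte offset an out-of-range index would reach so the reader can see it leaves the structure. The struct layout, the array sizes chosen for PIPE_SHADER_TYPES and PIPE_MAX_SHADER_BUFFERS, and the lookup_res() stand-in for the resource lookup are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed sizes for the example; the real values come from the Gallium headers. */
#define PIPE_SHADER_TYPES       6
#define PIPE_MAX_SHADER_BUFFERS 32

struct vrend_resource { uint32_t handle; };

struct vrend_ssbo {
   struct vrend_resource *res;
   uint32_t buffer_offset;
   uint32_t buffer_size;
};

/* Reduced model of the sub-context: the array is guest-indexed, and whatever
 * follows it in memory is what an out-of-range index overwrites. */
struct vrend_sub_context {
   struct vrend_ssbo ssbo[PIPE_SHADER_TYPES][PIPE_MAX_SHADER_BUFFERS];
   uint32_t ssbo_used_mask[PIPE_SHADER_TYPES];
};

/* Stand-in (assumed) for the resource lookup: a single known handle. */
static struct vrend_resource g_res = { .handle = 7 };
static struct vrend_resource *lookup_res(uint32_t handle)
{
   return handle == g_res.handle ? &g_res : NULL;
}

/* Same shape as the reported code: shader_type and index come from the guest
 * command stream and are used to form the element address before any check. */
static void set_ssbo_unchecked(struct vrend_sub_context *sub, uint32_t shader_type,
                               uint32_t index, uint32_t offset, uint32_t length,
                               uint32_t handle)
{
   struct vrend_ssbo *ssbo = &sub->ssbo[shader_type][index];
   struct vrend_resource *res = lookup_res(handle);
   if (!res)
      return;
   ssbo->res = res;
   ssbo->buffer_offset = offset;
   ssbo->buffer_size = length;
   sub->ssbo_used_mask[shader_type] |= (1u << index);
}

/* Predicate the hardened function enforces: both indices inside the array. */
static int ssbo_index_in_bounds(uint32_t shader_type, uint32_t index)
{
   return shader_type < PIPE_SHADER_TYPES && index < PIPE_MAX_SHADER_BUFFERS;
}

/* Hardened form: reject untrusted indices before they become an address or a
 * shift count.  Returns 0 on success and -1 when the request is refused. */
static int set_ssbo_checked(struct vrend_sub_context *sub, uint32_t shader_type,
                            uint32_t index, uint32_t offset, uint32_t length,
                            uint32_t handle)
{
   if (!ssbo_index_in_bounds(shader_type, index))
      return -1;
   struct vrend_resource *res = lookup_res(handle);
   if (!res)
      return -1;
   struct vrend_ssbo *ssbo = &sub->ssbo[shader_type][index];
   ssbo->res = res;
   ssbo->buffer_offset = offset;
   ssbo->buffer_size = length;
   sub->ssbo_used_mask[shader_type] |= (1u << index);
   return 0;
}

/* Byte offset, relative to the sub-context, that &sub->ssbo[shader_type][index]
 * would denote.  Computed with integer arithmetic so it stays well-defined
 * even for indices the array does not contain. */
static size_t ssbo_slot_byte_offset(uint32_t shader_type, uint32_t index)
{
   return offsetof(struct vrend_sub_context, ssbo)
        + ((size_t)shader_type * PIPE_MAX_SHADER_BUFFERS + index) * sizeof(struct vrend_ssbo);
}

/* True when a write to that slot would land past the end of the structure. */
static int ssbo_slot_escapes_struct(uint32_t shader_type, uint32_t index)
{
   return ssbo_slot_byte_offset(shader_type, index) + sizeof(struct vrend_ssbo)
          > sizeof(struct vrend_sub_context);
}

int main(void)
{
   struct vrend_sub_context sub;
   memset(&sub, 0, sizeof(sub));

   /* In-bounds request: both variants behave identically. */
   set_ssbo_unchecked(&sub, 1, 3, 0, 64, 7);
   printf("unchecked, in bounds: mask[1]=0x%x\n", sub.ssbo_used_mask[1]);

   /* Guest-chosen index far past the array: only the checked path is safe to call. */
   uint32_t bad_index = 1000;
   printf("index %u would write at byte %zu of a %zu-byte struct (escapes=%d)\n",
          bad_index, ssbo_slot_byte_offset(0, bad_index),
          sizeof(struct vrend_sub_context), ssbo_slot_escapes_struct(0, bad_index));
   printf("checked rejects it: %d\n", set_ssbo_checked(&sub, 0, bad_index, 0, 64, 7));
   return 0;
}
```

The check belongs before the array subscript, not after it: computing `&ctx->sub->ssbo[shader_type][index]` with an out-of-range index is already undefined behaviour, and `1u << index` with index >= 32 is a second one on the same path. Both indices need validating, since shader_type is guest-controlled too.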