Bug 102552

Summary:	Null dereference due to not checking return value of util_format_description
Product:	Mesa	Reporter:	Pauk Denis <pauk.denis>
Component:	Drivers/Gallium/r600	Assignee:	Default DRI bug account <dri-devel>
Status:	RESOLVED FIXED	QA Contact:	Default DRI bug account <dri-devel>
Severity:	enhancement
Priority:	medium	CC:	pauk.denis
Version:	git
Hardware:	x86-64 (AMD64)
OS:	All
Whiteboard:
i915 platform:		i915 features:
Attachments:	gallium/{r600,radeonsi}: Fix segfault with color format Updated version with changes related only to *_supported functions. gallium/{r600,radeonsi}: Fix segfault with color format

Description Pauk Denis 2017-09-05 19:40:17 UTC

In case unsupported format util_format_description return NULL, and dereference will produce segffault.

Comment 1 Pauk Denis 2017-09-05 19:46:46 UTC

Created attachment 133978 [details] [review]
gallium/{r600,radeonsi}: Fix segfault with color format

Possible fix for r600/radionsi

Comment 2 Ilia Mirkin 2017-09-05 20:43:12 UTC

What format is this happening with? There should be a description for every format, maybe except PIPE_FORMAT_NONE.

Comment 3 Pauk Denis 2017-09-06 19:56:41 UTC

I have found this behaiviour because of error in my code when some time is_format_supported called with uninitialized value and had value > PIPE_FORMAT_COUNT. 

With check like:
-----
for(int i=0; i<PIPE_FORMAT_COUNT; i++) {
   pscreen->is_format_supported(pscreen, i, PIPE_TEXTURE_2D, 0, PIPE_BIND_SAMPLER_VIEW);
   }
-----

Such code has possible issues with: 73, 78, 79, 80, 81, 86 (holes in enum pipe_format).

Comment 4 Ilia Mirkin 2017-09-06 21:02:04 UTC

Oh interesting. I think some of those formats were removed recently. I wonder if such call sites should be fixed. Nouveau calls util_format_is_supported up high in is_format_supported, I suspect that gets it out of trouble.

Either way, is_format_supported or its callers should be fixed, not utility functions like util_format_get_first_non_void_channel.

Comment 5 Pauk Denis 2017-09-07 18:51:32 UTC

Created attachment 134056 [details] [review]
Updated version with changes related only to *_supported functions.

I have deleted all changes not realted to *_supported functions.

Change in src/gallium/auxiliary/util/u_format.c:util_format_is_supported - check that value of format in correct range (<PIPE_FORMAT_COUNT).

Changes in src/gallium/drivers/{r600,radeonsi} - check for holes in format values.

Comment 6 Pauk Denis 2017-09-10 14:25:54 UTC

Created attachment 134129 [details] [review]
gallium/{r600,radeonsi}: Fix segfault with color format

Fix radeonsi

Comment 7 Pauk Denis 2017-09-10 14:35:18 UTC

In 'si_is_sampler_format_supported': 'util_format_get_first_non_void_channel' - tried to check 'struct util_format_description' before 'si_translate_texformat' call so we have segfault before check.

Comment 8 Pauk Denis 2017-09-12 20:44:03 UTC

I have sent version patch to mesa-dev@lists.freedesktop.org.
 
https://patchwork.freedesktop.org/series/30086/

Comment 9 Pauk Denis 2017-09-14 05:19:53 UTC

Fixed in https://cgit.freedesktop.org/mesa/mesa/commit/?id=74d2456491fbd96eb3fb99cf8dd3595b223c2065

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.