Bug 102552 - Null dereference due to not checking return value of util_format_description
Summary: Null dereference due to not checking return value of util_format_description
Status: RESOLVED FIXED
Alias: None
Product: Mesa
Classification: Unclassified
Component: Drivers/Gallium/r600 (show other bugs)
Version: git
Hardware: x86-64 (AMD64) All
: medium enhancement
Assignee: Default DRI bug account
QA Contact: Default DRI bug account
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-09-05 19:40 UTC by Pauk Denis
Modified: 2017-09-14 05:19 UTC (History)
1 user (show)

See Also:
i915 platform:
i915 features:

Attachments
gallium/{r600,radeonsi}: Fix segfault with color format (3.58 KB, patch)
2017-09-05 19:46 UTC, Pauk Denis 		Details | Splinter Review
Updated version with changes related only to *_supported functions. (3.16 KB, patch)
2017-09-07 18:51 UTC, Pauk Denis 		Details | Splinter Review
gallium/{r600,radeonsi}: Fix segfault with color format (3.69 KB, patch)
2017-09-10 14:25 UTC, Pauk Denis 		Details | Splinter Review
Show Obsolete (2) View All

Description Pauk Denis 2017-09-05 19:40:17 UTC 
In case unsupported format util_format_description return NULL, and dereference will produce segffault.
Comment 1 Pauk Denis 2017-09-05 19:46:46 UTC 
Created attachment 133978 [details] [review]
gallium/{r600,radeonsi}: Fix segfault with color format

Possible fix for r600/radionsi
Comment 2 Ilia Mirkin 2017-09-05 20:43:12 UTC 
What format is this happening with? There should be a description for every format, maybe except PIPE_FORMAT_NONE.
Comment 3 Pauk Denis 2017-09-06 19:56:41 UTC 
I have found this behaiviour because of error in my code when some time is_format_supported called with uninitialized value and had value > PIPE_FORMAT_COUNT. 

With check like:
-----
for(int i=0; i<PIPE_FORMAT_COUNT; i++) {
   pscreen->is_format_supported(pscreen, i, PIPE_TEXTURE_2D, 0, PIPE_BIND_SAMPLER_VIEW);
   }
-----

Such code has possible issues with: 73, 78, 79, 80, 81, 86 (holes in enum pipe_format).
Comment 4 Ilia Mirkin 2017-09-06 21:02:04 UTC 
Oh interesting. I think some of those formats were removed recently. I wonder if such call sites should be fixed. Nouveau calls util_format_is_supported up high in is_format_supported, I suspect that gets it out of trouble.

Either way, is_format_supported or its callers should be fixed, not utility functions like util_format_get_first_non_void_channel.
Comment 5 Pauk Denis 2017-09-07 18:51:32 UTC 
Created attachment 134056 [details] [review]
Updated version with changes related only to *_supported functions.

I have deleted all changes not realted to *_supported functions.

Change in src/gallium/auxiliary/util/u_format.c:util_format_is_supported - check that value of format in correct range (<PIPE_FORMAT_COUNT).

Changes in src/gallium/drivers/{r600,radeonsi} - check for holes in format values.
Comment 6 Pauk Denis 2017-09-10 14:25:54 UTC 
Created attachment 134129 [details] [review]
gallium/{r600,radeonsi}: Fix segfault with color format

Fix radeonsi
Comment 7 Pauk Denis 2017-09-10 14:35:18 UTC 
In 'si_is_sampler_format_supported': 'util_format_get_first_non_void_channel' - tried to check 'struct util_format_description' before 'si_translate_texformat' call so we have segfault before check.
Comment 8 Pauk Denis 2017-09-12 20:44:03 UTC 
I have sent version patch to mesa-dev@lists.freedesktop.org.
 
https://patchwork.freedesktop.org/series/30086/

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.