VK-GL-CTS
KHR-GL45.texture_view.view_classes accesses unknown memory
I built the opengl cts with ASAN support as I was having some weird issues with running it on llvmpipe swrast but it's uncovering a few things.
One of the tests does a GL_RGBA16F vs GL_RG32F comparison. However it ends up comparing past the end of the allocated XFB BO object.
I suspect the bo size allocation is wrong here, but I'm not fully sure what the test is trying to do to gauge that yet.
```
m_bo_size is 34842 33328 384 2 4 allocating bytes: 384 m view data offset 0x615000031b40, 0x615000031c40 256

==8970==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x615000031cf0 at pc 0x7f5f082a5f4d bp 0x7ffebe6d78c0 sp 0x7ffebe6d7068
READ of size 256 at 0x615000031cf0 thread T0
    #0 0x7f5f082a5f4c (/usr/lib64/libasan.so.5+0xdaf4c)
    #1 0x8fd1af in gl4cts::TextureViewTestViewClasses::verifyResultData(unsigned int, unsigned int, unsigned char const*, unsigned char const*) (/home/airlied/devel/VK-GL-CTS/build/external/openglcts/modules/glcts+0x8fd1af)
    #2 0x8fcfdd in gl4cts::TextureViewTestViewClasses::iterate() (/home/airlied/devel/VK-GL-CTS/build/external/openglcts/modules/glcts+0x8fcfdd)
    #3 0x59a2e5 in gl3cts::TestCaseWrapper::iterate(tcu::TestCase*) (/home/airlied/devel/VK-GL-CTS/build/external/openglcts/modules/glcts+0x59a2e5)
    #4 0x2c8563b in tcu::TestSessionExecutor::iterateTestCase(tcu::TestCase*) (/home/airlied/devel/VK-GL-CTS/build/external/openglcts/modules/glcts+0x2c8563b)
    #5 0x2c84656 in tcu::TestSessionExecutor::iterate() (/home/airlied/devel/VK-GL-CTS/build/external/openglcts/modules/glcts+0x2c84656)
    #6 0x2c52e00 in tcu::App::iterate() (/home/airlied/devel/VK-GL-CTS/build/external/openglcts/modules/glcts+0x2c52e00)
    #7 0x589e67 in main (/home/airlied/devel/VK-GL-CTS/build/external/openglcts/modules/glcts+0x589e67)
    #8 0x7f5f07aa9f42 in __libc_start_main (/lib64/libc.so.6+0x23f42)
    #9 0x589c5d in _start (/home/airlied/devel/VK-GL-CTS/build/external/openglcts/modules/glcts+0x589c5d)

0x615000031cf0 is located 0 bytes to the right of 432-byte region [0x615000031b40,0x615000031cf0)
allocated by thread T0 here:
    #0 0x7f5f082d9bf5 in __interceptor_posix_memalign (/usr/lib64/libasan.so.5+0x10ebf5)
    #1 0x7f5f03ab7132 in os_malloc_aligned (/opt/llvmnir/lib64/dri//swrast_dri.so+0x184f132)
    #2 0x7f5f03ab87a4 in llvmpipe_resource_create_front (/opt/llvmnir/lib64/dri//swrast_dri.so+0x18507a4)
    #3 0x7f5f03ab8903 in llvmpipe_resource_create (/opt/llvmnir/lib64/dri//swrast_dri.so+0x1850903)
    #4 0x7f5f02637e8f in st_bufferobj_data (/opt/llvmnir/lib64/dri//swrast_dri.so+0x3cfe8f)
    #5 0x7f5f028023a9 in buffer_data_error (/opt/llvmnir/lib64/dri//swrast_dri.so+0x59a3a9)
    #6 0x7f5f028028a7 in _mesa_buffer_data (/opt/llvmnir/lib64/dri//swrast_dri.so+0x59a8a7)
    #7 0x7f5f028029b4 in _mesa_BufferData (/opt/llvmnir/lib64/dri//swrast_dri.so+0x59a9b4)
    #8 0x8fb045 in gl4cts::TextureViewTestViewClasses::initBufferObject(unsigned int, unsigned int) (/home/airlied/devel/VK-GL-CTS/build/external/openglcts/modules/glcts+0x8fb045)
    #9 0x8fcd8d in gl4cts::TextureViewTestViewClasses::iterate() (/home/airlied/devel/VK-GL-CTS/build/external/openglcts/modules/glcts+0x8fcd8d)
    #10 0x59a2e5 in gl3cts::TestCaseWrapper::iterate(tcu::TestCase*) (/home/airlied/devel/VK-GL-CTS/build/external/openglcts/modules/glcts+0x59a2e5)
    #11 0x2c8563b in tcu::TestSessionExecutor::iterateTestCase(tcu::TestCase*) (/home/airlied/devel/VK-GL-CTS/build/external/openglcts/modules/glcts+0x2c8563b)
    #12 0x2c84656 in tcu::TestSessionExecutor::iterate() (/home/airlied/devel/VK-GL-CTS/build/external/openglcts/modules/glcts+0x2c84656)
    #13 0x2c52e00 in tcu::App::iterate() (/home/airlied/devel/VK-GL-CTS/build/external/openglcts/modules/glcts+0x2c52e00)
    #14 0x589e67 in main (/home/airlied/devel/VK-GL-CTS/build/external/openglcts/modules/glcts+0x589e67)
    #15 0x7f5f07aa9f42 in __libc_start_main (/lib64/libc.so.6+0x23f42)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib64/libasan.so.5+0xdaf4c)
```
Looking at the BindBufferRange code, this also leads I think to possibly overlapped buffer ranges.

```cpp
/* Configure buffer object bindings for XFB */
gl.bindBufferRange(GL_TRANSFORM_FEEDBACK_BUFFER, 0, /* index for 'out_texture_data' */
                   m_bo_id, 0,                      /* offset */
                   m_view_data_offset);             /* size */
gl.bindBufferRange(GL_TRANSFORM_FEEDBACK_BUFFER, 1, /* index for 'out_view_data' */
                   m_bo_id, m_view_data_offset,     /* offset */
                   m_bo_size - m_view_data_offset); /* size */
```

if m_view_data_offset is incorrectly sized (as it suggests all components are float).
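
The bounds check below is an added example, not code from VK-GL-CTS or from the report: it validates both transform feedback sub-ranges of a single buffer object before any comparison reads from them. All function and type names are hypothetical, and the sample values assume the debug line means 384 bytes allocated, view data 0x100 (256) bytes into the mapping, and a 256-byte read per range.

```cpp
// Added example (not VK-GL-CTS code): validate the two XFB sub-ranges of one
// buffer object before comparing them. All names here are hypothetical.
#include <cstddef>
#include <cstdio>
#include <cstring>

enum class RangeCheck { Ok, TextureRangeOverlapsView, ViewRangeOverrunsBuffer, BadOffset };

// Texture data is captured at [0, view_offset), view data at [view_offset, bo_size).
// cmp_len is the number of bytes the verifier wants to read from each range.
RangeCheck check_ranges(size_t bo_size, size_t view_offset, size_t cmp_len) {
    if (view_offset > bo_size) return RangeCheck::BadOffset;
    if (cmp_len > view_offset) return RangeCheck::TextureRangeOverlapsView;
    // Subtraction form avoids wrap-around in view_offset + cmp_len.
    if (cmp_len > bo_size - view_offset) return RangeCheck::ViewRangeOverrunsBuffer;
    return RangeCheck::Ok;
}

// Bytes by which the view-data read would run past the end of the buffer.
size_t view_overrun(size_t bo_size, size_t view_offset, size_t cmp_len) {
    if (view_offset > bo_size) return cmp_len;
    size_t room = bo_size - view_offset;
    return cmp_len > room ? cmp_len - room : 0;
}

// Compare only when both reads stay inside the mapping; -1 means "refused".
int checked_compare(const unsigned char* bo, size_t bo_size, size_t view_offset, size_t cmp_len) {
    if (check_ranges(bo_size, view_offset, cmp_len) != RangeCheck::Ok) return -1;
    return std::memcmp(bo, bo + view_offset, cmp_len) == 0 ? 1 : 0;
}

int main() {
    // Values as read from the report (assumed interpretation): 384 bytes
    // allocated, view data 256 bytes after the start, 256-byte read.
    const size_t bo_size = 384, view_offset = 256, cmp_len = 256;
    unsigned char bo[384] = {0};  // constructed stand-in for the mapped XFB buffer
    std::printf("check=%d overrun=%zu compare=%d\n",
                static_cast<int>(check_ranges(bo_size, view_offset, cmp_len)),
                view_overrun(bo_size, view_offset, cmp_len),
                checked_compare(bo, bo_size, view_offset, cmp_len));
    return 0;
}
```

With those values the view-data read overruns the requested 384 bytes by 128, while ASAN reports the fault at the end of the 432-byte region the driver actually allocated, so the first 48 bytes past the requested size are read without a report.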