
Out-of-bounds read issue with dEQP-VK.robustness.buffer_access.through_pointers.graphics.reads.vertex.1B_in_memory_with_vec4_s32

Open sumcai opened this issue 2 years ago • 3 comments

I'm working on a vulkan-cts-1.3.1 adaption test for a third-party vendor. I find a bad access (out of memory range) in the function populateBufferWithCopy, where the src buffer size is 12 bytes but the copy size is up to 4096. 4096 is returned by vkGetBufferMemoryRequirements and it may be different on different vendors. Anyway, memcpy should use the src buffer size.

Thread 1 "deqp-vk" hit Breakpoint 1, vkt::robustness::(anonymous namespace)::AccessInstance::AccessInstance (this=0x55555ca68990, context=..., device=...,
    shaderType=vkt::robustness::(anonymous namespace)::SHADER_TYPE_VECTOR_COPY, shaderStage=1, bufferFormat=vk::VK_FORMAT_R32_SINT,
    bufferAccessType=vkt::robustness::(anonymous namespace)::BUFFER_ACCESS_TYPE_READ_FROM_STORAGE, inBufferAccessRange=1, outBufferAccessRange=64,
    accessOutOfBackingMemory=false)
    at /home/VK-GL-CTS/external/vulkancts/modules/vulkan/robustness/vktRobustBufferAccessWithVariablePointersTests.cpp:1396
1396            createTestBuffer(vk, *m_device, 3 * sizeof(deInt32), VK_BUFFER_USAGE_UNIFORM_BUFFER_BIT, memAlloc, m_indicesBuffer, m_indicesBufferAlloc, indicesAccess, &populateBufferWithCopy, &indices);
(gdb) p sizeof(indices)
$1 = 12
(gdb) c
Continuing.

Thread 1 "deqp-vk" hit Breakpoint 3, vkt::robustness::(anonymous namespace)::createTestBuffer (deviceInterface=..., device=@0x55555ca689a0: 0x55555ca72ef0,
    accessRange=12, usage=16, allocator=..., buffer=..., bufferAlloc=..., data=...,
    fillBufferProc=0x555556cebda6 <vkt::robustness::(anonymous namespace)::populateBufferWithCopy(void*, vk::VkDeviceSize, void const*)>, blob=0x7fffffffd5c4)
    at /home/VK-GL-CTS/external/vulkancts/modules/vulkan/robustness/vktRobustBufferAccessWithVariablePointersTests.cpp:125
125             fillBufferProc(bufferAlloc->getHostPtr(), bufferMemoryReqs.size, blob);
(gdb) p  bufferMemoryReqs.size
$2 = 4096
(gdb) p  fillBufferProc
$3 = (vkt::robustness::(anonymous namespace)::FillBufferProcPtr) 0x555556cebda6 <vkt::robustness::(anonymous namespace)::populateBufferWithCopy(void*, vk::VkDeviceSize, void const*)>

sumcai, Sep 20 '23 03:09

Feel free to submit a fix

AlexGalazin-IMG, Nov 01 '23 17:11
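
The size mismatch reported in this issue, shown as an added example that is not part of the thread or the VK-GL-CTS source: a fill callback that is told only the allocation size, next to a bounded variant that also receives the source size. The names fillUnchecked, fillBounded, overreadBytes and demoFill are hypothetical, the shape of the unchecked callback is assumed from the signature in the gdb trace, and zeroing the rest of the mapping is a choice made for this example.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Reported pattern (assumed shape, based on the signature in the gdb trace):
// the callback learns only the allocation size and copies that much from blob.
// With allocSize = 4096 and a 12-byte blob it reads 4084 bytes past the source.
void fillUnchecked(void* dst, std::size_t allocSize, const void* blob)
{
    std::memcpy(dst, blob, allocSize);
}

// Bounded variant: the caller also passes the source size. Copy only what the
// source holds and zero the rest of the mapping so its contents are defined.
// Returns the number of bytes taken from blob.
std::size_t fillBounded(void* dst, std::size_t allocSize, const void* blob, std::size_t blobSize)
{
    const std::size_t n = std::min(allocSize, blobSize);
    std::memcpy(dst, blob, n);
    std::memset(static_cast<std::uint8_t*>(dst) + n, 0, allocSize - n);
    return n;
}

// Bytes the unchecked variant would read beyond the end of the source object.
std::size_t overreadBytes(std::size_t allocSize, std::size_t blobSize)
{
    return allocSize > blobSize ? allocSize - blobSize : 0;
}

// Constructed reproduction of the sizes in the report: a 3 x int32 source and
// an allocation of allocSize bytes standing in for bufferMemoryReqs.size.
std::vector<std::uint8_t> demoFill(std::size_t allocSize, std::size_t* copied)
{
    const std::int32_t indices[3] = {1, 2, 3};           // constructed sample values
    std::vector<std::uint8_t> mapped(allocSize, 0xAA);   // stand-in for the host pointer
    *copied = fillBounded(mapped.data(), mapped.size(), indices, sizeof(indices));
    return mapped;
}

int main()
{
    std::size_t copied = 0;
    const std::vector<std::uint8_t> mapped = demoFill(4096, &copied);
    return (copied == 12 && mapped[12] == 0) ? 0 : 1;
}
```

fillUnchecked is never called here because running it with these sizes is undefined behaviour; building a reproduction with AddressSanitizer is one way to surface that read as a stack-buffer-overflow report.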