asahi: Fix use-after-free in shader key (!15109) · Merge requests · Mesa / mesa

Alyssa Rosenzweig requested to merge asahi/mesa:bugfix into main Feb 21, 2022

We need to take ownership of shader keys before we can insert them into the hash table. Caught by ASan.

==6343==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x00016bc51410 at pc 0x00010498d6cc bp 0x00016bc50240 sp 0x00016bc4f9d0 READ of size 592 at 0x00016bc51410 thread T0 #0 0x10498d6c8 in MemcmpInterceptorCommon(void*, int ()(void const, void const*, unsigned long), void const*, void const*, unsigned long)+0x208 (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x196c8) #1 (closed) 0x10498da08 in wrap_memcmp+0x98 (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x19a08) #2 (closed) 0x10b7f3f18 in asahi_shader_key_equal agx_state.c:867 #3 (closed) 0x10a482e7c in hash_table_search hash_table.c:325 #4 (closed) 0x10b7f4e94 in agx_update_shader agx_state.c:899 #5 (closed) 0x10b7f0dc4 in agx_draw_vbo agx_state.c:1590 #6 (closed) 0x10a7c28c4 in u_vbuf_draw_vbo u_vbuf.c:1498 #7 (closed) 0x10a5db03c in cso_multi_draw cso_context.c:1639 #8 (closed) 0x10aed03d0 in _mesa_validated_drawrangeelements draw.c:1812 #9 (closed) 0x10aed08d4 in _mesa_DrawElements draw.c:1945

Signed-off-by: Alyssa Rosenzweig alyssa@rosenzweig.io

Admin message

asahi: Fix use-after-free in shader key

Merge request reports