KhronosGroup / VK-GL-CTS

Khronos Vulkan, OpenGL, and OpenGL ES Conformance Tests
https://www.khronos.org/
Apache License 2.0

Out-of-bounds read issue with dEQP-VK.robustness.buffer_access.through_pointers.graphics.reads.vertex.1B_in_memory_with_vec4_s32 #417

Open sumcai opened 1 year ago

sumcai commented 1 year ago

I'm working on a vulkan-cts-1.3.1 adaptation test for a third-party vendor. I find a bad access (out of memory range) in the function populateBufferWithCopy, where the src buffer size is 12 bytes but the copy size is up to 4096. 4096 is returned by vkGetBufferMemoryRequirements and it may be different on different vendors. Anyway, memcpy should use the src buffer size.

Thread 1 "deqp-vk" hit Breakpoint 1, vkt::robustness::(anonymous namespace)::AccessInstance::AccessInstance (this=0x55555ca68990, context=..., device=...,
    shaderType=vkt::robustness::(anonymous namespace)::SHADER_TYPE_VECTOR_COPY, shaderStage=1, bufferFormat=vk::VK_FORMAT_R32_SINT,
    bufferAccessType=vkt::robustness::(anonymous namespace)::BUFFER_ACCESS_TYPE_READ_FROM_STORAGE, inBufferAccessRange=1, outBufferAccessRange=64,
    accessOutOfBackingMemory=false)
    at /home/VK-GL-CTS/external/vulkancts/modules/vulkan/robustness/vktRobustBufferAccessWithVariablePointersTests.cpp:1396
1396            createTestBuffer(vk, *m_device, 3 * sizeof(deInt32), VK_BUFFER_USAGE_UNIFORM_BUFFER_BIT, memAlloc, m_indicesBuffer, m_indicesBufferAlloc, indicesAccess, &populateBufferWithCopy, &indices);
(gdb) p sizeof(indices)
$1 = 12
(gdb) c
Continuing.

Thread 1 "deqp-vk" hit Breakpoint 3, vkt::robustness::(anonymous namespace)::createTestBuffer (deviceInterface=..., device=@0x55555ca689a0: 0x55555ca72ef0,
    accessRange=12, usage=16, allocator=..., buffer=..., bufferAlloc=..., data=...,
    fillBufferProc=0x555556cebda6 <vkt::robustness::(anonymous namespace)::populateBufferWithCopy(void*, vk::VkDeviceSize, void const*)>, blob=0x7fffffffd5c4)
    at /home/VK-GL-CTS/external/vulkancts/modules/vulkan/robustness/vktRobustBufferAccessWithVariablePointersTests.cpp:125
125             fillBufferProc(bufferAlloc->getHostPtr(), bufferMemoryReqs.size, blob);
(gdb) p  bufferMemoryReqs.size
$2 = 4096
(gdb) p  fillBufferProc
$3 = (vkt::robustness::(anonymous namespace)::FillBufferProcPtr) 0x555556cebda6 <vkt::robustness::(anonymous namespace)::populateBufferWithCopy(void*, vk::VkDeviceSize, void const*)>
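
The size mismatch reported above, as an added example that is not part of the original issue or the VK-GL-CTS source: a copy sized by the allocation next to one bounded by the source length. `DeviceSize`, `copyAllocationSizeUnsafe`, `copyBounded` and `demoReportedSizes` are hypothetical names, the index values are constructed, and zero-filling the rest of the mapping is an assumption of this sketch.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

using DeviceSize = std::uint64_t;  // stand-in for vk::VkDeviceSize (assumption)

// Shape of the reported call: the length is the allocation size
// (bufferMemoryReqs.size, 4096 in the gdb session), not the size of `blob`
// (12). Shown for comparison only and never called here: with a 12-byte
// source it would read 4084 bytes past the end of the source.
void copyAllocationSizeUnsafe(void* dst, DeviceSize allocSize, const void* blob)
{
    std::memcpy(dst, blob, static_cast<std::size_t>(allocSize));
}

// Bounded variant (hypothetical helper): the source length travels with the
// source pointer. Copies min(srcSize, allocSize) bytes and zero-fills the
// rest of the mapping so the padding is deterministic. Returns bytes copied.
DeviceSize copyBounded(void* dst, DeviceSize allocSize, const void* src, DeviceSize srcSize)
{
    const std::size_t n = static_cast<std::size_t>(std::min(allocSize, srcSize));
    std::memcpy(dst, src, n);
    std::memset(static_cast<std::uint8_t*>(dst) + n, 0,
                static_cast<std::size_t>(allocSize) - n);
    return n;
}

// Constructed scenario with the sizes from the report: 12-byte source,
// 4096-byte mapping. True when only the 12 source bytes were copied.
bool demoReportedSizes()
{
    const std::int32_t indices[3] = {0, 1, 2};      // constructed values
    std::vector<std::uint8_t> mapping(4096, 0xAA);  // stands in for getHostPtr()
    const DeviceSize copied =
        copyBounded(mapping.data(), mapping.size(), indices, sizeof(indices));
    return copied == sizeof(indices)
        && std::memcmp(mapping.data(), indices, sizeof(indices)) == 0
        && mapping[12] == 0 && mapping[4095] == 0;
}

int main() { return demoReportedSizes() ? 0 : 1; }
```
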

AlexGalazin-IMG commented 1 year ago

Feel free to submit a fix

sumcai commented 3 months ago

> Feel free to submit a fix

https://github.com/KhronosGroup/VK-GL-CTS/pull/466 please review the patch

sumcai commented 2 months ago

> Feel free to submit a fix

https://github.com/KhronosGroup/VK-GL-CTS/pull/481