From mboxrd@z Thu Jan 1 00:00:00 1970
From: bugzilla-daemon@freedesktop.org
Subject: [Bug 65968] Massive memory corruption in Planetary Annihilation Alpha
Date: Tue, 14 Feb 2017 17:50:21 +0000
To: dri-devel@lists.freedesktop.org
List-Id: dri-devel@lists.freedesktop.org
Sender: "dri-devel"
Errors-To: dri-devel-bounces@lists.freedesktop.org
X-Bugzilla-URL: http://bugs.freedesktop.org/
Auto-Submitted: auto-generated

https://bugs.freedesktop.org/show_bug.cgi?id=65968

Andreas Ringlstetter changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Status|NEW                         |RESOLVED
     Resolution|---                         |INVALID

--- Comment #12 from Andreas Ringlstetter ---
It's a bug in PA itself, not in Mesa.

The root cause is a race condition on the shared buffer which is used to
transfer the rendered HTML UI from the Coherent host process back to PA.

There is a missing mutex inside PA when the buffer gets reallocated as a result
of a window resize event. Effectively, this results in a use-after-free by the
render thread of the PA process.

The faster the realloc, the lower the chance of this bug occurring.
It's also subject to possibly missing protections against use after free
conditions on previously shared buffers. And also to the memory allocation
strategy, as a reuse of the same memory region without a clear leads to the
most visible effect.

Unfortunately, various Mesa drivers do not wipe the video memory after a buffer
was returned to the global pool!

-- 
You are receiving this mail because:
You are the assignee for the bug.
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel
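An added illustration of the bug class the comment describes, and of one way to close it. This is constructed example code, not code from the bug report, from Planetary Annihilation, Coherent or Mesa; the `surface_t`/`ui_buffer_t` types, the 0xAA/0xBB fill bytes and every function name are hypothetical. `racy_resize` has the shape of the problem (no lock, old storage freed while a render thread may still hold the raw pixel pointer) and is never called; the locked, reference-counted path is exercised with a resize forced to land between the renderer taking its snapshot of the buffer and reading it, which is the interleaving the comment blames.

```c
#include <pthread.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical shared UI buffer handed from the HTML-UI host process to the
 * renderer. Constructed for illustration; not PA's or Coherent's layout. */
typedef struct {
    uint8_t *pixels;
    size_t   size;
    int      refs;   /* surface's own ref + active readers; under lock */
} ui_buffer_t;

typedef struct {
    pthread_mutex_t lock;
    ui_buffer_t    *current;
    int             frees;  /* buffers actually freed, for checking */
} surface_t;

static ui_buffer_t *buffer_new(size_t size, uint8_t fill) {
    ui_buffer_t *b = malloc(sizeof *b);
    b->pixels = malloc(size);
    memset(b->pixels, fill, size);   /* never hand out uninitialised memory */
    b->size = size;
    b->refs = 1;
    return b;
}

/* Caller holds s->lock. Wipe before free so a reused region is not stale. */
static void buffer_unref_locked(surface_t *s, ui_buffer_t *b) {
    if (--b->refs == 0) {
        memset(b->pixels, 0, b->size);
        free(b->pixels);
        free(b);
        s->frees++;
    }
}

/* RACY resize, the shape of the bug: no lock, and the old storage is freed
 * while the render thread may still hold the raw pixel pointer. Shown for
 * contrast only; nothing below calls it. */
void racy_resize(surface_t *s, size_t new_size) {
    free(s->current->pixels);              /* renderer's pointer now dangles */
    s->current->pixels = malloc(new_size); /* may reuse the freed region */
    s->current->size = new_size;
}

void surface_init(surface_t *s, size_t size) {
    pthread_mutex_init(&s->lock, NULL);
    s->current = buffer_new(size, 0xAA);
    s->frees = 0;
}

/* Resize (window-resize event): swap in a fresh buffer under the lock; the
 * old one is freed only once no reader still holds a reference. */
void surface_resize(surface_t *s, size_t new_size) {
    ui_buffer_t *fresh = buffer_new(new_size, 0xBB);
    pthread_mutex_lock(&s->lock);
    ui_buffer_t *old = s->current;
    s->current = fresh;
    buffer_unref_locked(s, old);
    pthread_mutex_unlock(&s->lock);
}

/* Render side: take a reference under the lock, read outside it, release. */
ui_buffer_t *surface_acquire(surface_t *s) {
    pthread_mutex_lock(&s->lock);
    ui_buffer_t *b = s->current;
    b->refs++;
    pthread_mutex_unlock(&s->lock);
    return b;
}

void surface_release(surface_t *s, ui_buffer_t *b) {
    pthread_mutex_lock(&s->lock);
    buffer_unref_locked(s, b);
    pthread_mutex_unlock(&s->lock);
}

/* The interleaving from the comment, forced deterministically: the renderer
 * snapshots pointer and size for the frame, a resize lands, then it reads.
 * Returns the byte read; *freed_during counts buffers freed by the resize
 * while the renderer still held its reference (must stay 0). */
int render_across_resize(surface_t *s, size_t new_size, int *freed_during) {
    ui_buffer_t *b = surface_acquire(s);
    uint8_t *px = b->pixels;               /* frame-local snapshot, as a */
    size_t   n  = b->size;                 /* render loop would keep     */
    int before = s->frees;
    surface_resize(s, new_size);
    *freed_during = s->frees - before;
    int v = px[n - 1];                     /* valid: b outlives the resize */
    surface_release(s, b);                 /* old buffer is freed here */
    return v;
}

int main(void) {
    surface_t s; int freed = -1;
    surface_init(&s, 16);
    int v = render_across_resize(&s, 64, &freed);
    return (v == 0xAA && freed == 0 && s.frees == 1) ? 0 : 1;
}
```

To see the failure mode the comment describes, substitute `racy_resize` for `surface_resize` inside `render_across_resize` and build with `-fsanitize=address`: the read through `px` is then reported as a heap-use-after-free. Without the sanitizer the read usually succeeds and returns whatever the allocator left in the reused region, which is the "most visible effect" the comment attributes to reuse without a clear; the `memset` before `free` in `buffer_unref_locked` is the application-side counterpart of the wipe the comment says some drivers skip for video memory.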