Compare commits
No commits in common. 'cs10' and 'c9' have entirely different histories.
@ -1 +1 @@
|
|||||||
SOURCES/pixman-0.43.4.tar.xz
|
SOURCES/pixman-0.40.0.tar.xz
|
||||||
|
@ -1 +1 @@
|
|||||||
678cdf71b2e48f773c5bdaa18555b4ca5eac5091 SOURCES/pixman-0.43.4.tar.xz
|
c625853be8a5369cece57ab7dba558ff739a6332 SOURCES/pixman-0.40.0.tar.xz
|
||||||
|
@ -0,0 +1,29 @@
|
|||||||
|
From a1f88e842e0216a5b4df1ab023caebe33c101395 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Matt Turner <mattst88@gmail.com>
|
||||||
|
Date: Wed, 2 Nov 2022 12:07:32 -0400
|
||||||
|
Subject: [PATCH] Avoid integer overflow leading to out-of-bounds write
|
||||||
|
|
||||||
|
Thanks to Maddie Stone and Google's Project Zero for discovering this
|
||||||
|
issue, providing a proof-of-concept, and a great analysis.
|
||||||
|
|
||||||
|
Closes: https://gitlab.freedesktop.org/pixman/pixman/-/issues/63
|
||||||
|
---
|
||||||
|
pixman/pixman-trap.c | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/pixman/pixman-trap.c b/pixman/pixman-trap.c
|
||||||
|
index 91766fd..7560405 100644
|
||||||
|
--- a/pixman/pixman-trap.c
|
||||||
|
+++ b/pixman/pixman-trap.c
|
||||||
|
@@ -74,7 +74,7 @@ pixman_sample_floor_y (pixman_fixed_t y,
|
||||||
|
|
||||||
|
if (f < Y_FRAC_FIRST (n))
|
||||||
|
{
|
||||||
|
- if (pixman_fixed_to_int (i) == 0x8000)
|
||||||
|
+ if (pixman_fixed_to_int (i) == 0xffff8000)
|
||||||
|
{
|
||||||
|
f = 0; /* saturate */
|
||||||
|
}
|
||||||
|
--
|
||||||
|
2.41.0
|
||||||
|
|
@ -1,34 +0,0 @@
|
|||||||
From 3a32506877f925f9c27f72558f7f07fdb3092fc2 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Bill Roberts <bill.roberts@arm.com>
|
|
||||||
Date: Wed, 10 Jul 2024 12:18:02 -0500
|
|
||||||
Subject: [PATCH 1/2] arm: add include guards on header
|
|
||||||
|
|
||||||
Prevent double inclusion of header file.
|
|
||||||
|
|
||||||
Signed-off-by: Bill Roberts <bill.roberts@arm.com>
|
|
||||||
---
|
|
||||||
pixman/pixman-arm-asm.h | 4 ++++
|
|
||||||
1 file changed, 4 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/pixman/pixman-arm-asm.h b/pixman/pixman-arm-asm.h
|
|
||||||
index edf8e82..1fe40b3 100644
|
|
||||||
--- a/pixman/pixman-arm-asm.h
|
|
||||||
+++ b/pixman/pixman-arm-asm.h
|
|
||||||
@@ -25,6 +25,8 @@
|
|
||||||
*
|
|
||||||
*/
|
|
||||||
|
|
||||||
+#ifndef PIXMAN_ARM_ASM_H
|
|
||||||
+#define PIXMAN_ARM_ASM_H
|
|
||||||
|
|
||||||
#include "pixman-config.h"
|
|
||||||
|
|
||||||
@@ -61,3 +63,5 @@
|
|
||||||
.endfunc
|
|
||||||
#endif
|
|
||||||
.endm
|
|
||||||
+
|
|
||||||
+#endif /* PIXMAN_ARM_ASM_H */
|
|
||||||
--
|
|
||||||
2.46.0
|
|
||||||
|
|
@ -1,280 +0,0 @@
|
|||||||
From 7ed0f8d04d56320b034f2e15ef7867c5724947e0 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Bill Roberts <bill.roberts@arm.com>
|
|
||||||
Date: Thu, 18 Jul 2024 10:13:07 -0500
|
|
||||||
Subject: [PATCH 2/2] aarch64: support PAC and BTI
|
|
||||||
|
|
||||||
Enable Pointer Authentication Codes (PAC) and Branch Target
|
|
||||||
Identification (BTI) support for ARM 64 targets.
|
|
||||||
|
|
||||||
PAC works by signing the LR with either an A key or B key and verifying
|
|
||||||
the return address. There are quite a few instructions capable of doing
|
|
||||||
this, however, the Linux ARM ABI is to use hint compatible instructions
|
|
||||||
that can be safely NOP'd on older hardware and can be assembled and
|
|
||||||
linked with older binutils. This limits the instruction set to paciasp,
|
|
||||||
pacibsp, autiasp and autibsp. Instructions prefixed with pac are for
|
|
||||||
signing and instructions prefixed with aut are for signing. Both
|
|
||||||
instructions are then followed with an a or b to indicate which signing
|
|
||||||
key they are using. The keys can be controlled using
|
|
||||||
-mbranch-protection=pac-ret for the A key and
|
|
||||||
-mbranch-protection=pac-ret+b-key for the B key.
|
|
||||||
|
|
||||||
BTI works by marking all call and jump positions with bti c and bti
|
|
||||||
j instructions. If execution control transfers to an instruction other
|
|
||||||
than a BTI instruction, the execution is killed via SIGILL. Note that
|
|
||||||
to remove one instruction, the aforementioned pac instructions will
|
|
||||||
also work as a BTI landing pad for bti c usages.
|
|
||||||
|
|
||||||
For BTI to work, all object files linked for a unit of execution,
|
|
||||||
whether an executable or a library must have the GNU Notes section of
|
|
||||||
the ELF file marked to indicate BTI support. This is so loader/linkers
|
|
||||||
can apply the proper permission bits (PROT_BRI) on the memory region.
|
|
||||||
|
|
||||||
PAC can also be annotated in the GNU ELF notes section, but it's not
|
|
||||||
required for enablement, as interleaved PAC and non-pac code works as
|
|
||||||
expected since it's the callee that performs all the checking. The
|
|
||||||
linker follows the same rules as BTI for discarding the PAC flag from
|
|
||||||
the GNU Notes section.
|
|
||||||
|
|
||||||
Testing was done under the following CFLAGS and CXXFLAGS for all
|
|
||||||
combinations:
|
|
||||||
1. -mbranch-protection=none
|
|
||||||
2. -mbranch-protection=standard
|
|
||||||
3. -mbranch-protection=pac-ret
|
|
||||||
4. -mbranch-protection=pac-ret+b-key
|
|
||||||
5. -mbranch-protection=bti
|
|
||||||
|
|
||||||
Signed-off-by: Bill Roberts <bill.roberts@arm.com>
|
|
||||||
---
|
|
||||||
pixman/pixman-arm-asm.h | 43 ++++++++++++++++++++++++
|
|
||||||
pixman/pixman-arma64-neon-asm-bilinear.S | 1 +
|
|
||||||
pixman/pixman-arma64-neon-asm.S | 1 +
|
|
||||||
pixman/pixman-arma64-neon-asm.h | 32 +++++++++++++-----
|
|
||||||
4 files changed, 69 insertions(+), 8 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/pixman/pixman-arm-asm.h b/pixman/pixman-arm-asm.h
|
|
||||||
index 1fe40b3..c13837c 100644
|
|
||||||
--- a/pixman/pixman-arm-asm.h
|
|
||||||
+++ b/pixman/pixman-arm-asm.h
|
|
||||||
@@ -30,6 +30,48 @@
|
|
||||||
|
|
||||||
#include "pixman-config.h"
|
|
||||||
|
|
||||||
+/*
|
|
||||||
+ * References:
|
|
||||||
+ * - https://developer.arm.com/documentation/101028/0012/5--Feature-test-macros
|
|
||||||
+ * - https://github.com/ARM-software/abi-aa/blob/main/aaelf64/aaelf64.rst
|
|
||||||
+ */
|
|
||||||
+#if defined(__ARM_FEATURE_BTI_DEFAULT) && __ARM_FEATURE_BTI_DEFAULT == 1
|
|
||||||
+ #define BTI_C hint 34 /* bti c: for calls, IE bl instructions */
|
|
||||||
+ #define GNU_PROPERTY_AARCH64_BTI 1 /* bit 0 GNU Notes is for BTI support */
|
|
||||||
+#else
|
|
||||||
+ #define BTI_C
|
|
||||||
+ #define GNU_PROPERTY_AARCH64_BTI 0
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
+#if defined(__ARM_FEATURE_PAC_DEFAULT)
|
|
||||||
+ #if __ARM_FEATURE_PAC_DEFAULT & 1
|
|
||||||
+ #define SIGN_LR hint 25 /* paciasp: sign with the A key */
|
|
||||||
+ #define VERIFY_LR hint 29 /* autiasp: verify with the b key */
|
|
||||||
+ #elif __ARM_FEATURE_PAC_DEFAULT & 2
|
|
||||||
+ #define SIGN_LR hint 27 /* pacibsp: sign with the b key */
|
|
||||||
+ #define VERIFY_LR hint 31 /* autibsp: verify with the b key */
|
|
||||||
+ #endif
|
|
||||||
+ #define GNU_PROPERTY_AARCH64_POINTER_AUTH 2 /* bit 1 GNU Notes is for PAC support */
|
|
||||||
+#else
|
|
||||||
+ #define SIGN_LR BTI_C
|
|
||||||
+ #define VERIFY_LR
|
|
||||||
+ #define GNU_PROPERTY_AARCH64_POINTER_AUTH 0
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
+/* Add the BTI support to GNU Notes section for ASM files */
|
|
||||||
+#if GNU_PROPERTY_AARCH64_BTI != 0 || GNU_PROPERTY_AARCH64_POINTER_AUTH != 0
|
|
||||||
+ .pushsection .note.gnu.property, "a"; /* Start a new allocatable section */
|
|
||||||
+ .balign 8; /* align it on a byte boundry */
|
|
||||||
+ .long 4; /* size of "GNU\0" */
|
|
||||||
+ .long 0x10; /* size of descriptor */
|
|
||||||
+ .long 0x5; /* NT_GNU_PROPERTY_TYPE_0 */
|
|
||||||
+ .asciz "GNU";
|
|
||||||
+ .long 0xc0000000; /* GNU_PROPERTY_AARCH64_FEATURE_1_AND */
|
|
||||||
+ .long 4; /* Four bytes of data */
|
|
||||||
+ .long (GNU_PROPERTY_AARCH64_BTI|GNU_PROPERTY_AARCH64_POINTER_AUTH); /* BTI or PAC is enabled */
|
|
||||||
+ .long 0; /* padding for 8 byte alignment */
|
|
||||||
+ .popsection; /* end the section */
|
|
||||||
+#endif
|
|
||||||
|
|
||||||
/* Supplementary macro for setting function attributes */
|
|
||||||
.macro pixman_asm_function_impl fname
|
|
||||||
@@ -42,6 +84,7 @@
|
|
||||||
.type \fname, %function
|
|
||||||
#endif
|
|
||||||
\fname:
|
|
||||||
+ SIGN_LR
|
|
||||||
.endm
|
|
||||||
|
|
||||||
.macro pixman_asm_function fname
|
|
||||||
diff --git a/pixman/pixman-arma64-neon-asm-bilinear.S b/pixman/pixman-arma64-neon-asm-bilinear.S
|
|
||||||
index 7303bdc..f11f8c8 100644
|
|
||||||
--- a/pixman/pixman-arma64-neon-asm-bilinear.S
|
|
||||||
+++ b/pixman/pixman-arma64-neon-asm-bilinear.S
|
|
||||||
@@ -812,6 +812,7 @@ pixman_asm_function \fname
|
|
||||||
mov sp, x29
|
|
||||||
ldp x29, x30, [sp], 16
|
|
||||||
.endif
|
|
||||||
+ VERIFY_LR
|
|
||||||
ret
|
|
||||||
|
|
||||||
.unreq OUT
|
|
||||||
diff --git a/pixman/pixman-arma64-neon-asm.S b/pixman/pixman-arma64-neon-asm.S
|
|
||||||
index 107c133..7329d4b 100644
|
|
||||||
--- a/pixman/pixman-arma64-neon-asm.S
|
|
||||||
+++ b/pixman/pixman-arma64-neon-asm.S
|
|
||||||
@@ -3541,6 +3541,7 @@ pixman_asm_function \fname
|
|
||||||
ldp x12, x13, [x29, -104]
|
|
||||||
mov sp, x29
|
|
||||||
ldp x29, x30, [sp], 16
|
|
||||||
+ VERIFY_LR
|
|
||||||
ret
|
|
||||||
|
|
||||||
.unreq OUT
|
|
||||||
diff --git a/pixman/pixman-arma64-neon-asm.h b/pixman/pixman-arma64-neon-asm.h
|
|
||||||
index 6aa6838..ec3d76f 100644
|
|
||||||
--- a/pixman/pixman-arma64-neon-asm.h
|
|
||||||
+++ b/pixman/pixman-arma64-neon-asm.h
|
|
||||||
@@ -47,6 +47,8 @@
|
|
||||||
* - maybe add an option to do reverse scanline processing
|
|
||||||
*/
|
|
||||||
|
|
||||||
+#include "pixman-arm-asm.h"
|
|
||||||
+
|
|
||||||
/*
|
|
||||||
* Bit flags for 'generate_composite_function' macro which are used
|
|
||||||
* to tune generated functions behavior.
|
|
||||||
@@ -232,14 +234,16 @@
|
|
||||||
asr TMP1, VX, #16
|
|
||||||
adds VX, VX, UNIT_X
|
|
||||||
bmi 55f
|
|
||||||
-5: subs VX, VX, SRC_WIDTH_FIXED
|
|
||||||
+5:
|
|
||||||
+ subs VX, VX, SRC_WIDTH_FIXED
|
|
||||||
bpl 5b
|
|
||||||
55:
|
|
||||||
add TMP1, \mem_operand, TMP1, lsl #1
|
|
||||||
asr TMP2, VX, #16
|
|
||||||
adds VX, VX, UNIT_X
|
|
||||||
bmi 55f
|
|
||||||
-5: subs VX, VX, SRC_WIDTH_FIXED
|
|
||||||
+5:
|
|
||||||
+ subs VX, VX, SRC_WIDTH_FIXED
|
|
||||||
bpl 5b
|
|
||||||
55:
|
|
||||||
add TMP2, \mem_operand, TMP2, lsl #1
|
|
||||||
@@ -247,7 +251,8 @@
|
|
||||||
asr TMP1, VX, #16
|
|
||||||
adds VX, VX, UNIT_X
|
|
||||||
bmi 55f
|
|
||||||
-5: subs VX, VX, SRC_WIDTH_FIXED
|
|
||||||
+5:
|
|
||||||
+ subs VX, VX, SRC_WIDTH_FIXED
|
|
||||||
bpl 5b
|
|
||||||
55:
|
|
||||||
add TMP1, \mem_operand, TMP1, lsl #1
|
|
||||||
@@ -255,7 +260,8 @@
|
|
||||||
asr TMP2, VX, #16
|
|
||||||
adds VX, VX, UNIT_X
|
|
||||||
bmi 55f
|
|
||||||
-5: subs VX, VX, SRC_WIDTH_FIXED
|
|
||||||
+5:
|
|
||||||
+ subs VX, VX, SRC_WIDTH_FIXED
|
|
||||||
bpl 5b
|
|
||||||
55:
|
|
||||||
add TMP2, \mem_operand, TMP2, lsl #1
|
|
||||||
@@ -265,14 +271,16 @@
|
|
||||||
asr TMP1, VX, #16
|
|
||||||
adds VX, VX, UNIT_X
|
|
||||||
bmi 55f
|
|
||||||
-5: subs VX, VX, SRC_WIDTH_FIXED
|
|
||||||
+5:
|
|
||||||
+ subs VX, VX, SRC_WIDTH_FIXED
|
|
||||||
bpl 5b
|
|
||||||
55:
|
|
||||||
add TMP1, \mem_operand, TMP1, lsl #2
|
|
||||||
asr TMP2, VX, #16
|
|
||||||
adds VX, VX, UNIT_X
|
|
||||||
bmi 55f
|
|
||||||
-5: subs VX, VX, SRC_WIDTH_FIXED
|
|
||||||
+5:
|
|
||||||
+ subs VX, VX, SRC_WIDTH_FIXED
|
|
||||||
bpl 5b
|
|
||||||
55:
|
|
||||||
add TMP2, \mem_operand, TMP2, lsl #2
|
|
||||||
@@ -312,7 +320,8 @@
|
|
||||||
asr TMP1, VX, #16
|
|
||||||
adds VX, VX, UNIT_X
|
|
||||||
bmi 55f
|
|
||||||
-5: subs VX, VX, SRC_WIDTH_FIXED
|
|
||||||
+5:
|
|
||||||
+ subs VX, VX, SRC_WIDTH_FIXED
|
|
||||||
bpl 5b
|
|
||||||
55:
|
|
||||||
add TMP1, \mem_operand, TMP1, lsl #1
|
|
||||||
@@ -322,7 +331,8 @@
|
|
||||||
mov TMP1, DUMMY
|
|
||||||
adds VX, VX, UNIT_X
|
|
||||||
bmi 55f
|
|
||||||
-5: subs VX, VX, SRC_WIDTH_FIXED
|
|
||||||
+5:
|
|
||||||
+ subs VX, VX, SRC_WIDTH_FIXED
|
|
||||||
bpl 5b
|
|
||||||
55:
|
|
||||||
add TMP1, \mem_operand, TMP1, lsl #2
|
|
||||||
@@ -917,6 +927,7 @@
|
|
||||||
ldr x28, [x29, -232]
|
|
||||||
mov sp, x29
|
|
||||||
ldp x29, x30, [sp], 16
|
|
||||||
+ VERIFY_LR
|
|
||||||
ret /* exit */
|
|
||||||
/*
|
|
||||||
* This is the start of the loop, designed to process images with small width
|
|
||||||
@@ -974,6 +985,7 @@
|
|
||||||
ldr x28, [x29, -232]
|
|
||||||
mov sp, x29
|
|
||||||
ldp x29, x30, [sp], 16
|
|
||||||
+ VERIFY_LR
|
|
||||||
ret /* exit */
|
|
||||||
|
|
||||||
.purgem fetch_src_pixblock
|
|
||||||
@@ -1155,6 +1167,7 @@
|
|
||||||
ldr x10, [x29, -96]
|
|
||||||
mov sp, x29
|
|
||||||
ldp x29, x30, [sp], 16
|
|
||||||
+ VERIFY_LR
|
|
||||||
ret /* exit */
|
|
||||||
.else
|
|
||||||
sub x29, x29, 64
|
|
||||||
@@ -1162,6 +1175,7 @@
|
|
||||||
ld1 {v12.8b, v13.8b, v14.8b, v15.8b}, [x29], 32
|
|
||||||
mov sp, x29
|
|
||||||
ldp x29, x30, [sp], 16
|
|
||||||
+ VERIFY_LR
|
|
||||||
ret /* exit */
|
|
||||||
.endif
|
|
||||||
800:
|
|
||||||
@@ -1180,6 +1194,7 @@
|
|
||||||
ldr x10, [x29, -88]
|
|
||||||
mov sp, x29
|
|
||||||
ldp x29, x30, [sp], 16
|
|
||||||
+ VERIFY_LR
|
|
||||||
ret /* exit */
|
|
||||||
|
|
||||||
.unreq DUMMY
|
|
||||||
@@ -1200,6 +1215,7 @@
|
|
||||||
ld1 {v12.8b, v13.8b, v14.8b, v15.8b}, [x29], 32
|
|
||||||
mov sp, x29
|
|
||||||
ldp x29, x30, [sp], 16
|
|
||||||
+ VERIFY_LR
|
|
||||||
ret /* exit */
|
|
||||||
|
|
||||||
.unreq DUMMY
|
|
||||||
--
|
|
||||||
2.46.0
|
|
||||||
|
|
Loading…
Reference in new issue