Crash in libegl-mesa0 due to out of bound array access

18.0.x series is done, this would need to be added as a distro patch

Sorry, I couldn't understand what do you mean by distro patch. Do you mean it needs to be applied as patch over the current version of libegl-mesa0 in Bionic and libegl-mesa0 generated with this patch needs to come as upgrade in Bionic (i.e when I do apt-get upgrade) ? thanks!

Yes. Problem is that bionic-proposed already has 18.0.5 staged for the 18.04.1 update, so adding more would delay getting that update.

Is there a way to reproduce this bug? How common is it? I'm wondering if it should be skipped for now and provided via backport from cosmic after 18.10 is released..

Crash can be reproduced by simple test application which does e.g. :
main()
{
   eglGetProcAddress("egl148546488546404");
}

The problem is in the search algorithm used in mesa to look for the name passed to eglGetProcAddress. So crash can reproduce with other names as well. Please note that this bug will affect even though mesa driver is actually not getting used. GLVD tries to load drivers from all vendors listed in "/usr/share/glvnd/egl_vendor.d/". As a work around "/usr/share/glvnd/egl_vendor.d/50_mesa.json" needs to be removed for using EGL driver from other vendors e.g. nvidia.

This bug was fixed in the package mesa - 18.1.1-1ubuntu1

---------------
mesa (18.1.1-1ubuntu1) cosmic; urgency=medium

  * Merge from Debian.
  * glvnd-fix-a-segfault-in-eglgetprocaddess.diff: Backport a commit to
    fix a segfault. (LP: #1776499)

 -- Timo Aaltonen <email address hidden> Wed, 13 Jun 2018 12:10:21 +0300

Hi Timo,
Is the fix for this issue likely to backported to Bionic ?

yes, but not before the current version in -proposed has migrated to -updates

Hi Timo,
It seems -proposed "18.0.5-0ubuntu0~18.04.1" is migrated to -updates. So, is it possible to fix this in next version getting finalized for -updates ?

The next one will be based on mesa 18.2.x from 18.10

please test 18.2.2 from bionic-proposed

Before using libegl-mesa0 from bionic-proposed:
$ apt-cache policy libegl-mesa0
libegl-mesa0:
  Installed: 18.0.5-0ubuntu0~18.04.1
  Candidate: 18.0.5-0ubuntu0~18.04.1
  Version table:
 *** 18.0.5-0ubuntu0~18.04.1 100
        100 /var/lib/dpkg/status
$ cat main.c
main()
{
   eglGetProcAddress("egl148546488546404");
}
$ gcc main.c -lEGL
$ ./a.out
Segmentation fault (core dumped)

After upgrading libegl-mesa0 to bionic-proposed:
$ apt-cache policy libegl-mesa0
libegl-mesa0:
  Installed: 18.2.2-0ubuntu1~18.04.1
  Candidate: 18.2.2-0ubuntu1~18.04.1
  Version table:
 *** 18.2.2-0ubuntu1~18.04.1 500
        500 http://ports.ubuntu.com/ubuntu-ports bionic-proposed/main arm64 Packages
        100 /var/lib/dpkg/status
     18.0.5-0ubuntu0~18.04.1 500
        500 http://ports.ubuntu.com/ubuntu-ports bionic-updates/main arm64 Packages
     18.0.0~rc5-1ubuntu1 500
        500 http://ports.ubuntu.com/ubuntu-ports bionic/main arm64 Packages
$ ./a.out
No crash

So I can confirm that the issues is fixed in bionic-proposed.

When it is expected libegl-mesa0 to move from bionic-proposed to bionic-updates ? thanks!

before 18.04.2 is released, which means before feb 7th unless it's delayed

thanks for verifying!

This bug was fixed in the package mesa - 18.2.2-0ubuntu1~18.04.1

---------------
mesa (18.2.2-0ubuntu1~18.04.1) bionic; urgency=medium

  * Backport for 18.04.2 HWE stack update. (LP: #1798597)
  * intel-whl-aml-cfl-ids.diff: Add missing i965 pci-id's (LP: #1789924)

 -- Timo Aaltonen <email address hidden> Thu, 29 Nov 2018 00:09:03 +0200

This issue is still happened using focal-update.

I checked below changelog for libegl-mesa0 package:

- https://packages.ubuntu.com/focal/libegl-mesa0
- https://packages.ubuntu.com/focal-updates/libegl-mesa0

And found the change is only existed in focal, but not in focal-update:

mesa (18.1.1-1ubuntu1) cosmic; urgency=medium

  * Merge from Debian.
  * glvnd-fix-a-segfault-in-eglgetprocaddess.diff: Backport a commit to
    fix a segfault. (LP: #1776499)

 -- Timo Aaltonen <email address hidden> Wed, 13 Jun 2018 12:10:21 +0300

Timo, can we also have this fix landed in focal-update?

huh, focal-updates has a much newer mesa which has that commit..

Hi Timo,

A similar crash is observed in mesa-egl and it is resolved in Mesa master branch. Please refer the bug: https://bugs.launchpad.net/mesa/+bug/1946621

Can you help backporting the fix to "Focal" series.