From b416152cb95949ca372a2b2fbe0f3fd37722f2bc Mon Sep 17 00:00:00 2001 From: Jeroen Bakker Date: Tue, 3 Jun 2025 08:37:48 +0200 Subject: [PATCH] Vulkan: Only load layers that we trust This PR changes loading of implicit vulkan layers. See #139543 where we detected that there are vulkan layers installed on systems that try to impersonate other software, but crashes when used in Blender. --- source/blender/gpu/vulkan/vk_backend.cc | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/source/blender/gpu/vulkan/vk_backend.cc b/source/blender/gpu/vulkan/vk_backend.cc index f0c958c7162..76ed9cd2062 100644 --- a/source/blender/gpu/vulkan/vk_backend.cc +++ b/source/blender/gpu/vulkan/vk_backend.cc @@ -10,6 +10,7 @@ #include "GHOST_C-api.h" +#include "BLI_path_utils.hh" #include "BLI_threads.h" #include "CLG_log.h" @@ -166,6 +167,25 @@ bool VKBackend::is_supported() { CLG_logref_init(&LOG); + /* + * Disable implicit layers and only allow layers that we trust. + * + * Render doc layer is hidden behind a debug flag. There are malicious layers that impersonate + * renderdoc and can crash when loaded. See #139543 + */ + std::stringstream allowed_layers; + allowed_layers << "VK_LAYER_KHRONOS_*"; + allowed_layers << ",VK_LAYER_AMD_*"; + allowed_layers << ",VK_LAYER_INTEL_*"; + allowed_layers << ",VK_LAYER_NVIDIA_*"; + allowed_layers << ",VK_LAYER_MESA_*"; + if (bool(G.debug & G_DEBUG_GPU)) { + allowed_layers << ",VK_LAYER_LUNARG_*"; + allowed_layers << ",VK_LAYER_RENDERDOC_*"; + } + BLI_setenv("VK_LOADER_LAYERS_DISABLE", "~implicit~"); + BLI_setenv("VK_LOADER_LAYERS_ALLOW", allowed_layers.str().c_str()); + /* Initialize an vulkan 1.2 instance. */ VkApplicationInfo vk_application_info = {VK_STRUCTURE_TYPE_APPLICATION_INFO}; vk_application_info.pApplicationName = "Blender";