From: "Wang, Zhi A" <zhi.a.wang@intel.com>
To: Zheng Wang <zyytlz.wz@163.com>
Cc: "alex000young@gmail.com" <alex000young@gmail.com>,
"security@kernel.org" <security@kernel.org>,
"intel-gvt-dev@lists.freedesktop.org"
<intel-gvt-dev@lists.freedesktop.org>,
"airlied@linux.ie" <airlied@linux.ie>,
"gregkh@linuxfoundation.org" <gregkh@linuxfoundation.org>,
"intel-gfx@lists.freedesktop.org"
<intel-gfx@lists.freedesktop.org>,
"hackerzheng666@gmail.com" <hackerzheng666@gmail.com>,
"dri-devel@lists.freedesktop.org"
<dri-devel@lists.freedesktop.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"1002992920@qq.com" <1002992920@qq.com>,
"airlied@gmail.com" <airlied@gmail.com>
Subject: Re: [Intel-gfx] [PATCH v3] drm/i915/gvt: fix double free bug in split_2MB_gtt_entry
Date: Mon, 19 Dec 2022 08:22:01 +0000
Message-ID: <11728bc1-7b59-1623-b517-d1a0d57eb275@intel.com>
In-Reply-To: <20221219075700.220058-1-zyytlz.wz@163.com>
On 12/19/2022 9:57 AM, Zheng Wang wrote:
> Hi Zhi,
>
> Thanks again for your reply and clear explanation about the function.
> I still have some doubt about the fix. Here is an invoke chain:
>     ppgtt_populate_spt
>     ->ppgtt_populate_shadow_entry
>     ->split_2MB_gtt_entry
> As far as I'm concerned, when some error happens in DMA mapping,
> which will make intel_gvt_dma_map_guest_page return a non-zero code,
> it will invoke ppgtt_invalidate_spt and call ppgtt_free_spt, which will
> finally free spt by kfree. But the caller doesn't notice that and frees
> spt by calling ppgtt_free_spt again. This is a typical UAF/Double Free
> vulnerability. So I think the key point is about how to handle spt properly.
> The handling of the newly allocated spt (aka sub_spt) is not the root cause of this
> issue. Could you please give me more advice about how to fix this security
> bug? Besides, I'm not sure if there are more similar problems in other locations.
>
> Best regards,
> Zheng Wang
>
I think it is a case-by-case thing. For example:
The current scenario in this function looks like below:
    caller pass spt a
    function
        alloc spt b
        something error
        free spt a
        return error
The problem is: the function wrongly frees the spt a instead of freeing what
it allocates.
A proper fix should be:
    caller pass spt a
    function
        alloc spt b
        something error
        *free spt b*
        return error
Thanks,
Zhi.
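The ownership mistake described in the thread, as an added example that is not code from the i915/gvt driver or from either participant: a constructed model of a split function that on error frees the caller's spt a instead of its own spt b, beside the fixed shape, with a recording free_spt() so the resulting double free and leak are counted rather than crashing. The spt struct, the static pool and map_guest_page() are stand-ins, not driver APIs.

```c
/* Constructed stand-in for a shadow page table (spt); only ownership matters. */
struct spt { int id; int freed; struct spt *child; };

static struct spt pool[8];   /* static pool so freed objects stay observable */
static int npool, g_double_frees, g_leaks;

static struct spt *alloc_spt(int id)
{
    struct spt *s = &pool[npool++];
    s->id = id; s->freed = 0; s->child = 0;
    return s;
}

/* Counts a second free of the same object instead of corrupting the heap. */
static void free_spt(struct spt *s)
{
    if (s->freed++ > 0) g_double_frees++;
}

/* "something error" in the thread: stands in for a failed DMA mapping. */
static int map_guest_page(int fail) { return fail ? -1 : 0; }

/* Buggy shape: on error, frees the caller's spt a instead of its own spt b. */
static int split_buggy(struct spt *a, int fail)
{
    struct spt *b = alloc_spt(a->id + 1);
    if (map_guest_page(fail)) {
        free_spt(a);   /* wrong owner: a belongs to the caller */
        return -1;     /* and b is never released */
    }
    a->child = b;
    return 0;
}

/* Fixed shape: on error, undo only what this function allocated. */
static int split_fixed(struct spt *a, int fail)
{
    struct spt *b = alloc_spt(a->id + 1);
    if (map_guest_page(fail)) { free_spt(b); return -1; }
    a->child = b;
    return 0;
}

/* Caller pattern from the thread: it owns a and frees it when the split
 * fails. Returns the double frees seen; g_leaks counts objects left unfreed. */
static int run_caller(int (*split)(struct spt *, int))
{
    npool = g_double_frees = g_leaks = 0;
    struct spt *a = alloc_spt(1);
    if (split(a, 1) < 0) free_spt(a);
    for (int i = 0; i < npool; i++) g_leaks += (pool[i].freed == 0);
    return g_double_frees;
}
```

With the buggy shape the caller's second free_spt(a) is the double free and b is the leak; with the fixed shape neither occurs.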