From: "Thomas Hellström" <thomas.hellstrom@linux.intel.com>
To: Francois Dugast <francois.dugast@intel.com>
Cc: Daniel Vetter <daniel@ffwll.ch>,
dri-devel@lists.freedesktop.org,
Maxime Ripard <mripard@kernel.org>,
stable@vger.kernel.org, Thomas Zimmermann <tzimmermann@suse.de>,
David Airlie <airlied@gmail.com>,
intel-xe@lists.freedesktop.org
Subject: Re: [Intel-xe] [PATCH v3 1/2] drm/tests: helpers: Avoid a driver uaf
Date: Mon, 11 Sep 2023 15:04:34 +0200 [thread overview]
Message-ID: <aeaab7f9-547f-96ff-a17b-8507c5730b09@linux.intel.com> (raw)
In-Reply-To: <ZP8KuXoyS8RbRWws@fdugast-desk.home>
On 9/11/23 14:40, Francois Dugast wrote:
> On Thu, Sep 07, 2023 at 03:53:38PM +0200, Thomas Hellström wrote:
>> when using __drm_kunit_helper_alloc_drm_device() the driver may be
>> dereferenced by device-managed resources up until the device is
>> freed, which is typically later than the kunit-managed resource code
>> frees it. Fix this by simply make the driver device-managed as well.
>>
>> In short, the sequence leading to the UAF is as follows:
>>
>> INIT:
>> Code allocates a struct device as a kunit-managed resource.
>> Code allocates a drm driver as a kunit-managed resource.
>> Code allocates a drm device as a device-managed resource.
>>
>> EXIT:
>> Kunit resource cleanup frees the drm driver
>> Kunit resource cleanup puts the struct device, which starts a
>> device-managed resource cleanup
>> device-managed cleanup calls drm_dev_put()
>> drm_dev_put() dereferences the (now freed) drm driver -> Boom.
>>
>> Related KASAN message:
>> [55272.551542] ==================================================================
>> [55272.551551] BUG: KASAN: slab-use-after-free in drm_dev_put.part.0+0xd4/0xe0 [drm]
>> [55272.551603] Read of size 8 at addr ffff888127502828 by task kunit_try_catch/10353
>>
>> [55272.551612] CPU: 4 PID: 10353 Comm: kunit_try_catch Tainted: G U N 6.5.0-rc7+ #155
>> [55272.551620] Hardware name: ASUS System Product Name/PRIME B560M-A AC, BIOS 0403 01/26/2021
>> [55272.551626] Call Trace:
>> [55272.551629] <TASK>
>> [55272.551633] dump_stack_lvl+0x57/0x90
>> [55272.551639] print_report+0xcf/0x630
>> [55272.551645] ? _raw_spin_lock_irqsave+0x5f/0x70
>> [55272.551652] ? drm_dev_put.part.0+0xd4/0xe0 [drm]
>> [55272.551694] kasan_report+0xd7/0x110
>> [55272.551699] ? drm_dev_put.part.0+0xd4/0xe0 [drm]
>> [55272.551742] drm_dev_put.part.0+0xd4/0xe0 [drm]
>> [55272.551783] devres_release_all+0x15d/0x1f0
>> [55272.551790] ? __pfx_devres_release_all+0x10/0x10
>> [55272.551797] device_unbind_cleanup+0x16/0x1a0
>> [55272.551802] device_release_driver_internal+0x3e5/0x540
>> [55272.551808] ? kobject_put+0x5d/0x4b0
>> [55272.551814] bus_remove_device+0x1f1/0x3f0
>> [55272.551819] device_del+0x342/0x910
>> [55272.551826] ? __pfx_device_del+0x10/0x10
>> [55272.551830] ? lock_release+0x339/0x5e0
>> [55272.551836] ? kunit_remove_resource+0x128/0x290 [kunit]
>> [55272.551845] ? __pfx_lock_release+0x10/0x10
>> [55272.551851] platform_device_del.part.0+0x1f/0x1e0
>> [55272.551856] ? _raw_spin_unlock_irqrestore+0x30/0x60
>> [55272.551863] kunit_remove_resource+0x195/0x290 [kunit]
>> [55272.551871] ? _raw_spin_unlock_irqrestore+0x30/0x60
>> [55272.551877] kunit_cleanup+0x78/0x120 [kunit]
>> [55272.551885] ? __kthread_parkme+0xc1/0x1f0
>> [55272.551891] ? __pfx_kunit_try_run_case_cleanup+0x10/0x10 [kunit]
>> [55272.551900] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [kunit]
>> [55272.551909] kunit_generic_run_threadfn_adapter+0x4a/0x90 [kunit]
>> [55272.551919] kthread+0x2e7/0x3c0
>> [55272.551924] ? __pfx_kthread+0x10/0x10
>> [55272.551929] ret_from_fork+0x2d/0x70
>> [55272.551935] ? __pfx_kthread+0x10/0x10
>> [55272.551940] ret_from_fork_asm+0x1b/0x30
>> [55272.551948] </TASK>
>>
>> [55272.551953] Allocated by task 10351:
>> [55272.551956] kasan_save_stack+0x1c/0x40
>> [55272.551962] kasan_set_track+0x21/0x30
>> [55272.551966] __kasan_kmalloc+0x8b/0x90
>> [55272.551970] __kmalloc+0x5e/0x160
>> [55272.551976] kunit_kmalloc_array+0x1c/0x50 [kunit]
>> [55272.551984] drm_exec_test_init+0xfa/0x2c0 [drm_exec_test]
>> [55272.551991] kunit_try_run_case+0xdd/0x250 [kunit]
>> [55272.551999] kunit_generic_run_threadfn_adapter+0x4a/0x90 [kunit]
>> [55272.552008] kthread+0x2e7/0x3c0
>> [55272.552012] ret_from_fork+0x2d/0x70
>> [55272.552017] ret_from_fork_asm+0x1b/0x30
>>
>> [55272.552024] Freed by task 10353:
>> [55272.552027] kasan_save_stack+0x1c/0x40
>> [55272.552032] kasan_set_track+0x21/0x30
>> [55272.552036] kasan_save_free_info+0x27/0x40
>> [55272.552041] __kasan_slab_free+0x106/0x180
>> [55272.552046] slab_free_freelist_hook+0xb3/0x160
>> [55272.552051] __kmem_cache_free+0xb2/0x290
>> [55272.552056] kunit_remove_resource+0x195/0x290 [kunit]
>> [55272.552064] kunit_cleanup+0x78/0x120 [kunit]
>> [55272.552072] kunit_generic_run_threadfn_adapter+0x4a/0x90 [kunit]
>> [55272.552080] kthread+0x2e7/0x3c0
>> [55272.552085] ret_from_fork+0x2d/0x70
>> [55272.552089] ret_from_fork_asm+0x1b/0x30
>>
>> [55272.552096] The buggy address belongs to the object at ffff888127502800
>> which belongs to the cache kmalloc-512 of size 512
>> [55272.552105] The buggy address is located 40 bytes inside of
>> freed 512-byte region [ffff888127502800, ffff888127502a00)
>>
>> [55272.552115] The buggy address belongs to the physical page:
>> [55272.552119] page:00000000af6c70ff refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x127500
>> [55272.552127] head:00000000af6c70ff order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
>> [55272.552133] anon flags: 0x17ffffc0010200(slab|head|node=0|zone=2|lastcpupid=0x1fffff)
>> [55272.552141] page_type: 0xffffffff()
>> [55272.552145] raw: 0017ffffc0010200 ffff888100042c80 0000000000000000 dead000000000001
>> [55272.552152] raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000
>> [55272.552157] page dumped because: kasan: bad access detected
>>
>> [55272.552163] Memory state around the buggy address:
>> [55272.552167] ffff888127502700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>> [55272.552173] ffff888127502780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>> [55272.552178] >ffff888127502800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>> [55272.552184] ^
>> [55272.552187] ffff888127502880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>> [55272.552193] ffff888127502900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>> [55272.552198] ==================================================================
>> [55272.552203] Disabling lock debugging due to kernel taint
>>
>> v2:
>> - Update commit message, add Fixes: tag and Cc stable.
>> v3:
>> - Further commit message updates (Maxime Ripard).
>>
>> Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
>> Cc: Maxime Ripard <mripard@kernel.org>
>> Cc: Thomas Zimmermann <tzimmermann@suse.de>
>> Cc: David Airlie <airlied@gmail.com>
>> Cc: Daniel Vetter <daniel@ffwll.ch>
>> Cc: dri-devel@lists.freedesktop.org
>> Cc: <stable@vger.kernel.org> # v6.3+
>> Fixes: d98780310719 ("drm/tests: helpers: Allow to pass a custom drm_driver")
>> Signed-off-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>
> Reviewed-by: Francois Dugast <francois.dugast@intel.com>
Thanks for the R-B, Francois.
/Thomas
next prev parent reply other threads:[~2023-09-11 13:04 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-09-07 13:53 [Intel-xe] [PATCH v3 0/2] drm/tests: Fix for UAF and a test for drm_exec lock alloc tracking warning Thomas Hellström
2023-09-07 13:53 ` [Intel-xe] [PATCH v3 1/2] drm/tests: helpers: Avoid a driver uaf Thomas Hellström
2023-09-07 14:50 ` Maxime Ripard
2023-09-11 12:40 ` Francois Dugast
2023-09-11 13:04 ` Thomas Hellström [this message]
2023-09-14 11:59 ` [Intel-xe] (subset) " Maxime Ripard
2023-09-07 13:53 ` [Intel-xe] [PATCH v3 2/2] drm/tests/drm_exec: Add a test for object freeing within drm_exec_fini() Thomas Hellström
2023-09-07 14:52 ` Maxime Ripard
2023-09-07 14:37 ` [Intel-xe] [PATCH v3 0/2] drm/tests: Fix for UAF and a test for drm_exec lock alloc tracking warning Christian König
2023-09-07 14:47 ` Thomas Hellström
2023-09-07 14:49 ` Christian König
2023-09-08 7:37 ` Thomas Hellström
2023-09-08 8:52 ` Christian König
2023-09-08 9:04 ` Thomas Hellström
2023-09-08 9:14 ` Christian König
2023-09-08 11:13 ` Thomas Hellström
2023-09-08 14:31 ` Thomas Hellström
2023-09-07 23:49 ` [Intel-xe] ✓ CI.Patch_applied: success for " Patchwork
2023-09-07 23:49 ` [Intel-xe] ✗ CI.checkpatch: warning " Patchwork
2023-09-07 23:50 ` [Intel-xe] ✓ CI.KUnit: success " Patchwork
2023-09-07 23:57 ` [Intel-xe] ✓ CI.Build: " Patchwork
2023-09-07 23:57 ` [Intel-xe] ✓ CI.Hooks: " Patchwork
2023-09-07 23:59 ` [Intel-xe] ✓ CI.checksparse: " Patchwork
2023-09-08 0:30 ` [Intel-xe] ✓ CI.BAT: " Patchwork
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aeaab7f9-547f-96ff-a17b-8507c5730b09@linux.intel.com \
--to=thomas.hellstrom@linux.intel.com \
--cc=airlied@gmail.com \
--cc=daniel@ffwll.ch \
--cc=dri-devel@lists.freedesktop.org \
--cc=francois.dugast@intel.com \
--cc=intel-xe@lists.freedesktop.org \
--cc=mripard@kernel.org \
--cc=stable@vger.kernel.org \
--cc=tzimmermann@suse.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox