From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from gabe.freedesktop.org (gabe.freedesktop.org [131.252.210.177]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 7261DEE7FF4 for ; Mon, 11 Sep 2023 13:04:42 +0000 (UTC) Received: from gabe.freedesktop.org (localhost [127.0.0.1]) by gabe.freedesktop.org (Postfix) with ESMTP id 26E5D10E2EA; Mon, 11 Sep 2023 13:04:42 +0000 (UTC) Received: from mgamail.intel.com (mgamail.intel.com [134.134.136.65]) by gabe.freedesktop.org (Postfix) with ESMTPS id 21C8110E2E6; Mon, 11 Sep 2023 13:04:40 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1694437480; x=1725973480; h=message-id:date:mime-version:subject:to:cc:references: from:in-reply-to:content-transfer-encoding; bh=N7RyjFY4JXr/KsKqEpCS2+CEYb9OMS1/yINXoHbeiKA=; b=jRxBzwC9oEZCXVNzEa5O0tH+e6fNsF9jRcDSh3KsmOnkroCf0JE/tZk6 TVG6HXooymy9kQs0LGMl34zHft5PSg8fcse76HLPN+d6h2TACLm5zfbV9 aChItYxrNvhQyQB2wiRuxi7so5dxMQ0d2+Q01oaVCxDFo8B16p86bsAzM BQhIrc9O99MGFsnLLU7S90YZyfmR3qkNJNcAMhXkc8rvmGKRGeLdypV9/ gX5n233kyQPWTSaH+B1MBUGtlzb7xL5SOD6HSM0a2I+LGrxtoelh/I8tP PiHuSQj0oJAK/XJg+rjBnNOfQd0d0D8ikZPnohx7KlY4Gng3TOvVJCmam g==; X-IronPort-AV: E=McAfee;i="6600,9927,10830"; a="381879253" X-IronPort-AV: E=Sophos;i="6.02,244,1688454000"; d="scan'208";a="381879253" Received: from orsmga004.jf.intel.com ([10.7.209.38]) by orsmga103.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 11 Sep 2023 06:04:39 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=McAfee;i="6600,9927,10830"; a="866933657" X-IronPort-AV: E=Sophos;i="6.02,244,1688454000"; d="scan'208";a="866933657" Received: from lbinmo2x-mobl1.gar.corp.intel.com (HELO [10.249.254.187]) ([10.249.254.187]) by orsmga004-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 11 Sep 2023 06:04:37 -0700 Message-ID: Date: Mon, 11 Sep 2023 15:04:34 +0200 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.13.0 Content-Language: en-US To: Francois Dugast References: <20230907135339.7971-1-thomas.hellstrom@linux.intel.com> <20230907135339.7971-2-thomas.hellstrom@linux.intel.com> From: =?UTF-8?Q?Thomas_Hellstr=c3=b6m?= In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit Subject: Re: [Intel-xe] [PATCH v3 1/2] drm/tests: helpers: Avoid a driver uaf X-BeenThere: intel-xe@lists.freedesktop.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Intel Xe graphics driver List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Daniel Vetter , dri-devel@lists.freedesktop.org, Maxime Ripard , stable@vger.kernel.org, Thomas Zimmermann , David Airlie , intel-xe@lists.freedesktop.org Errors-To: intel-xe-bounces@lists.freedesktop.org Sender: "Intel-xe" On 9/11/23 14:40, Francois Dugast wrote: > On Thu, Sep 07, 2023 at 03:53:38PM +0200, Thomas Hellström wrote: >> when using __drm_kunit_helper_alloc_drm_device() the driver may be >> dereferenced by device-managed resources up until the device is >> freed, which is typically later than the kunit-managed resource code >> frees it. Fix this by simply make the driver device-managed as well. >> >> In short, the sequence leading to the UAF is as follows: >> >> INIT: >> Code allocates a struct device as a kunit-managed resource. >> Code allocates a drm driver as a kunit-managed resource. >> Code allocates a drm device as a device-managed resource. >> >> EXIT: >> Kunit resource cleanup frees the drm driver >> Kunit resource cleanup puts the struct device, which starts a >> device-managed resource cleanup >> device-managed cleanup calls drm_dev_put() >> drm_dev_put() dereferences the (now freed) drm driver -> Boom. >> >> Related KASAN message: >> [55272.551542] ================================================================== >> [55272.551551] BUG: KASAN: slab-use-after-free in drm_dev_put.part.0+0xd4/0xe0 [drm] >> [55272.551603] Read of size 8 at addr ffff888127502828 by task kunit_try_catch/10353 >> >> [55272.551612] CPU: 4 PID: 10353 Comm: kunit_try_catch Tainted: G U N 6.5.0-rc7+ #155 >> [55272.551620] Hardware name: ASUS System Product Name/PRIME B560M-A AC, BIOS 0403 01/26/2021 >> [55272.551626] Call Trace: >> [55272.551629] >> [55272.551633] dump_stack_lvl+0x57/0x90 >> [55272.551639] print_report+0xcf/0x630 >> [55272.551645] ? _raw_spin_lock_irqsave+0x5f/0x70 >> [55272.551652] ? drm_dev_put.part.0+0xd4/0xe0 [drm] >> [55272.551694] kasan_report+0xd7/0x110 >> [55272.551699] ? drm_dev_put.part.0+0xd4/0xe0 [drm] >> [55272.551742] drm_dev_put.part.0+0xd4/0xe0 [drm] >> [55272.551783] devres_release_all+0x15d/0x1f0 >> [55272.551790] ? __pfx_devres_release_all+0x10/0x10 >> [55272.551797] device_unbind_cleanup+0x16/0x1a0 >> [55272.551802] device_release_driver_internal+0x3e5/0x540 >> [55272.551808] ? kobject_put+0x5d/0x4b0 >> [55272.551814] bus_remove_device+0x1f1/0x3f0 >> [55272.551819] device_del+0x342/0x910 >> [55272.551826] ? __pfx_device_del+0x10/0x10 >> [55272.551830] ? lock_release+0x339/0x5e0 >> [55272.551836] ? kunit_remove_resource+0x128/0x290 [kunit] >> [55272.551845] ? __pfx_lock_release+0x10/0x10 >> [55272.551851] platform_device_del.part.0+0x1f/0x1e0 >> [55272.551856] ? _raw_spin_unlock_irqrestore+0x30/0x60 >> [55272.551863] kunit_remove_resource+0x195/0x290 [kunit] >> [55272.551871] ? _raw_spin_unlock_irqrestore+0x30/0x60 >> [55272.551877] kunit_cleanup+0x78/0x120 [kunit] >> [55272.551885] ? __kthread_parkme+0xc1/0x1f0 >> [55272.551891] ? __pfx_kunit_try_run_case_cleanup+0x10/0x10 [kunit] >> [55272.551900] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [kunit] >> [55272.551909] kunit_generic_run_threadfn_adapter+0x4a/0x90 [kunit] >> [55272.551919] kthread+0x2e7/0x3c0 >> [55272.551924] ? __pfx_kthread+0x10/0x10 >> [55272.551929] ret_from_fork+0x2d/0x70 >> [55272.551935] ? __pfx_kthread+0x10/0x10 >> [55272.551940] ret_from_fork_asm+0x1b/0x30 >> [55272.551948] >> >> [55272.551953] Allocated by task 10351: >> [55272.551956] kasan_save_stack+0x1c/0x40 >> [55272.551962] kasan_set_track+0x21/0x30 >> [55272.551966] __kasan_kmalloc+0x8b/0x90 >> [55272.551970] __kmalloc+0x5e/0x160 >> [55272.551976] kunit_kmalloc_array+0x1c/0x50 [kunit] >> [55272.551984] drm_exec_test_init+0xfa/0x2c0 [drm_exec_test] >> [55272.551991] kunit_try_run_case+0xdd/0x250 [kunit] >> [55272.551999] kunit_generic_run_threadfn_adapter+0x4a/0x90 [kunit] >> [55272.552008] kthread+0x2e7/0x3c0 >> [55272.552012] ret_from_fork+0x2d/0x70 >> [55272.552017] ret_from_fork_asm+0x1b/0x30 >> >> [55272.552024] Freed by task 10353: >> [55272.552027] kasan_save_stack+0x1c/0x40 >> [55272.552032] kasan_set_track+0x21/0x30 >> [55272.552036] kasan_save_free_info+0x27/0x40 >> [55272.552041] __kasan_slab_free+0x106/0x180 >> [55272.552046] slab_free_freelist_hook+0xb3/0x160 >> [55272.552051] __kmem_cache_free+0xb2/0x290 >> [55272.552056] kunit_remove_resource+0x195/0x290 [kunit] >> [55272.552064] kunit_cleanup+0x78/0x120 [kunit] >> [55272.552072] kunit_generic_run_threadfn_adapter+0x4a/0x90 [kunit] >> [55272.552080] kthread+0x2e7/0x3c0 >> [55272.552085] ret_from_fork+0x2d/0x70 >> [55272.552089] ret_from_fork_asm+0x1b/0x30 >> >> [55272.552096] The buggy address belongs to the object at ffff888127502800 >> which belongs to the cache kmalloc-512 of size 512 >> [55272.552105] The buggy address is located 40 bytes inside of >> freed 512-byte region [ffff888127502800, ffff888127502a00) >> >> [55272.552115] The buggy address belongs to the physical page: >> [55272.552119] page:00000000af6c70ff refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x127500 >> [55272.552127] head:00000000af6c70ff order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0 >> [55272.552133] anon flags: 0x17ffffc0010200(slab|head|node=0|zone=2|lastcpupid=0x1fffff) >> [55272.552141] page_type: 0xffffffff() >> [55272.552145] raw: 0017ffffc0010200 ffff888100042c80 0000000000000000 dead000000000001 >> [55272.552152] raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000 >> [55272.552157] page dumped because: kasan: bad access detected >> >> [55272.552163] Memory state around the buggy address: >> [55272.552167] ffff888127502700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >> [55272.552173] ffff888127502780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >> [55272.552178] >ffff888127502800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >> [55272.552184] ^ >> [55272.552187] ffff888127502880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >> [55272.552193] ffff888127502900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >> [55272.552198] ================================================================== >> [55272.552203] Disabling lock debugging due to kernel taint >> >> v2: >> - Update commit message, add Fixes: tag and Cc stable. >> v3: >> - Further commit message updates (Maxime Ripard). >> >> Cc: Maarten Lankhorst >> Cc: Maxime Ripard >> Cc: Thomas Zimmermann >> Cc: David Airlie >> Cc: Daniel Vetter >> Cc: dri-devel@lists.freedesktop.org >> Cc: # v6.3+ >> Fixes: d98780310719 ("drm/tests: helpers: Allow to pass a custom drm_driver") >> Signed-off-by: Thomas Hellström > Reviewed-by: Francois Dugast Thanks for the R-B, Francois. /Thomas