From: Matthew Brost <matthew.brost@intel.com>
To: "Thomas Hellström" <thomas.hellstrom@linux.intel.com>
Cc: <intel-xe@lists.freedesktop.org>,
Gustavo Sousa <gustavo.sousa@intel.com>,
Lucas De Marchi <lucas.demarchi@intel.com>,
Radhakrishna Sripada <radhakrishna.sripada@intel.com>,
Matt Roper <matthew.d.roper@intel.com>,
Rodrigo Vivi <rodrigo.vivi@intel.com>, <stable@vger.kernel.org>
Subject: Re: [PATCH] drm/xe/tracing: Fix a potential TP_printk UAF
Date: Mon, 23 Dec 2024 07:44:56 -0800 [thread overview]
Message-ID: <Z2mFePfn73Fugmrf@lstrano-desk.jf.intel.com> (raw)
In-Reply-To: <20241223134250.14345-1-thomas.hellstrom@linux.intel.com>
On Mon, Dec 23, 2024 at 02:42:50PM +0100, Thomas Hellström wrote:
> The commit
> afd2627f727b ("tracing: Check "%s" dereference via the field and not the TP_printk format")
> exposes potential UAFs in the xe_bo_move trace event.
>
> Fix those by avoiding dereferencing the
> xe_mem_type_to_name[] array at TP_printk time.
>
> Since some code refactoring has taken place, explicit backporting may
> be needed for kernels older than 6.10.
>
> Fixes: e46d3f813abd ("drm/xe/trace: Extract bo, vm, vma traces")
> Cc: Gustavo Sousa <gustavo.sousa@intel.com>
> Cc: Lucas De Marchi <lucas.demarchi@intel.com>
> Cc: Radhakrishna Sripada <radhakrishna.sripada@intel.com>
> Cc: Matt Roper <matthew.d.roper@intel.com>
> Cc: "Thomas Hellström" <thomas.hellstrom@linux.intel.com>
> Cc: Rodrigo Vivi <rodrigo.vivi@intel.com>
> Cc: intel-xe@lists.freedesktop.org
> Cc: <stable@vger.kernel.org> # v6.11+
> Signed-off-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>
> ---
> drivers/gpu/drm/xe/xe_trace_bo.h | 12 ++++++------
> 1 file changed, 6 insertions(+), 6 deletions(-)
>
> diff --git a/drivers/gpu/drm/xe/xe_trace_bo.h b/drivers/gpu/drm/xe/xe_trace_bo.h
> index 1762dd30ba6d..ea50fee50c7d 100644
> --- a/drivers/gpu/drm/xe/xe_trace_bo.h
> +++ b/drivers/gpu/drm/xe/xe_trace_bo.h
> @@ -60,8 +60,8 @@ TRACE_EVENT(xe_bo_move,
> TP_STRUCT__entry(
> __field(struct xe_bo *, bo)
> __field(size_t, size)
> - __field(u32, new_placement)
> - __field(u32, old_placement)
> + __string(new_placement_name, xe_mem_type_to_name[new_placement])
> + __string(old_placement_name, xe_mem_type_to_name[old_placement])
> __string(device_id, __dev_name_bo(bo))
> __field(bool, move_lacks_source)
> ),
> @@ -69,15 +69,15 @@ TRACE_EVENT(xe_bo_move,
> TP_fast_assign(
> __entry->bo = bo;
> __entry->size = bo->size;
> - __entry->new_placement = new_placement;
> - __entry->old_placement = old_placement;
> + __assign_str(new_placement_name);
> + __assign_str(old_placement_name);
> __assign_str(device_id);
> __entry->move_lacks_source = move_lacks_source;
> ),
> TP_printk("move_lacks_source:%s, migrate object %p [size %zu] from %s to %s device_id:%s",
> __entry->move_lacks_source ? "yes" : "no", __entry->bo, __entry->size,
> - xe_mem_type_to_name[__entry->old_placement],
> - xe_mem_type_to_name[__entry->new_placement], __get_str(device_id))
So is this the UAF? i.e., The Xe module unloads and xe_mem_type_to_name
is gone?
I noticed that xe_mem_type_to_name is not static, it likely should be.
Would that help here?
Matt
> + __get_str(old_placement_name),
> + __get_str(new_placement_name), __get_str(device_id))
> );
>
> DECLARE_EVENT_CLASS(xe_vma,
> --
> 2.47.1
>
next prev parent reply other threads:[~2024-12-23 15:44 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-12-23 13:42 [PATCH] drm/xe/tracing: Fix a potential TP_printk UAF Thomas Hellström
2024-12-23 15:44 ` Matthew Brost [this message]
2024-12-23 16:33 ` Thomas Hellström
2025-01-01 13:25 ` Lucas De Marchi
2024-12-23 15:44 ` Cavitt, Jonathan
2024-12-23 15:56 ` Thomas Hellström
2024-12-23 17:04 ` Cavitt, Jonathan
2024-12-23 17:13 ` Thomas Hellström
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Z2mFePfn73Fugmrf@lstrano-desk.jf.intel.com \
--to=matthew.brost@intel.com \
--cc=gustavo.sousa@intel.com \
--cc=intel-xe@lists.freedesktop.org \
--cc=lucas.demarchi@intel.com \
--cc=matthew.d.roper@intel.com \
--cc=radhakrishna.sripada@intel.com \
--cc=rodrigo.vivi@intel.com \
--cc=stable@vger.kernel.org \
--cc=thomas.hellstrom@linux.intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox