Message-Id: <20190709065800.2354-1-janusz.krzysztofik@linux.intel.com>
Date:   Tue,  9 Jul 2019 08:58:00 +0200
From:   Janusz Krzysztofik <janusz.krzysztofik@...ux.intel.com>
To:     Chris Wilson <chris@...is-wilson.co.uk>,
        Michał Winiarski <michal.winiarski@...el.com>
Cc:     Jani Nikula <jani.nikula@...ux.intel.com>,
        Joonas Lahtinen <joonas.lahtinen@...ux.intel.com>,
        Rodrigo Vivi <rodrigo.vivi@...el.com>,
        David Airlie <airlied@...ux.ie>,
        Daniel Vetter <daniel@...ll.ch>,
        Michał Wajdeczko <michal.wajdeczko@...el.com>,
        intel-gfx@...ts.freedesktop.org, dri-devel@...ts.freedesktop.org,
        linux-kernel@...r.kernel.org,
        Janusz Krzysztofik <janusz.krzysztofik@...ux.intel.com>
Subject: [PATCH] drm/i915: Fix reporting of size of created GEM object

Commit e163484afa8d ("drm/i915: Update size upon return from
GEM_CREATE") (re)introduced reporting of actual size of created GEM
objects, possibly rounded up on object alignment.  Unfortunately, its
implementation resulted in a possible use-after-free bug.  The bug has
been fixed by commit 929eec99f5fd ("drm/i915: Avoid use-after-free in
reporting create.size") at the cost of possibly incorrect value being
reported as actual object size.

Safely restore correct reporting by capturing actual size of created
GEM object before a reference to the object is put.

Fixes: 929eec99f5fd ("drm/i915: Avoid use-after-free in reporting create.size")
Signed-off-by: Janusz Krzysztofik <janusz.krzysztofik@...ux.intel.com>
---
 drivers/gpu/drm/i915/i915_gem.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/gpu/drm/i915/i915_gem.c b/drivers/gpu/drm/i915/i915_gem.c
index 7ade42b8ec99..16bae5870d6f 100644
--- a/drivers/gpu/drm/i915/i915_gem.c
+++ b/drivers/gpu/drm/i915/i915_gem.c
@@ -171,6 +171,7 @@ i915_gem_create(struct drm_file *file,
 	obj = i915_gem_object_create_shmem(dev_priv, size);
 	if (IS_ERR(obj))
 		return PTR_ERR(obj);
+	size = obj->base.size;
 
 	ret = drm_gem_handle_create(file, &obj->base, &handle);
 	/* drop reference from allocate - handle holds it now */
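Review bot: the added `size = obj->base.size;` right after the `IS_ERR(obj)` check carries no comment explaining why the read has to happen at this point, before the reference from allocate is dropped. The ordering is the whole fix, and a later cleanup that moves the read next to the place where the size is reported would bring back the use-after-free named in the commit message. A one-line comment above the assignment would guard against that, for example "capture the possibly rounded-up size while we still hold our reference". The assignment also reuses the requested `size` variable for the actual size, so it is worth confirming that nothing after this line still expects the caller's original value.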
-- 
2.21.0
