Message-Id: <20210511163453.2343304-1-kherbst@redhat.com>
Date:   Tue, 11 May 2021 18:34:53 +0200
From:   Karol Herbst <kherbst@...hat.com>
To:     linux-kernel@...r.kernel.org
Cc:     Karol Herbst <kherbst@...hat.com>,
        Thierry Reding <treding@...dia.com>
Subject: [PATCH] nouveau/gem: fix use-after-free in nouveau_gem_new

If ttm_bo_init fails it will already call ttm_bo_put, so we don't have to
do it through nouveau_bo_ref.

==================================================================
BUG: KFENCE: use-after-free write in ttm_bo_put+0x11/0x40 [ttm]

Use-after-free write at 0x000000004dc4663c (in kfence-#44):
 ttm_bo_put+0x11/0x40 [ttm]
 nouveau_gem_new+0xc1/0xf0 [nouveau]
 nouveau_gem_ioctl_new+0x53/0xf0 [nouveau]
 drm_ioctl_kernel+0xb2/0x100 [drm]
 drm_ioctl+0x215/0x390 [drm]
 nouveau_drm_ioctl+0x55/0xa0 [nouveau]
 __x64_sys_ioctl+0x83/0xb0
 do_syscall_64+0x33/0x40
 entry_SYSCALL_64_after_hwframe+0x44/0xae

kfence-#44 [0x00000000c0593b31-0x000000002e74122b, size=792, cache=kmalloc-1k] allocated by task 2657:
 nouveau_bo_alloc+0x63/0x4c0 [nouveau]
 nouveau_gem_new+0x38/0xf0 [nouveau]
 nouveau_gem_ioctl_new+0x53/0xf0 [nouveau]
 drm_ioctl_kernel+0xb2/0x100 [drm]
 drm_ioctl+0x215/0x390 [drm]
 nouveau_drm_ioctl+0x55/0xa0 [nouveau]
 __x64_sys_ioctl+0x83/0xb0
 do_syscall_64+0x33/0x40
 entry_SYSCALL_64_after_hwframe+0x44/0xae

freed by task 2657:
 ttm_bo_release+0x1cc/0x300 [ttm]
 ttm_bo_init_reserved+0x2ec/0x300 [ttm]
 ttm_bo_init+0x5e/0xd0 [ttm]
 nouveau_bo_init+0xaf/0xc0 [nouveau]
 nouveau_gem_new+0x7f/0xf0 [nouveau]
 nouveau_gem_ioctl_new+0x53/0xf0 [nouveau]
 drm_ioctl_kernel+0xb2/0x100 [drm]
 drm_ioctl+0x215/0x390 [drm]
 nouveau_drm_ioctl+0x55/0xa0 [nouveau]
 __x64_sys_ioctl+0x83/0xb0
 do_syscall_64+0x33/0x40
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Fixes: 019cbd4a4feb3 "drm/nouveau: Initialize GEM object before TTM object"
Cc: Thierry Reding <treding@...dia.com>
Signed-off-by: Karol Herbst <kherbst@...hat.com>
---
 drivers/gpu/drm/nouveau/nouveau_gem.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/drivers/gpu/drm/nouveau/nouveau_gem.c b/drivers/gpu/drm/nouveau/nouveau_gem.c
index c88cbb85f101..1165ff990fb5 100644
--- a/drivers/gpu/drm/nouveau/nouveau_gem.c
+++ b/drivers/gpu/drm/nouveau/nouveau_gem.c
@@ -212,7 +212,6 @@ nouveau_gem_new(struct nouveau_cli *cli, u64 size, int align, uint32_t domain,
 
 	ret = nouveau_bo_init(nvbo, size, align, domain, NULL, NULL);
 	if (ret) {
-		nouveau_bo_ref(NULL, &nvbo);
 		return ret;
 	}
 
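Review bot: After this hunk the error path silently depends on ttm_bo_init() having already dropped the last reference on failure (ttm_bo_init_reserved() -> ttm_bo_release() in the "freed by" trace above), so a short comment at the `if (ret)` site, e.g. `/* ttm_bo_init() already released nvbo on failure */`, would keep a future reader from reintroducing the `nouveau_bo_ref(NULL, &nvbo);` put that caused the double free. It is also worth stating in the changelog that the TTM release path invoked on this failure also tears down the GEM object which, per the Fixes: commit, is now initialized before the TTM object, since nothing else in this error path touches it. Finally, with only `return ret;` left in the block, the braces around it are no longer needed under kernel coding style and checkpatch will warn about them.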
-- 
2.31.1
