lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <7bd0d514-efc6-8118-0b28-dfa0bcf5d842@gmail.com>
Date:   Tue, 15 Jun 2021 10:15:29 +0800
From:   Desmond Cheong Zhi Xi <desmondcheongzx@...il.com>
To:     Emil Velikov <emil.l.velikov@...il.com>
Cc:     Maarten Lankhorst <maarten.lankhorst@...ux.intel.com>,
        Maxime Ripard <mripard@...nel.org>,
        Thomas Zimmermann <tzimmermann@...e.de>,
        Dave Airlie <airlied@...ux.ie>,
        Daniel Vetter <daniel@...ll.ch>,
        Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        "Linux-Kernel@...r. Kernel. Org" <linux-kernel@...r.kernel.org>,
        ML dri-devel <dri-devel@...ts.freedesktop.org>,
        Daniel Vetter <daniel.vetter@...ll.ch>,
        skhan@...uxfoundation.org,
        linux-kernel-mentees@...ts.linuxfoundation.org
Subject: Re: [PATCH 2/2] drm: Protect drm_master pointers in drm_lease.c

On 15/6/21 3:41 am, Emil Velikov wrote:
> On Sat, 12 Jun 2021 at 13:55, Desmond Cheong Zhi Xi
> <desmondcheongzx@...il.com> wrote:
>>
>> This patch ensures that the device's master mutex is acquired before
>> accessing pointers to struct drm_master that are subsequently
>> dereferenced. Without the mutex, the struct drm_master may be freed
>> concurrently by another process calling drm_setmaster_ioctl(). This
>> could then lead to use-after-free errors.
>>
>> Reported-by: Daniel Vetter <daniel.vetter@...ll.ch>
>> Signed-off-by: Desmond Cheong Zhi Xi <desmondcheongzx@...il.com>
>> ---
> 
> <snip>
> 
>> @@ -578,6 +594,7 @@ int drm_mode_create_lease_ioctl(struct drm_device *dev,
>>          /* Hook up the fd */
>>          fd_install(fd, lessee_file);
>>
>> +       mutex_unlock(&dev->master_mutex);
> 
> I was going to suggest pushing the unlock call further up - after the
> drm_lease_create call. Although that would make the error path rather
> messy, so let's keep it as-is.
> 
> <snip>
> 
>> @@ -662,7 +684,7 @@ int drm_mode_get_lease_ioctl(struct drm_device *dev,
>>          struct drm_mode_get_lease *arg = data;
>>          __u32 __user *object_ids = (__u32 __user *) (uintptr_t) (arg->objects_ptr);
>>          __u32 count_objects = arg->count_objects;
>> -       struct drm_master *lessee = lessee_priv->master;
>> +       struct drm_master *lessee;
>>          struct idr *object_idr;
>>          int count;
>>          void *entry;
>> @@ -678,8 +700,10 @@ int drm_mode_get_lease_ioctl(struct drm_device *dev,
>>
>>          DRM_DEBUG_LEASE("get lease for %d\n", lessee->lessee_id);
>>
>> +       mutex_lock(&dev->master_mutex);
> 
> As-is we're dereferencing an uninitialised pointer in DRM_DEBUG_LEASE.
> Move the lock and assignment before the DRM_DEBUG_LEASE, just like
> you've done in the list ioctl.
> 
> With this fix, the patch is;
> Reviewed-by: Emil Velikov <emil.l.velikov@...il.com>
> 
> -Emil
> 


Good catch, thanks for the feedback Emil. I'll fix this up in a v2 patchset.

Best wishes,
Desmond

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ