lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <53a63ac8-f2de-91f7-4e0f-20b0f3f61d52@gmail.com>
Date:   Wed, 18 Aug 2021 23:37:08 +0800
From:   Desmond Cheong Zhi Xi <desmondcheongzx@...il.com>
To:     maarten.lankhorst@...ux.intel.com, mripard@...nel.org,
        tzimmermann@...e.de, airlied@...ux.ie, sumit.semwal@...aro.org,
        christian.koenig@....com, axboe@...nel.dk, oleg@...hat.com,
        tglx@...utronix.de, dvyukov@...gle.com, walter-zh.wu@...iatek.com,
        dri-devel@...ts.freedesktop.org, linux-kernel@...r.kernel.org,
        intel-gfx@...ts.freedesktop.org, linux-media@...r.kernel.org,
        linaro-mm-sig@...ts.linaro.org, skhan@...uxfoundation.org,
        gregkh@...uxfoundation.org,
        linux-kernel-mentees@...ts.linuxfoundation.org
Subject: Re: [PATCH v3 4/9] drm: fix potential null ptr dereferences in
 drm_{auth,ioctl}

On 18/8/21 6:11 pm, Daniel Vetter wrote:
> On Wed, Aug 18, 2021 at 03:38:19PM +0800, Desmond Cheong Zhi Xi wrote:
>> There are three areas where we dereference struct drm_master without
>> checking if the pointer is non-NULL.
>>
>> 1. drm_getmagic is called from the ioctl_handler. Since
>> DRM_IOCTL_GET_MAGIC has no ioctl flags, drm_getmagic is run without
>> any check that drm_file.master has been set.
>>
>> 2. Similarly, drm_getunique is called from the ioctl_handler, but
>> DRM_IOCTL_GET_UNIQUE has no ioctl flags. So there is no guarantee that
>> drm_file.master has been set.
> 
> I think the above two are impossible, due to the refcounting rules for
> struct file.
> 

Right, will drop those two parts from the patch.

>> 3. drm_master_release can also be called without having a
>> drm_file.master set. Here is one error path:
>>    drm_open():
>>      drm_open_helper():
>>        drm_master_open():
>>          drm_new_set_master(); <--- returns -ENOMEM,
>>                                     drm_file.master not set
>>        drm_file_free():
>>          drm_master_release(); <--- NULL ptr dereference
>>                                     (file_priv->master->magic_map)
>>
>> Fix these by checking if the master pointers are NULL before use.
>>
>> Signed-off-by: Desmond Cheong Zhi Xi <desmondcheongzx@...il.com>
>> ---
>>   drivers/gpu/drm/drm_auth.c  | 16 ++++++++++++++--
>>   drivers/gpu/drm/drm_ioctl.c |  5 +++++
>>   2 files changed, 19 insertions(+), 2 deletions(-)
>>
>> diff --git a/drivers/gpu/drm/drm_auth.c b/drivers/gpu/drm/drm_auth.c
>> index f9267b21556e..b7230604496b 100644
>> --- a/drivers/gpu/drm/drm_auth.c
>> +++ b/drivers/gpu/drm/drm_auth.c
>> @@ -95,11 +95,18 @@ EXPORT_SYMBOL(drm_is_current_master);
>>   int drm_getmagic(struct drm_device *dev, void *data, struct drm_file *file_priv)
>>   {
>>   	struct drm_auth *auth = data;
>> +	struct drm_master *master;
>>   	int ret = 0;
>>   
>>   	mutex_lock(&dev->master_mutex);
>> +	master = file_priv->master;
>> +	if (!master) {
>> +		mutex_unlock(&dev->master_mutex);
>> +		return -EINVAL;
>> +	}
>> +
>>   	if (!file_priv->magic) {
>> -		ret = idr_alloc(&file_priv->master->magic_map, file_priv,
>> +		ret = idr_alloc(&master->magic_map, file_priv,
>>   				1, 0, GFP_KERNEL);
>>   		if (ret >= 0)
>>   			file_priv->magic = ret;
>> @@ -355,8 +362,12 @@ void drm_master_release(struct drm_file *file_priv)
>>   
>>   	mutex_lock(&dev->master_mutex);
>>   	master = file_priv->master;
>> +
>> +	if (!master)
>> +		goto unlock;
> 
> This is a bit convoluted, since we're in the single-threaded release path
> we don't need any locking for file_priv related things. Therefore we can
> pull the master check out and just directly return.
> 
> But since it's a bit surprising maybe a comment that this can happen when
> drm_master_open in drm_open_helper fails?
> 

Sounds good. This can actually also happen in the failure path of 
mock_drm_getfile if anon_inode_getfile fails. I'll leave a short note 
about both of them.

> Another option, and maybe cleaner, would be to move the drm_master_release
> from drm_file_free into drm_close_helper. That would be fully symmetrical
> and should also fix the bug here?
> -Daniel
> 
Hmmm maybe the first option to move the check out of the lock might be 
better. If I'm not wrong, we would otherwise also need to move 
drm_master_release into drm_client_close.

> 
>> +
>>   	if (file_priv->magic)
>> -		idr_remove(&file_priv->master->magic_map, file_priv->magic);
>> +		idr_remove(&master->magic_map, file_priv->magic);
>>   
>>   	if (!drm_is_current_master_locked(file_priv))
>>   		goto out;
>> @@ -379,6 +390,7 @@ void drm_master_release(struct drm_file *file_priv)
>>   		drm_master_put(&file_priv->master);
>>   		spin_unlock(&dev->master_lookup_lock);
>>   	}
>> +unlock:
>>   	mutex_unlock(&dev->master_mutex);
>>   }
>>   
>> diff --git a/drivers/gpu/drm/drm_ioctl.c b/drivers/gpu/drm/drm_ioctl.c
>> index 26f3a9ede8fe..4d029d3061d9 100644
>> --- a/drivers/gpu/drm/drm_ioctl.c
>> +++ b/drivers/gpu/drm/drm_ioctl.c
>> @@ -121,6 +121,11 @@ int drm_getunique(struct drm_device *dev, void *data,
>>   
>>   	mutex_lock(&dev->master_mutex);
>>   	master = file_priv->master;
>> +	if (!master) {
>> +		mutex_unlock(&dev->master_mutex);
>> +		return -EINVAL;
>> +	}
>> +
>>   	if (u->unique_len >= master->unique_len) {
>>   		if (copy_to_user(u->unique, master->unique, master->unique_len)) {
>>   			mutex_unlock(&dev->master_mutex);
>> -- 
>> 2.25.1
>>
> 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ