| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <Ynu3DJJJV7TaSzfl@phenom.ffwll.local>
Date: Wed, 11 May 2022 15:15:56 +0200
From: Daniel Vetter <daniel@...ll.ch>
To: Javier Martinez Canillas <javierm@...hat.com>
Cc: Thomas Zimmermann <tzimmermann@...e.de>,
Andrzej Hajda <andrzej.hajda@...el.com>,
linux-kernel@...r.kernel.org, linux-fbdev@...r.kernel.org,
Daniel Vetter <daniel.vetter@...ll.ch>,
Helge Deller <deller@....de>, dri-devel@...ts.freedesktop.org,
Daniel Vetter <daniel.vetter@...el.com>
Subject: Re: [PATCH v3 1/4] fbdev: Prevent possible use-after-free in
fb_release()
On Mon, May 09, 2022 at 10:00:41PM +0200, Javier Martinez Canillas wrote:
> Hello Thomas,
>
> On 5/9/22 20:32, Thomas Zimmermann wrote:
> > Hi
> >
> > Am 09.05.22 um 18:33 schrieb Javier Martinez Canillas:
> >> On 5/9/22 17:51, Andrzej Hajda wrote:
> >>
> >> [snip]
> >>
> >>>>>> +
> >>>>> Regarding drm:
> >>>>> What about drm_fb_helper_fini? It calls also framebuffer_release and is
> >>>>> called often from _remove paths (checked intel/radeon/nouveau). I guess
> >>>>> it should be fixed as well. Do you plan to fix it?
> >>>>>
> >>>> I think you are correct. Maybe we need something like the following?
> >>>>
> >>>> diff --git a/drivers/gpu/drm/drm_fb_helper.c b/drivers/gpu/drm/drm_fb_helper.c
> >>>> index d265a73313c9..b09598f7af28 100644
> >>>> --- a/drivers/gpu/drm/drm_fb_helper.c
> >>>> +++ b/drivers/gpu/drm/drm_fb_helper.c
> >>>> @@ -631,7 +631,6 @@ void drm_fb_helper_fini(struct drm_fb_helper *fb_helper)
> >>>> if (info) {
> >>>> if (info->cmap.len)
> >>>> fb_dealloc_cmap(&info->cmap);
> >>>> - framebuffer_release(info);
> >
> > After reviewing that code, drm_fb_helper_fini() appears to be called
> > from .fb_destroy (see drm_fbdev_release). The code is hard to follow
> > though. If there another way of releasing the framebuffer here?
> >
>
> Andrzej mentioned intel/radeon/nouveau as example, I only looked at i915
> and the call chain is the following as far as I can tell:
>
> struct pci_driver i915_pci_driver = {
> ...
> .remove = i915_pci_remove,
> ...
> };
>
>
> i915_driver_remove
> intel_modeset_driver_remove_noirq
> intel_fbdev_fini
> intel_fbdev_destroy
> drm_fb_helper_fini
> framebuffer_release
>
> So my underdestanding is that if a program has the emulated fbdev device
> opened and the i915 module is removed, then a use-after-free would be
> triggered on drm_fbdev_fb_destroy() once the program closes the device:
>
> drm_fbdev_fb_destroy
> drm_fbdev_release(info->par); <-- info was already freed on .remove
Yeah the old drivers that haven't switched over to the drm_client based
fbdev emulations are all kinds of wrong and release it too early.
Note that they don't use the provided ->remove hook, since that would
result in double-cleanup like you point out. Those old drivers work more
like all the other fbdev drivers where all the cleanup is done in
->remove, and if it's a real hotunplug you just die in fire :-/
Switching them all over to the drm_client based fbdev helpers and
unexporting these old (dangerous!) functions would be really neat. But
it's also a loooooot of work, and generally those big drivers don't get
hotunplugged.
-Daniel
--
Daniel Vetter
Software Engineer, Intel Corporation
http://blog.ffwll.ch
Powered by blists - more mailing lists