| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <f9fa14c1-f487-4ad9-9bc9-7c1db6de1ae6@nvidia.com> Date: Mon, 7 Oct 2024 15:28:22 +0300 From: Yonatan Maman <ymaman@...dia.com> To: Danilo Krummrich <dakr@...nel.org> Cc: nouveau@...ts.freedesktop.org, Gal Shalom <GalShalom@...dia.com>, kherbst@...hat.com, lyude@...hat.com, dakr@...hat.com, airlied@...il.com, daniel@...ll.ch, dri-devel@...ts.freedesktop.org, nouveau@...ts.freedesktop.org, linux-kernel@...r.kernel.org Subject: Re: [PATCH 2/2] nouveau/dmem: Fix memory leak in `migrate_to_ram` upon copy error On 30/09/2024 14:20, Danilo Krummrich wrote: > External email: Use caution opening links or attachments > > > On Mon, Sep 23, 2024 at 01:54:58PM +0000, Yonatan Maman wrote: >> A copy push command might fail, causing `migrate_to_ram` to return a >> dirty HIGH_USER page to the user. >> >> This exposes a security vulnerability in the nouveau driver. To prevent >> memory leaks in `migrate_to_ram` upon a copy error, allocate a zero >> page for the destination page. > > So, you refer to the case where this function fails in nouveau_dmem_copy_one()? > > If so, can you please explain why adding __GFP_ZERO to alloc_page_vma() helps > with that? > The nouveau_dmem_copy_one function ensures that the copy push command is sent to the device firmware but does not track whether it was executed successfully. In the case of a copy error (e.g., firmware or hardware error), the command will be sent in the firmware channel, and nouveau_dmem_copy_one might succeed, as well as the migrate_to_ram function. Thus, a dirty page could be returned to the user. It’s important to note that we attempted to use nouveau_fence_wait status to handle migration errors, but it does not catch all error types. To avoid this vulnerability, we allocate a zero page. So that, in case of an error, a non-dirty (zero) page will be returned to the user. >> >> Signed-off-by: Yonatan Maman <Ymaman@...dia.com> >> Signed-off-by: Gal Shalom <GalShalom@...dia.com> > > Since this is a bug, please also add a 'Fixes' tag, CC stable and add a > 'Co-developed-by' tag if appropriate. sure, thanks, I will add, and push it as V2 patch-series. > >> --- >> drivers/gpu/drm/nouveau/nouveau_dmem.c | 2 +- >> 1 file changed, 1 insertion(+), 1 deletion(-) >> >> diff --git a/drivers/gpu/drm/nouveau/nouveau_dmem.c b/drivers/gpu/drm/nouveau/nouveau_dmem.c >> index 6fb65b01d778..097bd3af0719 100644 >> --- a/drivers/gpu/drm/nouveau/nouveau_dmem.c >> +++ b/drivers/gpu/drm/nouveau/nouveau_dmem.c >> @@ -193,7 +193,7 @@ static vm_fault_t nouveau_dmem_migrate_to_ram(struct vm_fault *vmf) >> if (!spage || !(src & MIGRATE_PFN_MIGRATE)) >> goto done; >> >> - dpage = alloc_page_vma(GFP_HIGHUSER, vmf->vma, vmf->address); >> + dpage = alloc_page_vma(GFP_HIGHUSER | __GFP_ZERO, vmf->vma, vmf->address); >> if (!dpage) >> goto done; >> >> -- >> 2.34.1 >>
Powered by blists - more mailing lists