Message-ID: <f9fa14c1-f487-4ad9-9bc9-7c1db6de1ae6@nvidia.com>
Date: Mon, 7 Oct 2024 15:28:22 +0300
From: Yonatan Maman <ymaman@...dia.com>
To: Danilo Krummrich <dakr@...nel.org>
Cc: nouveau@...ts.freedesktop.org, Gal Shalom <GalShalom@...dia.com>,
 kherbst@...hat.com, lyude@...hat.com, dakr@...hat.com, airlied@...il.com,
 daniel@...ll.ch, dri-devel@...ts.freedesktop.org,
 nouveau@...ts.freedesktop.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH 2/2] nouveau/dmem: Fix memory leak in `migrate_to_ram`
 upon copy error



On 30/09/2024 14:20, Danilo Krummrich wrote:
> On Mon, Sep 23, 2024 at 01:54:58PM +0000, Yonatan Maman wrote:
>> A copy push command might fail, causing `migrate_to_ram` to return a
>> dirty HIGH_USER page to the user.
>>
>> This exposes a security vulnerability in the nouveau driver. To prevent
>> memory leaks in `migrate_to_ram` upon a copy error, allocate a zero
>> page for the destination page.
> 
> So, you refer to the case where this function fails in nouveau_dmem_copy_one()?
> 
> If so, can you please explain why adding __GFP_ZERO to alloc_page_vma() helps
> with that?
> 

nouveau_dmem_copy_one() only ensures that the copy push command is
submitted to the device firmware; it does not track whether the command
was executed successfully.

If the copy itself fails (e.g., due to a firmware or hardware error), the
command has still been queued on the firmware channel, so
nouveau_dmem_copy_one() can return success, and so can migrate_to_ram.
As a result, a dirty page could be returned to the user.

Note that we tried using the nouveau_fence_wait status to handle
migration errors, but it does not catch all error types.

To avoid this vulnerability, we allocate a zeroed page, so that in case
of an error a non-dirty (zero) page is returned to the user.
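
To illustrate the failure mode, here is a minimal userspace sketch. It is
not driver code: alloc_page_sim(), copy_one_sim() and migrate_to_ram_sim()
are hypothetical stand-ins for alloc_page_vma(), nouveau_dmem_copy_one()
and migrate_to_ram, and the 0xAA fill is only an assumption used to model
stale data left in a freshly allocated page.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define SIM_PAGE_SIZE 4096
#define STALE_BYTE    0xAA  /* models leftover data from a previous owner */

/* Hypothetical stand-in for alloc_page_vma(); zero == true models __GFP_ZERO. */
static unsigned char *alloc_page_sim(bool zero)
{
	unsigned char *page = malloc(SIM_PAGE_SIZE);

	if (!page)
		return NULL;
	memset(page, STALE_BYTE, SIM_PAGE_SIZE);  /* page starts out dirty */
	if (zero)
		memset(page, 0, SIM_PAGE_SIZE);
	return page;
}

/*
 * Hypothetical stand-in for the copy step: it reports success once the
 * command is "submitted", even if the device never executes the copy.
 */
static int copy_one_sim(unsigned char *dst, const unsigned char *src,
			bool device_fails)
{
	if (!device_fails)
		memcpy(dst, src, SIM_PAGE_SIZE);
	return 0;  /* submission succeeded; execution is not tracked */
}

/*
 * Returns how many stale bytes are visible in the page that would be
 * handed back to the user, or (size_t)-1 if the allocation failed.
 */
static size_t migrate_to_ram_sim(bool zero, bool device_fails)
{
	unsigned char src[SIM_PAGE_SIZE];
	unsigned char *dpage;
	size_t i, stale = 0;

	memset(src, 0x11, sizeof(src));  /* the data that should be migrated */

	dpage = alloc_page_sim(zero);
	if (!dpage)
		return (size_t)-1;

	copy_one_sim(dpage, src, device_fails);

	for (i = 0; i < SIM_PAGE_SIZE; i++)
		if (dpage[i] == STALE_BYTE)
			stale++;

	free(dpage);
	return stale;
}
```

In this model, migrate_to_ram_sim(false, true) exposes the whole stale
page, while migrate_to_ram_sim(true, true) exposes none of it. The
migrated data is still lost in the failing case; zeroing only prevents
stale contents from reaching the user.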

>>
>> Signed-off-by: Yonatan Maman <Ymaman@...dia.com>
>> Signed-off-by: Gal Shalom <GalShalom@...dia.com>
> 
> Since this is a bug, please also add a 'Fixes' tag, CC stable and add a
> 'Co-developed-by' tag if appropriate.

Sure, thanks. I will add these tags and send this as a v2 patch series.
> 
>> ---
>>   drivers/gpu/drm/nouveau/nouveau_dmem.c | 2 +-
>>   1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/drivers/gpu/drm/nouveau/nouveau_dmem.c b/drivers/gpu/drm/nouveau/nouveau_dmem.c
>> index 6fb65b01d778..097bd3af0719 100644
>> --- a/drivers/gpu/drm/nouveau/nouveau_dmem.c
>> +++ b/drivers/gpu/drm/nouveau/nouveau_dmem.c
>> @@ -193,7 +193,7 @@ static vm_fault_t nouveau_dmem_migrate_to_ram(struct vm_fault *vmf)
>>        if (!spage || !(src & MIGRATE_PFN_MIGRATE))
>>                goto done;
>>
>> -     dpage = alloc_page_vma(GFP_HIGHUSER, vmf->vma, vmf->address);
>> +     dpage = alloc_page_vma(GFP_HIGHUSER | __GFP_ZERO, vmf->vma, vmf->address);
>>        if (!dpage)
>>                goto done;
>>
>> --
>> 2.34.1
>>

