| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <ZwPnV2OPJhOUcsU0@pollux> Date: Mon, 7 Oct 2024 15:51:19 +0200 From: Danilo Krummrich <dakr@...nel.org> To: Yonatan Maman <ymaman@...dia.com> Cc: nouveau@...ts.freedesktop.org, Gal Shalom <GalShalom@...dia.com>, kherbst@...hat.com, lyude@...hat.com, dakr@...hat.com, airlied@...il.com, daniel@...ll.ch, dri-devel@...ts.freedesktop.org, linux-kernel@...r.kernel.org Subject: Re: [PATCH 2/2] nouveau/dmem: Fix memory leak in `migrate_to_ram` upon copy error On Mon, Oct 07, 2024 at 03:28:22PM +0300, Yonatan Maman wrote: > > > On 30/09/2024 14:20, Danilo Krummrich wrote: > > External email: Use caution opening links or attachments > > > > > > On Mon, Sep 23, 2024 at 01:54:58PM +0000, Yonatan Maman wrote: > > > A copy push command might fail, causing `migrate_to_ram` to return a > > > dirty HIGH_USER page to the user. > > > > > > This exposes a security vulnerability in the nouveau driver. To prevent > > > memory leaks in `migrate_to_ram` upon a copy error, allocate a zero > > > page for the destination page. > > > > So, you refer to the case where this function fails in nouveau_dmem_copy_one()? > > > > If so, can you please explain why adding __GFP_ZERO to alloc_page_vma() helps > > with that? > > > > The nouveau_dmem_copy_one function ensures that the copy push command is > sent to the device firmware but does not track whether it was executed > successfully. > > In the case of a copy error (e.g., firmware or hardware error), the command > will be sent in the firmware channel, and nouveau_dmem_copy_one might > succeed, as well as the migrate_to_ram function. Thus, a dirty page could be > returned to the user. > > It’s important to note that we attempted to use nouveau_fence_wait status to > handle migration errors, but it does not catch all error types. > > To avoid this vulnerability, we allocate a zero page. So that, in case of an > error, a non-dirty (zero) page will be returned to the user. I see, I got confused by calling this a 'memory leak'. Please add this description in the commit message and avoid the term 'memory leak' in this context. > > > > > > > Signed-off-by: Yonatan Maman <Ymaman@...dia.com> > > > Signed-off-by: Gal Shalom <GalShalom@...dia.com> > > > > Since this is a bug, please also add a 'Fixes' tag, CC stable and add a > > 'Co-developed-by' tag if appropriate. > > sure, thanks, I will add, and push it as V2 patch-series. > > > > > --- > > > drivers/gpu/drm/nouveau/nouveau_dmem.c | 2 +- > > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > > > diff --git a/drivers/gpu/drm/nouveau/nouveau_dmem.c b/drivers/gpu/drm/nouveau/nouveau_dmem.c > > > index 6fb65b01d778..097bd3af0719 100644 > > > --- a/drivers/gpu/drm/nouveau/nouveau_dmem.c > > > +++ b/drivers/gpu/drm/nouveau/nouveau_dmem.c > > > @@ -193,7 +193,7 @@ static vm_fault_t nouveau_dmem_migrate_to_ram(struct vm_fault *vmf) > > > if (!spage || !(src & MIGRATE_PFN_MIGRATE)) > > > goto done; > > > > > > - dpage = alloc_page_vma(GFP_HIGHUSER, vmf->vma, vmf->address); > > > + dpage = alloc_page_vma(GFP_HIGHUSER | __GFP_ZERO, vmf->vma, vmf->address); > > > if (!dpage) > > > goto done; > > > > > > -- > > > 2.34.1 > > > >
Powered by blists - more mailing lists