Date: Sat, 1 Feb 2020 08:56:12 +0300
From: Dan Carpenter <dan.carpenter@...cle.com>
To: syzbot <syzbot+0dc4444774d419e916c8@...kaller.appspotmail.com>
Cc: airlied@...ux.ie, alexander.deucher@....com, amd-gfx@...ts.freedesktop.org, chris@...is-wilson.co.uk, christian.koenig@....com, daniel@...ll.ch, davem@...emloft.net, dri-devel@...ts.freedesktop.org, emil.velikov@...labora.com, eric@...olt.net, linaro-mm-sig@...ts.linaro.org, linux-kernel@...r.kernel.org, linux-media@...r.kernel.org, netdev@...r.kernel.org, robdclark@...omium.org, seanpaul@...omium.org, sumit.semwal@...aro.org, syzkaller-bugs@...glegroups.com
Subject: Re: KASAN: use-after-free Read in vgem_gem_dumb_create

I don't totally understand the stack trace but I do see a double free bug.

drivers/gpu/drm/vgem/vgem_drv.c
   186  static struct drm_gem_object *vgem_gem_create(struct drm_device *dev,
   187                                                struct drm_file *file,
   188                                                unsigned int *handle,
   189                                                unsigned long size)
   190  {
   191          struct drm_vgem_gem_object *obj;
   192          int ret;
   193
   194          obj = __vgem_gem_create(dev, size);

obj->base.handle_count is zero.

   195          if (IS_ERR(obj))
   196                  return ERR_CAST(obj);
   197
   198          ret = drm_gem_handle_create(file, &obj->base, handle);

We bump it +1 and then the error handling calls
drm_gem_object_handle_put_unlocked(obj); which calls
drm_gem_object_put_unlocked(); which frees obj.

   199          drm_gem_object_put_unlocked(&obj->base);

So this is a double free.  Could someone check my thinking and send a
patch?  It's just a one liner.  Otherwise I can send it on Monday.

   200          if (ret)
   201                  return ERR_PTR(ret);
   202
   203          return &obj->base;
   204  }

regards,
dan carpenter