| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 1 Feb 2020 08:56:12 +0300
From: Dan Carpenter <dan.carpenter@...cle.com>
To: syzbot <syzbot+0dc4444774d419e916c8@...kaller.appspotmail.com>
Cc: airlied@...ux.ie, alexander.deucher@....com,
amd-gfx@...ts.freedesktop.org, chris@...is-wilson.co.uk,
christian.koenig@....com, daniel@...ll.ch, davem@...emloft.net,
dri-devel@...ts.freedesktop.org, emil.velikov@...labora.com,
eric@...olt.net, linaro-mm-sig@...ts.linaro.org,
linux-kernel@...r.kernel.org, linux-media@...r.kernel.org,
netdev@...r.kernel.org, robdclark@...omium.org,
seanpaul@...omium.org, sumit.semwal@...aro.org,
syzkaller-bugs@...glegroups.com
Subject: Re: KASAN: use-after-free Read in vgem_gem_dumb_create
I don't totally understand the stack trace but I do see a double free
bug.
drivers/gpu/drm/vgem/vgem_drv.c
186 static struct drm_gem_object *vgem_gem_create(struct drm_device *dev,
187 struct drm_file *file,
188 unsigned int *handle,
189 unsigned long size)
190 {
191 struct drm_vgem_gem_object *obj;
192 int ret;
193
194 obj = __vgem_gem_create(dev, size);
obj->base.handle_count is zero.
195 if (IS_ERR(obj))
196 return ERR_CAST(obj);
197
198 ret = drm_gem_handle_create(file, &obj->base, handle);
We bump it +1 and then the error handling calls
drm_gem_object_handle_put_unlocked(obj);
which calls drm_gem_object_put_unlocked(); which frees obj.
199 drm_gem_object_put_unlocked(&obj->base);
So this is a double free. Could someone check my thinking and send
a patch? It's just a one liner. Otherwise I can send it on Monday.
200 if (ret)
201 return ERR_PTR(ret);
202
203 return &obj->base;
204 }
regards,
dan carpenter
Powered by blists - more mailing lists