lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20200201055612.GF1778@kadam>
Date:   Sat, 1 Feb 2020 08:56:12 +0300
From:   Dan Carpenter <dan.carpenter@...cle.com>
To:     syzbot <syzbot+0dc4444774d419e916c8@...kaller.appspotmail.com>
Cc:     airlied@...ux.ie, alexander.deucher@....com,
        amd-gfx@...ts.freedesktop.org, chris@...is-wilson.co.uk,
        christian.koenig@....com, daniel@...ll.ch, davem@...emloft.net,
        dri-devel@...ts.freedesktop.org, emil.velikov@...labora.com,
        eric@...olt.net, linaro-mm-sig@...ts.linaro.org,
        linux-kernel@...r.kernel.org, linux-media@...r.kernel.org,
        netdev@...r.kernel.org, robdclark@...omium.org,
        seanpaul@...omium.org, sumit.semwal@...aro.org,
        syzkaller-bugs@...glegroups.com
Subject: Re: KASAN: use-after-free Read in vgem_gem_dumb_create

I don't totally understand the stack trace but I do see a double free
bug.

drivers/gpu/drm/vgem/vgem_drv.c
   186  static struct drm_gem_object *vgem_gem_create(struct drm_device *dev,
   187                                                struct drm_file *file,
   188                                                unsigned int *handle,
   189                                                unsigned long size)
   190  {
   191          struct drm_vgem_gem_object *obj;
   192          int ret;
   193  
   194          obj = __vgem_gem_create(dev, size);

obj->base.handle_count is zero.

   195          if (IS_ERR(obj))
   196                  return ERR_CAST(obj);
   197  
   198          ret = drm_gem_handle_create(file, &obj->base, handle);

We bump it +1 and then the error handling calls
drm_gem_object_handle_put_unlocked(obj);
which calls drm_gem_object_put_unlocked(); which frees obj.


   199          drm_gem_object_put_unlocked(&obj->base);

So this is a double free.  Could someone check my thinking and send
a patch?  It's just a one liner.  Otherwise I can send it on Monday.

   200          if (ret)
   201                  return ERR_PTR(ret);
   202  
   203          return &obj->base;
   204  }

regards,
dan carpenter

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ