All the mail mirrored from lore.kernel.org
 help / color / mirror / Atom feed
From: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>
To: Zack Rusin <zackr@vmware.com>,
	linux-graphics-maintainer@vmware.com, airlied@linux.ie,
	daniel@ffwll.ch, maarten.lankhorst@linux.intel.com,
	mripard@kernel.org, tzimmermann@suse.de
Cc: dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org,
	intel-gfx@lists.freedesktop.org, skhan@linuxfoundation.org,
	gregkh@linuxfoundation.org,
	linux-kernel-mentees@lists.linuxfoundation.org
Subject: Re: [PATCH 3/3] drm/vmwgfx: fix potential UAF in vmwgfx_surface.c
Date: Fri, 23 Jul 2021 14:44:35 +0800	[thread overview]
Message-ID: <cb3ea66e-7f59-c057-06ea-7ddca4329a7c@gmail.com> (raw)
In-Reply-To: <b27a2e80-c912-15eb-e78b-c8b6f3993930@vmware.com>

On 23/7/21 3:17 am, Zack Rusin wrote:
> On 7/22/21 5:29 AM, Desmond Cheong Zhi Xi wrote:
>> drm_file.master should be protected by either drm_device.master_mutex
>> or drm_file.master_lookup_lock when being dereferenced. However,
>> drm_master_get is called on unprotected file_priv->master pointers in
>> vmw_surface_define_ioctl and vmw_gb_surface_define_internal.
>>
>> This is fixed by replacing drm_master_get with drm_file_get_master.
>>
>> Signed-off-by: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>
> 
> Reviewed-by: Zack Rusin <zackr@vmware.com>
> 
> Thanks for taking the time to fix this. Apart from the clear logic 
> error, do you happen to know under what circumstances would this be hit? 
> We have someone looking at writing some vmwgfx specific igt tests and I 
> was wondering if I could add this to the list.
> 
> z

Hi Zack,

Thanks for the review.

For some context, the use-after-free happens when there's a race between 
accessing the value of drm_file.master, and a call to 
drm_setmaster_ioctl. If drm_file is not the creator of master, then the 
ioctl allocates a new master for drm_file and puts the old master.

Thus for example, the old value of drm_file.master could be freed in 
between getting the value of file_priv->master, and the call to 
drm_master_get.

I'm not entirely sure whether this scenario is a good candidate for a test?

For further reference, the issue was originally caught by Syzbot here:
https://syzkaller.appspot.com/bug?id=148d2f1dfac64af52ffd27b661981a540724f803

And from the logs it seems that the reproducer set up a race between 
DRM_IOCTL_GET_UNIQUE and DRM_IOCTL_SET_MASTER. So possibly a race 
between VMW_CREATE_SURFACE and DRM_IOCTL_SET_MASTER could trigger the 
same bug.

Best wishes,
Desmond


WARNING: multiple messages have this Message-ID (diff)
From: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>
To: Zack Rusin <zackr@vmware.com>,
	linux-graphics-maintainer@vmware.com, airlied@linux.ie,
	daniel@ffwll.ch, maarten.lankhorst@linux.intel.com,
	mripard@kernel.org, tzimmermann@suse.de
Cc: intel-gfx@lists.freedesktop.org, linux-kernel@vger.kernel.org,
	dri-devel@lists.freedesktop.org,
	linux-kernel-mentees@lists.linuxfoundation.org
Subject: Re: [PATCH 3/3] drm/vmwgfx: fix potential UAF in vmwgfx_surface.c
Date: Fri, 23 Jul 2021 14:44:35 +0800	[thread overview]
Message-ID: <cb3ea66e-7f59-c057-06ea-7ddca4329a7c@gmail.com> (raw)
In-Reply-To: <b27a2e80-c912-15eb-e78b-c8b6f3993930@vmware.com>

On 23/7/21 3:17 am, Zack Rusin wrote:
> On 7/22/21 5:29 AM, Desmond Cheong Zhi Xi wrote:
>> drm_file.master should be protected by either drm_device.master_mutex
>> or drm_file.master_lookup_lock when being dereferenced. However,
>> drm_master_get is called on unprotected file_priv->master pointers in
>> vmw_surface_define_ioctl and vmw_gb_surface_define_internal.
>>
>> This is fixed by replacing drm_master_get with drm_file_get_master.
>>
>> Signed-off-by: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>
> 
> Reviewed-by: Zack Rusin <zackr@vmware.com>
> 
> Thanks for taking the time to fix this. Apart from the clear logic 
> error, do you happen to know under what circumstances would this be hit? 
> We have someone looking at writing some vmwgfx specific igt tests and I 
> was wondering if I could add this to the list.
> 
> z

Hi Zack,

Thanks for the review.

For some context, the use-after-free happens when there's a race between 
accessing the value of drm_file.master, and a call to 
drm_setmaster_ioctl. If drm_file is not the creator of master, then the 
ioctl allocates a new master for drm_file and puts the old master.

Thus for example, the old value of drm_file.master could be freed in 
between getting the value of file_priv->master, and the call to 
drm_master_get.

I'm not entirely sure whether this scenario is a good candidate for a test?

For further reference, the issue was originally caught by Syzbot here:
https://syzkaller.appspot.com/bug?id=148d2f1dfac64af52ffd27b661981a540724f803

And from the logs it seems that the reproducer set up a race between 
DRM_IOCTL_GET_UNIQUE and DRM_IOCTL_SET_MASTER. So possibly a race 
between VMW_CREATE_SURFACE and DRM_IOCTL_SET_MASTER could trigger the 
same bug.

Best wishes,
Desmond

_______________________________________________
Linux-kernel-mentees mailing list
Linux-kernel-mentees@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/linux-kernel-mentees

WARNING: multiple messages have this Message-ID (diff)
From: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>
To: Zack Rusin <zackr@vmware.com>,
	linux-graphics-maintainer@vmware.com, airlied@linux.ie,
	daniel@ffwll.ch, maarten.lankhorst@linux.intel.com,
	mripard@kernel.org, tzimmermann@suse.de
Cc: gregkh@linuxfoundation.org, intel-gfx@lists.freedesktop.org,
	linux-kernel@vger.kernel.org, dri-devel@lists.freedesktop.org,
	skhan@linuxfoundation.org,
	linux-kernel-mentees@lists.linuxfoundation.org
Subject: Re: [PATCH 3/3] drm/vmwgfx: fix potential UAF in vmwgfx_surface.c
Date: Fri, 23 Jul 2021 14:44:35 +0800	[thread overview]
Message-ID: <cb3ea66e-7f59-c057-06ea-7ddca4329a7c@gmail.com> (raw)
In-Reply-To: <b27a2e80-c912-15eb-e78b-c8b6f3993930@vmware.com>

On 23/7/21 3:17 am, Zack Rusin wrote:
> On 7/22/21 5:29 AM, Desmond Cheong Zhi Xi wrote:
>> drm_file.master should be protected by either drm_device.master_mutex
>> or drm_file.master_lookup_lock when being dereferenced. However,
>> drm_master_get is called on unprotected file_priv->master pointers in
>> vmw_surface_define_ioctl and vmw_gb_surface_define_internal.
>>
>> This is fixed by replacing drm_master_get with drm_file_get_master.
>>
>> Signed-off-by: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>
> 
> Reviewed-by: Zack Rusin <zackr@vmware.com>
> 
> Thanks for taking the time to fix this. Apart from the clear logic 
> error, do you happen to know under what circumstances would this be hit? 
> We have someone looking at writing some vmwgfx specific igt tests and I 
> was wondering if I could add this to the list.
> 
> z

Hi Zack,

Thanks for the review.

For some context, the use-after-free happens when there's a race between 
accessing the value of drm_file.master, and a call to 
drm_setmaster_ioctl. If drm_file is not the creator of master, then the 
ioctl allocates a new master for drm_file and puts the old master.

Thus for example, the old value of drm_file.master could be freed in 
between getting the value of file_priv->master, and the call to 
drm_master_get.

I'm not entirely sure whether this scenario is a good candidate for a test?

For further reference, the issue was originally caught by Syzbot here:
https://syzkaller.appspot.com/bug?id=148d2f1dfac64af52ffd27b661981a540724f803

And from the logs it seems that the reproducer set up a race between 
DRM_IOCTL_GET_UNIQUE and DRM_IOCTL_SET_MASTER. So possibly a race 
between VMW_CREATE_SURFACE and DRM_IOCTL_SET_MASTER could trigger the 
same bug.

Best wishes,
Desmond


WARNING: multiple messages have this Message-ID (diff)
From: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>
To: Zack Rusin <zackr@vmware.com>,
	linux-graphics-maintainer@vmware.com, airlied@linux.ie,
	daniel@ffwll.ch, maarten.lankhorst@linux.intel.com,
	mripard@kernel.org, tzimmermann@suse.de
Cc: gregkh@linuxfoundation.org, intel-gfx@lists.freedesktop.org,
	linux-kernel@vger.kernel.org, dri-devel@lists.freedesktop.org,
	skhan@linuxfoundation.org,
	linux-kernel-mentees@lists.linuxfoundation.org
Subject: Re: [Intel-gfx] [PATCH 3/3] drm/vmwgfx: fix potential UAF in vmwgfx_surface.c
Date: Fri, 23 Jul 2021 14:44:35 +0800	[thread overview]
Message-ID: <cb3ea66e-7f59-c057-06ea-7ddca4329a7c@gmail.com> (raw)
In-Reply-To: <b27a2e80-c912-15eb-e78b-c8b6f3993930@vmware.com>

On 23/7/21 3:17 am, Zack Rusin wrote:
> On 7/22/21 5:29 AM, Desmond Cheong Zhi Xi wrote:
>> drm_file.master should be protected by either drm_device.master_mutex
>> or drm_file.master_lookup_lock when being dereferenced. However,
>> drm_master_get is called on unprotected file_priv->master pointers in
>> vmw_surface_define_ioctl and vmw_gb_surface_define_internal.
>>
>> This is fixed by replacing drm_master_get with drm_file_get_master.
>>
>> Signed-off-by: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>
> 
> Reviewed-by: Zack Rusin <zackr@vmware.com>
> 
> Thanks for taking the time to fix this. Apart from the clear logic 
> error, do you happen to know under what circumstances would this be hit? 
> We have someone looking at writing some vmwgfx specific igt tests and I 
> was wondering if I could add this to the list.
> 
> z

Hi Zack,

Thanks for the review.

For some context, the use-after-free happens when there's a race between 
accessing the value of drm_file.master, and a call to 
drm_setmaster_ioctl. If drm_file is not the creator of master, then the 
ioctl allocates a new master for drm_file and puts the old master.

Thus for example, the old value of drm_file.master could be freed in 
between getting the value of file_priv->master, and the call to 
drm_master_get.

I'm not entirely sure whether this scenario is a good candidate for a test?

For further reference, the issue was originally caught by Syzbot here:
https://syzkaller.appspot.com/bug?id=148d2f1dfac64af52ffd27b661981a540724f803

And from the logs it seems that the reproducer set up a race between 
DRM_IOCTL_GET_UNIQUE and DRM_IOCTL_SET_MASTER. So possibly a race 
between VMW_CREATE_SURFACE and DRM_IOCTL_SET_MASTER could trigger the 
same bug.

Best wishes,
Desmond

_______________________________________________
Intel-gfx mailing list
Intel-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/intel-gfx

  reply	other threads:[~2021-07-23  6:44 UTC|newest]

Thread overview: 72+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-07-22  9:29 [PATCH 0/3] drm, drm/vmwgfx: fixes and updates related to drm_master Desmond Cheong Zhi Xi
2021-07-22  9:29 ` [Intel-gfx] " Desmond Cheong Zhi Xi
2021-07-22  9:29 ` Desmond Cheong Zhi Xi
2021-07-22  9:29 ` Desmond Cheong Zhi Xi
2021-07-22  9:29 ` [PATCH 1/3] drm: use the lookup lock in drm_is_current_master Desmond Cheong Zhi Xi
2021-07-22  9:29   ` [Intel-gfx] " Desmond Cheong Zhi Xi
2021-07-22  9:29   ` Desmond Cheong Zhi Xi
2021-07-22  9:29   ` Desmond Cheong Zhi Xi
2021-07-22 10:38   ` Daniel Vetter
2021-07-22 10:38     ` [Intel-gfx] " Daniel Vetter
2021-07-22 10:38     ` Daniel Vetter
2021-07-22 10:38     ` Daniel Vetter
2021-07-22 15:04     ` Boqun Feng
2021-07-22 15:04       ` [Intel-gfx] " Boqun Feng
2021-07-22 15:04       ` Boqun Feng
2021-07-22 19:02       ` Daniel Vetter
2021-07-22 19:02         ` Daniel Vetter
2021-07-22 19:02         ` Daniel Vetter
2021-07-22 19:02         ` [Intel-gfx] " Daniel Vetter
2021-07-23  7:16         ` Boqun Feng
2021-07-23  7:16           ` [Intel-gfx] " Boqun Feng
2021-07-23  7:16           ` Boqun Feng
2021-07-27 14:37     ` Peter Zijlstra
2021-07-27 14:37       ` [Intel-gfx] " Peter Zijlstra
2021-07-27 14:37       ` Peter Zijlstra
2021-07-29  7:00       ` Daniel Vetter
2021-07-29  7:00         ` Daniel Vetter
2021-07-29  7:00         ` Daniel Vetter
2021-07-29  7:00         ` [Intel-gfx] " Daniel Vetter
2021-07-29 14:32         ` Desmond Cheong Zhi Xi
2021-07-29 14:32           ` [Intel-gfx] " Desmond Cheong Zhi Xi
2021-07-29 14:32           ` Desmond Cheong Zhi Xi
2021-07-29 14:32           ` Desmond Cheong Zhi Xi
2021-07-29 14:45           ` [Intel-gfx] " Peter Zijlstra
2021-07-29 14:45             ` Peter Zijlstra
2021-07-29 14:45             ` Peter Zijlstra
2021-07-29 14:45             ` Peter Zijlstra
2021-07-22  9:29 ` [PATCH 2/3] drm: clarify lifetime/locking for drm_master's lease fields Desmond Cheong Zhi Xi
2021-07-22  9:29   ` [Intel-gfx] " Desmond Cheong Zhi Xi
2021-07-22  9:29   ` Desmond Cheong Zhi Xi
2021-07-22  9:29   ` Desmond Cheong Zhi Xi
2021-07-22 10:35   ` Daniel Vetter
2021-07-22 10:35     ` [Intel-gfx] " Daniel Vetter
2021-07-22 10:35     ` Daniel Vetter
2021-07-22 10:35     ` Daniel Vetter
2021-07-22 13:02     ` Desmond Cheong Zhi Xi
2021-07-22 13:02       ` Desmond Cheong Zhi Xi
2021-07-22 13:02       ` [Intel-gfx] " Desmond Cheong Zhi Xi
2021-07-22 13:02       ` Desmond Cheong Zhi Xi
2021-07-22 14:17       ` Daniel Vetter
2021-07-22 14:17         ` Daniel Vetter
2021-07-22 14:17         ` Daniel Vetter
2021-07-22 14:17         ` [Intel-gfx] " Daniel Vetter
2021-07-22  9:29 ` [PATCH 3/3] drm/vmwgfx: fix potential UAF in vmwgfx_surface.c Desmond Cheong Zhi Xi
2021-07-22  9:29   ` [Intel-gfx] " Desmond Cheong Zhi Xi
2021-07-22  9:29   ` Desmond Cheong Zhi Xi
2021-07-22  9:29   ` Desmond Cheong Zhi Xi
2021-07-22 10:39   ` Daniel Vetter
2021-07-22 10:39     ` [Intel-gfx] " Daniel Vetter
2021-07-22 10:39     ` Daniel Vetter
2021-07-22 10:39     ` Daniel Vetter
2021-07-22 19:17   ` Zack Rusin
2021-07-22 19:17     ` Zack Rusin
2021-07-22 19:17     ` Zack Rusin
2021-07-22 19:17     ` [Intel-gfx] " Zack Rusin
2021-07-23  6:44     ` Desmond Cheong Zhi Xi [this message]
2021-07-23  6:44       ` Desmond Cheong Zhi Xi
2021-07-23  6:44       ` Desmond Cheong Zhi Xi
2021-07-23  6:44       ` Desmond Cheong Zhi Xi
2021-07-22 14:05 ` [Intel-gfx] ✗ Fi.CI.SPARSE: warning for drm, drm/vmwgfx: fixes and updates related to drm_master Patchwork
2021-07-22 14:34 ` [Intel-gfx] ✗ Fi.CI.BAT: failure " Patchwork
2021-07-27 17:42 ` [Intel-gfx] ✗ Fi.CI.BUILD: failure for drm, drm/vmwgfx: fixes and updates related to drm_master (rev2) Patchwork

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=cb3ea66e-7f59-c057-06ea-7ddca4329a7c@gmail.com \
    --to=desmondcheongzx@gmail.com \
    --cc=airlied@linux.ie \
    --cc=daniel@ffwll.ch \
    --cc=dri-devel@lists.freedesktop.org \
    --cc=gregkh@linuxfoundation.org \
    --cc=intel-gfx@lists.freedesktop.org \
    --cc=linux-graphics-maintainer@vmware.com \
    --cc=linux-kernel-mentees@lists.linuxfoundation.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=maarten.lankhorst@linux.intel.com \
    --cc=mripard@kernel.org \
    --cc=skhan@linuxfoundation.org \
    --cc=tzimmermann@suse.de \
    --cc=zackr@vmware.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.