From: Dan Carpenter <dan.carpenter@oracle.com>
To: butt3rflyh4ck <butterflyhuangxx@gmail.com>
Cc: robdclark@chromium.org, security@kernel.org, airlied@linux.ie,
	syzkaller-bugs@googlegroups.com, dri-devel@lists.freedesktop.org,
	chris@chris-wilson.co.uk, seanpaul@chromium.org,
	sam@ravnborg.org, emil.velikov@collabora.com
Subject: Re: KASAN: use-after-free Read in drm_gem_object_release
Date: Fri, 10 Jul 2020 14:52:40 +0300	[thread overview]
Message-ID: <20200710115240.GI2571@kadam> (raw)
In-Reply-To: <CAFcO6XO58pV+j9gu5Hha3JUW555EPQo6ELTvxRyQ5PWu_1gsUA@mail.gmail.com>

On Fri, Jul 10, 2020 at 04:24:03PM +0800, butt3rflyh4ck wrote:
> I reported a bug (in linux-5.8.0-rc4) found by syzkaller.
> 
> kernel config: https://github.com/butterflyhack/syzkaller-fuzz/blob/master/v5.8.0-rc4.config
> 
> I tested the reproducer and got the crash too.
> 
> In the drm_em_vram_t() function,  the ttm_bo_init() function calls
         ^^^^^^^^^^^^^
This is a typo.  The function name is drm_gem_vram_init().

> ttm_bo_init_reserved(),
> and the ttm_bo_init_reserved() function calls ttm_bo_put(), which frees
> gbo->bo, which is a struct ttm_buffer_object.
> 
> Then, at the err_drm_gem_object_release label,
> the drm_gem_object_release() function frees gbo->bo.base, which causes a
> use after free.
> 

There is a third free in drm_gem_vram_create().  This is a triple free
bug.  The correct place to free this is in drm_gem_vram_create() because
that's where it was allocated.

This code is quite subtle so I'm not going to attempt to fix it because
I can't test it.

regards,
dan carpenter

_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel
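Added example (not code from this thread or from the kernel): a user-space C model of the ownership handoff the two messages above describe. The invented model_bo_init() stands in for ttm_bo_init_reserved(), which consumes the object on failure by running its destroy callback; the buggy caller pair then releases the same object twice more (the error label in the init function and the kfree in the create function), while the fixed pair follows one rule, namely that a consumed object is never touched again by the caller. Releases are counted instead of performed so the model runs without crashing; in the kernel each of these is a real free, and the second and third are what KASAN reports. All function and struct names are hypothetical.

```c
#include <stdio.h>

/* Minimal stand-in for struct ttm_buffer_object: only the destroy hook. */
struct model_bo {
    void (*destroy)(struct model_bo *bo);
};

/* Stand-in for the VRAM GEM object that embeds the buffer object. */
struct model_gbo {
    struct model_bo bo;   /* first member, so a bo pointer converts back */
    int releases;         /* how many code paths released this object */
};

/* Destroy callback: models the path that runs when the last reference is
 * dropped (GEM base release plus kfree of the container). */
static void gbo_destroy(struct model_bo *bo)
{
    struct model_gbo *gbo = (struct model_gbo *)bo;  /* container_of() */
    gbo->releases++;
}

/* Models ttm_bo_init_reserved(): on failure it drops the reference it was
 * handed, which runs the destroy callback. The caller no longer owns bo. */
static int model_bo_init(struct model_bo *bo, int fail)
{
    if (fail) {
        bo->destroy(bo);
        return -1;
    }
    return 0;
}

/* Buggy init: the error label releases the GEM base even though the
 * destroy callback already did, on memory that is already freed. */
static int buggy_vram_init(struct model_gbo *gbo, int fail)
{
    int ret = model_bo_init(&gbo->bo, fail);
    if (ret)
        goto err_release;
    return 0;
err_release:
    gbo->releases++;      /* second release, use after free */
    return ret;
}

/* Buggy create: frees the container once more on the error path. */
static int buggy_vram_create(struct model_gbo *gbo, int fail)
{
    int ret;
    gbo->bo.destroy = gbo_destroy;
    ret = buggy_vram_init(gbo, fail);
    if (ret) {
        gbo->releases++;  /* third release, kfree of freed memory */
        return ret;
    }
    return 0;
}

/* Fixed init: a failed init has consumed the object, so return without
 * touching it. Exactly one path (the destroy callback) releases it. */
static int fixed_vram_init(struct model_gbo *gbo, int fail)
{
    return model_bo_init(&gbo->bo, fail);
}

static int fixed_vram_create(struct model_gbo *gbo, int fail)
{
    gbo->bo.destroy = gbo_destroy;
    return fixed_vram_init(gbo, fail);
}

/* Run the init/create pair with the given failure flag and report how
 * many times the single object was released. Correct code yields 1 on
 * failure and 0 on success; the buggy pair yields 3 on failure. */
int count_releases(int use_fixed, int fail)
{
    struct model_gbo gbo = { { 0 }, 0 };
    if (use_fixed)
        fixed_vram_create(&gbo, fail);
    else
        buggy_vram_create(&gbo, fail);
    return gbo.releases;
}

int main(void)
{
    printf("buggy, init fails: %d releases\n", count_releases(0, 1));
    printf("fixed, init fails: %d releases\n", count_releases(1, 1));
    printf("fixed, init succeeds: %d releases\n", count_releases(1, 0));
    return 0;
}
```

The point of the model is the ownership rule, not the exact kernel call chain: when a helper that can fail takes ownership of an object and destroys it on failure, every caller above it must treat a non-zero return as "the object is gone", and the teardown must live in exactly one place.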

Thread overview: 16+ messages
2020-07-10  8:24 KASAN: use-after-free Read in drm_gem_object_release butt3rflyh4ck
2020-07-10 10:39 ` Greg KH
2020-07-10 11:52 ` Dan Carpenter [this message]
2020-07-10 14:01   ` butt3rflyh4ck
2020-07-10 14:03   ` butt3rflyh4ck
2020-07-13 16:12   ` Daniel Vetter
2020-07-13 16:47     ` butt3rflyh4ck
2020-07-14  7:41 ` Thomas Zimmermann
2020-07-14  8:46   ` Thomas Zimmermann
  -- strict thread matches above, loose matches on Subject: below --
2022-07-22 16:23 Dipanjan Das
2022-07-22 16:23 ` Dipanjan Das
2022-08-02 19:02 ` Dipanjan Das
2022-08-02 19:02   ` Dipanjan Das
2021-05-14  6:42 Dan Bautista
2018-10-25 19:18 syzbot
2018-10-29 11:51 ` Dmitry Vyukov
