Re: [PATCH V2] drm: hold gem reference until object is no longer accessed

From: daniel@ffwll.ch
To: unlisted-recipients:; (no To-header on input)
Cc: Steve Cohen <cohens@codeaurora.org>,
	dri-devel@lists.freedesktop.org, freedreno@lists.freedesktop.org,
	linux-arm-msm@vger.kernel.org, sam@ravnborg.org, daniel@ffwll.ch,
	seanpaul@chromium.org, pdhaval@codeaurora.org,
	jsanka@codeaurora.org, adelva@google.com
Subject: Re: [PATCH V2] drm: hold gem reference until object is no longer accessed
Date: Mon, 27 Jul 2020 22:11:28 +0200	[thread overview]
Message-ID: <20200727201128.GX6419@phenom.ffwll.local> (raw)
In-Reply-To: <20200727195507.GA240123@kroah.com>

On Mon, Jul 27, 2020 at 09:55:07PM +0200, Greg KH wrote:
> On Mon, Jul 20, 2020 at 06:30:50PM -0400, Steve Cohen wrote:
> > A use-after-free in drm_gem_open_ioctl can happen if the
> > GEM object handle is closed between the idr lookup and
> > retrieving the size from said object since a local reference
> > is not being held at that point. Hold the local reference
> > while the object can still be accessed to fix this and
> > plug the potential security hole.
> > 
> > Signed-off-by: Steve Cohen <cohens@codeaurora.org>
> > ---
> >  drivers/gpu/drm/drm_gem.c | 10 ++++------
> >  1 file changed, 4 insertions(+), 6 deletions(-)
> > 
> > diff --git a/drivers/gpu/drm/drm_gem.c b/drivers/gpu/drm/drm_gem.c
> > index 7bf628e..ee2058a 100644
> > --- a/drivers/gpu/drm/drm_gem.c
> > +++ b/drivers/gpu/drm/drm_gem.c
> > @@ -871,9 +871,6 @@ drm_gem_flink_ioctl(struct drm_device *dev, void *data,
> >   * @file_priv: drm file-private structure
> >   *
> >   * Open an object using the global name, returning a handle and the size.
> > - *
> > - * This handle (of course) holds a reference to the object, so the object
> > - * will not go away until the handle is deleted.
> >   */
> >  int
> >  drm_gem_open_ioctl(struct drm_device *dev, void *data,
> > @@ -898,14 +895,15 @@ drm_gem_open_ioctl(struct drm_device *dev, void *data,
> >  
> >  	/* drm_gem_handle_create_tail unlocks dev->object_name_lock. */
> >  	ret = drm_gem_handle_create_tail(file_priv, obj, &handle);
> > -	drm_gem_object_put_unlocked(obj);
> >  	if (ret)
> > -		return ret;
> > +		goto err;
> >  
> >  	args->handle = handle;
> >  	args->size = obj->size;
> >  
> > -	return 0;
> > +err:
> > +	drm_gem_object_put_unlocked(obj);
> > +	return ret;
> >  }
> >  
> >  /**
> 
> As this seems to fix an important issue, any reason it wasn't cc: stable
> on it so that it gets backported properly?
> 
> How about a "Fixes:" tag so that we know what commit id it fixes so we
> know how far back to backport things?
> 
> And a hint to the maintainers that "this is an issue that needs to get
> into 5.8-final, it shouldn't wait around longer please" would have also
> been nice to see :)
> 
> And what chagned from v1, aren't you supposed to list that somewhere in
> the changelog or below the --- line (never remember what DRM drivers
> want here...)
> 
> Care to send a v3?

Don't worry, I'm pushing this to drm-misc-fixes now, should still make it
to 5.8. Plus cc: stable. I didn't bother with Fixes: since I think the bug
is rather old. Also, worst case you leak 32bit of some kernel memory that
got reused already (but yeah I know that's often enough to get the foot in
somewhere nasty and crack the door open).

I think it fell through cracks because Sam said he'll apply, guess that
didn't happen.

Also yes a changelog, somewhere, for next time around.
-Daniel

> 
> thanks,
> 
> greg k-h

-- 
Daniel Vetter
Software Engineer, Intel Corporation
http://blog.ffwll.ch