* [PATCH v7] misc: sgi-gru: fix use-after-free error in gru_set_context_option, gru_fault and gru_handle_user_call_os
@ 2022-11-09 9:33 Zheng Wang
2022-11-09 10:08 ` Greg KH
0 siblings, 1 reply; 3+ messages in thread
From: Zheng Wang @ 2022-11-09 9:33 UTC (permalink / raw)
To: gregkh
Cc: zhengyejian1, dimitri.sivanich, arnd, linux-kernel,
hackerzheng666, alex000young, security, sivanich, lkp,
Zheng Wang
Gts may be freed in gru_check_chiplet_assignment.
The caller still use it after that, UAF happens.
Fix it by introducing a return value to see if it's in error path or not.
Free the gts in caller if gru_check_chiplet_assignment check failed.
Fixes: 55484c45dbec ("gru: allow users to specify gru chiplet 2")
Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
Acked-by: Dimitri Sivanich <sivanich@hpe.com>
Tested-by: kernel test robot <lkp@intel.com>
---
v7:
- fix some spelling problems suggested by Greg, change kernel test robot from reported-by tag to tested-by tag
v6:
- remove unused var checked by kernel test robot
v5:
- fix logical issue and remove unnecessary variable suggested by Dimitri Sivanich
v4:
- use VM_FAULT_NOPAGE as failure code in gru_fault and -EINVAL in other functions suggested by Yejian
v3:
- add preempt_enable and use VM_FAULT_NOPAGE as failure code suggested by Yejian
v2:
- commit message changes suggested by Greg
v1: https://lore.kernel.org/lkml/CAJedcCzY72jqgF-pCPtx66vXXwdPn-KMagZnqrxcpWw1NxTLaA@mail.gmail.com/
---
drivers/misc/sgi-gru/grufault.c | 14 ++++++++++++--
drivers/misc/sgi-gru/grumain.c | 16 ++++++++++++----
drivers/misc/sgi-gru/grutables.h | 2 +-
3 files changed, 25 insertions(+), 7 deletions(-)
diff --git a/drivers/misc/sgi-gru/grufault.c b/drivers/misc/sgi-gru/grufault.c
index d7ef61e602ed..bdd515d33225 100644
--- a/drivers/misc/sgi-gru/grufault.c
+++ b/drivers/misc/sgi-gru/grufault.c
@@ -656,7 +656,9 @@ int gru_handle_user_call_os(unsigned long cb)
if (ucbnum >= gts->ts_cbr_au_count * GRU_CBR_AU_SIZE)
goto exit;
- gru_check_context_placement(gts);
+ ret = gru_check_context_placement(gts);
+ if (ret)
+ goto err;
/*
* CCH may contain stale data if ts_force_cch_reload is set.
@@ -677,6 +679,10 @@ int gru_handle_user_call_os(unsigned long cb)
exit:
gru_unlock_gts(gts);
return ret;
+err:
+ gru_unlock_gts(gts);
+ gru_unload_context(gts, 1);
+ return -EINVAL;
}
/*
@@ -874,7 +880,11 @@ int gru_set_context_option(unsigned long arg)
} else {
gts->ts_user_blade_id = req.val1;
gts->ts_user_chiplet_id = req.val0;
- gru_check_context_placement(gts);
+ if (gru_check_context_placement(gts)) {
+ gru_unlock_gts(gts);
+ gru_unload_context(gts, 1);
+ return -EINVAL;
+ }
}
break;
case sco_gseg_owner:
diff --git a/drivers/misc/sgi-gru/grumain.c b/drivers/misc/sgi-gru/grumain.c
index 9afda47efbf2..beba69fc3cd7 100644
--- a/drivers/misc/sgi-gru/grumain.c
+++ b/drivers/misc/sgi-gru/grumain.c
@@ -716,9 +716,10 @@ static int gru_check_chiplet_assignment(struct gru_state *gru,
* chiplet. Misassignment can occur if the process migrates to a different
* blade or if the user changes the selected blade/chiplet.
*/
-void gru_check_context_placement(struct gru_thread_state *gts)
+int gru_check_context_placement(struct gru_thread_state *gts)
{
struct gru_state *gru;
+ int ret = 0;
/*
* If the current task is the context owner, verify that the
@@ -727,14 +728,16 @@ void gru_check_context_placement(struct gru_thread_state *gts)
*/
gru = gts->ts_gru;
if (!gru || gts->ts_tgid_owner != current->tgid)
- return;
+ return ret;
if (!gru_check_chiplet_assignment(gru, gts)) {
STAT(check_context_unload);
- gru_unload_context(gts, 1);
+ ret = -EINVAL;
} else if (gru_retarget_intr(gts)) {
STAT(check_context_retarget_intr);
}
+
+ return ret;
}
@@ -934,7 +937,12 @@ vm_fault_t gru_fault(struct vm_fault *vmf)
mutex_lock(>s->ts_ctxlock);
preempt_disable();
- gru_check_context_placement(gts);
+ if (gru_check_context_placement(gts)) {
+ preempt_enable();
+ mutex_unlock(>s->ts_ctxlock);
+ gru_unload_context(gts, 1);
+ return VM_FAULT_NOPAGE;
+ }
if (!gts->ts_gru) {
STAT(load_user_context);
diff --git a/drivers/misc/sgi-gru/grutables.h b/drivers/misc/sgi-gru/grutables.h
index 5efc869fe59a..f4a5a787685f 100644
--- a/drivers/misc/sgi-gru/grutables.h
+++ b/drivers/misc/sgi-gru/grutables.h
@@ -632,7 +632,7 @@ extern int gru_user_flush_tlb(unsigned long arg);
extern int gru_user_unload_context(unsigned long arg);
extern int gru_get_exception_detail(unsigned long arg);
extern int gru_set_context_option(unsigned long address);
-extern void gru_check_context_placement(struct gru_thread_state *gts);
+extern int gru_check_context_placement(struct gru_thread_state *gts);
extern int gru_cpu_fault_map_id(void);
extern struct vm_area_struct *gru_find_vma(unsigned long vaddr);
extern void gru_flush_all_tlb(struct gru_state *gru);
--
2.25.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH v7] misc: sgi-gru: fix use-after-free error in gru_set_context_option, gru_fault and gru_handle_user_call_os
2022-11-09 9:33 [PATCH v7] misc: sgi-gru: fix use-after-free error in gru_set_context_option, gru_fault and gru_handle_user_call_os Zheng Wang
@ 2022-11-09 10:08 ` Greg KH
2022-11-09 10:49 ` Zheng Hacker
0 siblings, 1 reply; 3+ messages in thread
From: Greg KH @ 2022-11-09 10:08 UTC (permalink / raw)
To: Zheng Wang
Cc: zhengyejian1, dimitri.sivanich, arnd, linux-kernel,
hackerzheng666, alex000young, security, sivanich, lkp
On Wed, Nov 09, 2022 at 05:33:47PM +0800, Zheng Wang wrote:
> Gts may be freed in gru_check_chiplet_assignment.
> The caller still use it after that, UAF happens.
>
> Fix it by introducing a return value to see if it's in error path or not.
> Free the gts in caller if gru_check_chiplet_assignment check failed.
>
> Fixes: 55484c45dbec ("gru: allow users to specify gru chiplet 2")
> Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
> Acked-by: Dimitri Sivanich <sivanich@hpe.com>
> Tested-by: kernel test robot <lkp@intel.com>
The kernel robot did not provide a tested-by comment for this as they
did not test it.
Please never add tags that the person does not submit to you.
greg k-h
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH v7] misc: sgi-gru: fix use-after-free error in gru_set_context_option, gru_fault and gru_handle_user_call_os
2022-11-09 10:08 ` Greg KH
@ 2022-11-09 10:49 ` Zheng Hacker
0 siblings, 0 replies; 3+ messages in thread
From: Zheng Hacker @ 2022-11-09 10:49 UTC (permalink / raw)
To: Greg KH
Cc: Zheng Wang, zhengyejian1, dimitri.sivanich, arnd, linux-kernel,
alex000young, security, sivanich, lkp
> The kernel robot did not provide a tested-by comment for this as they
> did not test it.
>
> Please never add tags that the person does not submit to you.
>
Okay, I will remove the related tag righe now.
Best regards,
Zheng Wang
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2022-11-09 10:50 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-11-09 9:33 [PATCH v7] misc: sgi-gru: fix use-after-free error in gru_set_context_option, gru_fault and gru_handle_user_call_os Zheng Wang
2022-11-09 10:08 ` Greg KH
2022-11-09 10:49 ` Zheng Hacker
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.