* [PATCH] drm: fix use-after-free read in drm_mode_create_lease_ioctl()
@ 2018-10-01 15:31 Jann Horn
2018-10-02 8:24 ` Daniel Vetter
0 siblings, 1 reply; 2+ messages in thread
From: Jann Horn @ 2018-10-01 15:31 UTC (permalink / raw)
To: Keith Packard, Dave Airlie, David Airlie, dri-devel, jannh
Cc: linux-kernel, Kees Cook
fd_install() moves the reference given to it into the file descriptor table
of the current process. If the current process is multithreaded, then
immediately after fd_install(), another thread can close() the file
descriptor and cause the file's resources to be cleaned up.
Since the reference to "lessee" is held by the file, we must not access
"lessee" after the fd_install() call.
As far as I can tell, to reach this codepath, the caller must have an open
file descriptor to a DRI device in master mode. I'm not sure what the
requirements for that are.
Signed-off-by: Jann Horn <jannh@google.com>
Fixes: 62884cd386b8 ("drm: Add four ioctls for managing drm mode object leases [v7]")
Cc: stable@vger.kernel.org
---
I'm not sure how to actually use this ioctl, so I have neither verified
the bug experimentally nor experimentally verified the fix. I would
appreciate it if someone could confirm my analysis.
There have been a number of fd_install() bugs over time; I think it's
probably time to rename fd_install() to fd_install_dropref(), or
something like that.
drivers/gpu/drm/drm_lease.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/gpu/drm/drm_lease.c b/drivers/gpu/drm/drm_lease.c
index b54fb78a283c..b82da96ded5c 100644
--- a/drivers/gpu/drm/drm_lease.c
+++ b/drivers/gpu/drm/drm_lease.c
@@ -566,14 +566,14 @@ int drm_mode_create_lease_ioctl(struct drm_device *dev,
lessee_priv->is_master = 1;
lessee_priv->authenticated = 1;
- /* Hook up the fd */
- fd_install(fd, lessee_file);
-
/* Pass fd back to userspace */
DRM_DEBUG_LEASE("Returning fd %d id %d\n", fd, lessee->lessee_id);
cl->fd = fd;
cl->lessee_id = lessee->lessee_id;
+ /* Hook up the fd */
+ fd_install(fd, lessee_file);
+
DRM_DEBUG_LEASE("drm_mode_create_lease_ioctl succeeded\n");
return 0;
--
2.19.0.605.g01d371f741-goog
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH] drm: fix use-after-free read in drm_mode_create_lease_ioctl()
2018-10-01 15:31 [PATCH] drm: fix use-after-free read in drm_mode_create_lease_ioctl() Jann Horn
@ 2018-10-02 8:24 ` Daniel Vetter
0 siblings, 0 replies; 2+ messages in thread
From: Daniel Vetter @ 2018-10-02 8:24 UTC (permalink / raw)
To: Jann Horn
Cc: Keith Packard, Dave Airlie, David Airlie, dri-devel,
linux-kernel, Kees Cook
On Mon, Oct 01, 2018 at 05:31:17PM +0200, Jann Horn wrote:
> fd_install() moves the reference given to it into the file descriptor table
> of the current process. If the current process is multithreaded, then
> immediately after fd_install(), another thread can close() the file
> descriptor and cause the file's resources to be cleaned up.
>
> Since the reference to "lessee" is held by the file, we must not access
> "lessee" after the fd_install() call.
>
> As far as I can tell, to reach this codepath, the caller must have an open
> file descriptor to a DRI device in master mode. I'm not sure what the
> requirements for that are.
>
> Signed-off-by: Jann Horn <jannh@google.com>
> Fixes: 62884cd386b8 ("drm: Add four ioctls for managing drm mode object leases [v7]")
> Cc: stable@vger.kernel.org
> ---
> I'm not sure how to actually use this ioctl, so I have neither verified
> the bug experimentally nor experimentally verified the fix. I would
> appreciate it if someone could confirm my analysis.
>
> There have been a number of fd_install() bugs over time; I think it's
> probably time to rename fd_install() to fd_install_dropref(), or
> something like that.
Publishing an object to the world needs to happen last, only once it's
fully set up. It's unfortunately a very common bug, and definitely not
limited to use-after-free fun. E.g. here you could also confuse the kernel
if you manage to sneak in an ioctl on the new fd, while it's not yet fully
ready for those. fd_install() is just one of these.
Except review and maybe automatic analysis tools for the common I'm not
sure how to catch these better. Because the race is generally small,
tests&fuzzing tend to not hit these.
Thanks a lot for spotting this issue, patch applied.
Cheers, Daniel
> drivers/gpu/drm/drm_lease.c | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/gpu/drm/drm_lease.c b/drivers/gpu/drm/drm_lease.c
> index b54fb78a283c..b82da96ded5c 100644
> --- a/drivers/gpu/drm/drm_lease.c
> +++ b/drivers/gpu/drm/drm_lease.c
> @@ -566,14 +566,14 @@ int drm_mode_create_lease_ioctl(struct drm_device *dev,
> lessee_priv->is_master = 1;
> lessee_priv->authenticated = 1;
>
> - /* Hook up the fd */
> - fd_install(fd, lessee_file);
> -
> /* Pass fd back to userspace */
> DRM_DEBUG_LEASE("Returning fd %d id %d\n", fd, lessee->lessee_id);
> cl->fd = fd;
> cl->lessee_id = lessee->lessee_id;
>
> + /* Hook up the fd */
> + fd_install(fd, lessee_file);
> +
> DRM_DEBUG_LEASE("drm_mode_create_lease_ioctl succeeded\n");
> return 0;
>
> --
> 2.19.0.605.g01d371f741-goog
>
> _______________________________________________
> dri-devel mailing list
> dri-devel@lists.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/dri-devel
--
Daniel Vetter
Software Engineer, Intel Corporation
http://blog.ffwll.ch
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2018-10-02 8:24 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-10-01 15:31 [PATCH] drm: fix use-after-free read in drm_mode_create_lease_ioctl() Jann Horn
2018-10-02 8:24 ` Daniel Vetter
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).