[Intel-xe] [PATCH 1/3] drm/kunit: Avoid a driver uaf

Thomas Hellström thomas.hellstrom at linux.intel.com
Thu Sep 7 10:32:42 UTC 2023


Hi, Maxime,

On 9/6/23 12:08, Maxime Ripard wrote:
> On Tue, Sep 05, 2023 at 02:43:00PM +0200, Thomas Hellström wrote:
>> Hi Maxime,
>>
>> On 9/5/23 14:06, Maxime Ripard wrote:
>>> On Tue, Sep 05, 2023 at 10:58:30AM +0200, Thomas Hellström wrote:
>>>> When using __drm_kunit_helper_alloc_drm_device() the driver may be
>>>> dereferenced by device-managed resources up until the device is
>>>> freed, which is typically later than the kunit-managed resource code
>>>> frees it.
>>> I'd like to have a bit more context on how a driver can end up in that
>>> situation?
>> I interpret the attached traces as follows.
>>
>> INIT:
>>
>> Code allocates a struct device as a kunit-managed resource.
>> Code allocates a drm driver as a kunit-managed resource.
>> Code allocates a drm device as a device-managed resource.
>>
>> EXIT:
>>
>> Kunit resource cleanup frees the drm driver.
>> Kunit resource cleanup frees the struct device, which starts a
>> device-managed resource cleanup.
>> Device-managed cleanup calls drm_dev_put().
>> drm_dev_put() dereferences the (now freed) drm driver -> Boom.
>>
>> It should be sufficient to enable KASAN and run the drm_exec_test kunit test
>> to trigger this.
> Ack. Can you put this into your commit log?
>
> Thanks!
> Maxime

Thanks for reviewing. I'll update this and the other patch with your 
comments.

Thanks,

Thomas
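
As an added illustration (not code from the patch, the kunit helpers or the kernel), the following user-space model replays the two resource lists described in the thread: a kunit-managed list and a device-managed list, each released in reverse registration order, which is what the trace implies. Every name here is a stand-in for the kernel object of the same name, `seen_alive` plays the role KASAN plays in the real report, and the actual fix carried by the patch is not reproduced.

```c
#include <stdbool.h>
#define MAX_RES 8
typedef void (*cleanup_fn)(void *);
struct res { cleanup_fn fn; void *p; };
/* LIFO resource list: cleanup runs in reverse registration order, modelling
 * both kunit-managed and device-managed (devm) resources (assumption). */
struct res_list { struct res r[MAX_RES]; int n; };

static void res_add(struct res_list *l, cleanup_fn fn, void *p)
{
	l->r[l->n++] = (struct res){ fn, p };
}
static void res_cleanup(struct res_list *l)
{
	while (l->n > 0) { struct res *r = &l->r[--l->n]; r->fn(r->p); }
}

/* 'alive' stands in for KASAN: false means the object has been freed. */
struct drm_driver { bool alive; };
struct device { struct res_list devm; };
struct drm_device { struct drm_driver *driver; bool *seen_alive; };

static void free_driver(void *p) { ((struct drm_driver *)p)->alive = false; }
static void free_device(void *p) { res_cleanup(&((struct device *)p)->devm); }
/* devm release callback standing in for drm_dev_put(); this is the UAF. */
static void drm_dev_put_cb(void *p)
{
	struct drm_device *d = p;
	*d->seen_alive = d->driver->alive;
}

/* Returns true if drm_dev_put_cb() ran while the driver was still alive.
 * driver_first registers the driver with kunit before (true) or after
 * (false) the struct device; the trace in the thread is the 'after' case. */
bool run_test(bool driver_first)
{
	struct res_list kunit = { .n = 0 };
	struct drm_driver drv = { .alive = true };
	struct device dev = { .devm = { .n = 0 } };
	bool seen_alive = false;
	struct drm_device ddev = { &drv, &seen_alive };

	if (driver_first) res_add(&kunit, free_driver, &drv);
	res_add(&kunit, free_device, &dev);
	if (!driver_first) res_add(&kunit, free_driver, &drv);
	res_add(&dev.devm, drm_dev_put_cb, &ddev); /* drm device is devm-managed */
	res_cleanup(&kunit); /* test exit: LIFO cleanup of kunit resources */
	return seen_alive;
}
```

`run_test(false)` reproduces the ordering in the trace (driver freed before the device's devm cleanup dereferences it); `run_test(true)` shows that a driver which outlives the device is safe in this model.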
