<div><div><div dir="auto" style="font-family:'-apple-system','helveticaneue';font-size:15px;font-style:normal;font-weight:400;letter-spacing:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;background-color:rgba(0,0,0,0);border-color:rgb(0,0,0);color:rgb(0,0,0)">Hello, </div><div dir="auto" style="font-family:'-apple-system','helveticaneue';font-size:15px;font-style:normal;font-weight:400;letter-spacing:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;background-color:rgba(0,0,0,0);border-color:rgb(0,0,0);color:rgb(0,0,0)">thank you for patching the first bug we have sent!</div><div dir="auto" style="font-family:'-apple-system','helveticaneue';font-size:15px;font-style:normal;font-weight:400;letter-spacing:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;background-color:rgba(0,0,0,0);border-color:rgb(0,0,0);color:rgb(0,0,0)"><br></div><div dir="auto" style="font-family:'-apple-system','helveticaneue';font-size:15px;font-style:normal;font-weight:400;letter-spacing:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;background-color:rgba(0,0,0,0);border-color:rgb(0,0,0);color:rgb(0,0,0)">Just a quick touch base with you, to ask if there has been any update on our other two bugs.</div><div dir="auto" style="font-family:'-apple-system','helveticaneue';font-size:15px;font-style:normal;font-weight:400;letter-spacing:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;background-color:rgba(0,0,0,0);border-color:rgb(0,0,0);color:rgb(0,0,0)">They were each sent with emails titled </div><div dir="auto" 
style="font-family:'-apple-system','helveticaneue';font-size:15px;font-style:normal;font-weight:400;letter-spacing:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;background-color:rgba(0,0,0,0);border-color:rgb(0,0,0);color:rgb(0,0,0)">"Reporting a slab-use-after-free in amdgpu" (this one)</div><div dir="auto" style="font-family:'-apple-system','helveticaneue';font-size:15px;font-style:normal;font-weight:400;letter-spacing:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;background-color:rgba(0,0,0,0);border-color:rgb(0,0,0);color:rgb(0,0,0)">"Reporting a null-ptr-deref in amdgpu". </div><div dir="auto" style="font-family:'-apple-system','helveticaneue';font-size:15px;font-style:normal;font-weight:400;letter-spacing:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;background-color:rgba(0,0,0,0);border-color:rgb(0,0,0);color:rgb(0,0,0)"><br></div><div dir="auto" style="font-family:'-apple-system','helveticaneue';font-size:15px;font-style:normal;font-weight:400;letter-spacing:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;background-color:rgba(0,0,0,0);border-color:rgb(0,0,0);color:rgb(0,0,0)">Thank you! 
</div><div dir="auto" style="font-family:'-apple-system','helveticaneue';font-size:15px;font-style:normal;font-weight:400;letter-spacing:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;background-color:rgba(0,0,0,0);border-color:rgb(0,0,0);color:rgb(0,0,0)"><br></div><div dir="auto" style="font-family:'-apple-system','helveticaneue';font-size:15px;font-style:normal;font-weight:400;letter-spacing:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;background-color:rgba(0,0,0,0);border-color:rgb(0,0,0);color:rgb(0,0,0)">Best, </div><div dir="auto" style="font-family:'-apple-system','helveticaneue';font-size:15px;font-style:normal;font-weight:400;letter-spacing:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;background-color:rgba(0,0,0,0);border-color:rgb(0,0,0);color:rgb(0,0,0)">Joonkyo</div></div><br></div><div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Feb 16, 2024 at 6:22 PM Joonkyo Jung <<a href="mailto:joonkyoj@yonsei.ac.kr">joonkyoj@yonsei.ac.kr</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hello,<br><br>We would like to report a slab-use-after-free bug in the AMDGPU DRM driver in the Linux kernel v6.8-rc4 that we found with our customized Syzkaller.<br>The bug can be triggered by sending two ioctls to the AMDGPU DRM driver in succession.<br><br>In amdgpu_bo_move, struct ttm_resource *old_mem = bo->resource is assigned.<br>As you can see in the alloc & free stack calls, in the same function amdgpu_bo_move,<br>amdgpu_move_blit in the end frees bo->resource at ttm_bo_move_accel_cleanup with ttm_bo_wait_free_node(bo, man->use_tt).<br>But amdgpu_bo_move continues after that, reaching trace_amdgpu_bo_move(abo, new_mem->mem_type, old_mem->mem_type) at the end, causing the use-after-free bug.<br><br>Steps to 
reproduce are as below.<br>union drm_amdgpu_gem_create *arg1;<br><br>arg1 = malloc(sizeof(union drm_amdgpu_gem_create));<br>arg1->in.bo_size = 0x8;<br>arg1->in.alignment = 0x0;<br>arg1->in.domains = 0x4;<br>arg1->in.domain_flags = 0x9;<br>ioctl(fd, 0xc0206440, arg1);<br><br>arg1->in.bo_size = 0x7fffffff;<br>arg1->in.alignment = 0x0;<br>arg1->in.domains = 0x4;<br>arg1->in.domain_flags = 0x9;<br>ioctl(fd, 0xc0206440, arg1);<br><br>The KASAN report is as follows:<br>==================================================================<br>BUG: KASAN: slab-use-after-free in amdgpu_bo_move+0x1479/0x1550<br>Read of size 4 at addr ffff88800f5bee80 by task syz-executor/219<br>Call Trace:<br> <TASK><br> amdgpu_bo_move+0x1479/0x1550<br> ttm_bo_handle_move_mem+0x4d0/0x700<br> ttm_mem_evict_first+0x945/0x1230<br> ttm_bo_mem_space+0x6c7/0x940<br> ttm_bo_validate+0x286/0x650<br> ttm_bo_init_reserved+0x34c/0x490<br> amdgpu_bo_create+0x94b/0x1610<br> amdgpu_bo_create_user+0xa3/0x130<br> amdgpu_gem_create_ioctl+0x4bc/0xc10<br> drm_ioctl_kernel+0x300/0x410<br> drm_ioctl+0x648/0xb30<br> amdgpu_drm_ioctl+0xc8/0x160<br> </TASK><br><br>Allocated by task 219:<br> kmalloc_trace+0x211/0x390<br> amdgpu_vram_mgr_new+0x1d6/0xbe0<br> ttm_resource_alloc+0xfd/0x1e0<br> ttm_bo_mem_space+0x255/0x940<br> ttm_bo_validate+0x286/0x650<br> ttm_bo_init_reserved+0x34c/0x490<br> amdgpu_bo_create+0x94b/0x1610<br> amdgpu_bo_create_user+0xa3/0x130<br> amdgpu_gem_create_ioctl+0x4bc/0xc10<br> drm_ioctl_kernel+0x300/0x410<br> drm_ioctl+0x648/0xb30<br> amdgpu_drm_ioctl+0xc8/0x160<br><br>Freed by task 219:<br> kfree+0x111/0x2d0<br> ttm_resource_free+0x17e/0x1e0<br> ttm_bo_move_accel_cleanup+0x77e/0x9b0<br> amdgpu_move_blit+0x3db/0x670<br> amdgpu_bo_move+0xfa2/0x1550<br> ttm_bo_handle_move_mem+0x4d0/0x700<br> ttm_mem_evict_first+0x945/0x1230<br> ttm_bo_mem_space+0x6c7/0x940<br> ttm_bo_validate+0x286/0x650<br> ttm_bo_init_reserved+0x34c/0x490<br> amdgpu_bo_create+0x94b/0x1610<br> amdgpu_bo_create_user+0xa3/0x130<br> 
amdgpu_gem_create_ioctl+0x4bc/0xc10<br> drm_ioctl_kernel+0x300/0x410<br> drm_ioctl+0x648/0xb30<br> amdgpu_drm_ioctl+0xc8/0x160<br><br>The buggy address belongs to the object at ffff88800f5bee70<br> which belongs to the cache kmalloc-96 of size 96<br>The buggy address is located 16 bytes inside of<br> freed 96-byte region [ffff88800f5bee70, ffff88800f5beed0)<br><br>Should you need any more information, please do not hesitate to contact us.<br><br>Best regards,<br>Joonkyo Jung<br></div>
</blockquote></div></div>
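An added C illustration of the pointer-lifetime problem the report describes (old_mem saved, the resource released by the move cleanup, old_mem->mem_type read afterwards) beside the defensive pattern that snapshots the field before the move. The types and helpers are simplified stand-ins for the TTM structures, not the kernel's or the reporter's code, and the poisoning free is an assumption that mimics how KASAN makes a stale read observable.

```c
/* Added illustration, not kernel code: a minimal model of the old_mem lifetime
 * problem on the buffer-object move path and the hardened form of the same code. */
#include <stdint.h>
#include <stdlib.h>

#define POISON 0xdeadbeefu   /* stand-in for KASAN's freed-object redzone */

/* Simplified stand-ins for struct ttm_resource / struct ttm_buffer_object. */
struct ttm_resource { uint32_t mem_type; };
struct ttm_buffer_object { struct ttm_resource *resource; };

/* Stand-in for ttm_resource_free()/kfree(): instead of returning memory to the
 * allocator, poison it so a later stale read is deterministic and visible. */
static void resource_free(struct ttm_resource *res) { res->mem_type = POISON; }

/* Stand-in for ttm_bo_move_accel_cleanup(): releases the old resource and
 * installs new_mem. After this call no pointer to the old resource is valid. */
static void move_accel_cleanup(struct ttm_buffer_object *bo, struct ttm_resource *new_mem) {
    resource_free(bo->resource);
    bo->resource = new_mem;
}

/* Pattern from the report: old_mem is dereferenced after the cleanup freed it. */
static uint32_t bo_move_stale(struct ttm_buffer_object *bo, struct ttm_resource *new_mem) {
    struct ttm_resource *old_mem = bo->resource;
    move_accel_cleanup(bo, new_mem);
    return old_mem->mem_type;   /* reads the freed object: yields POISON here */
}

/* Hardened pattern: copy the one field needed after the move while old_mem is live,
 * so nothing dereferences the released resource once the cleanup has run. */
static uint32_t bo_move_fixed(struct ttm_buffer_object *bo, struct ttm_resource *new_mem) {
    uint32_t old_type = bo->resource->mem_type;
    move_accel_cleanup(bo, new_mem);
    return old_type;
}

/* Drives one move with constructed sample values: old mem_type 4, new mem_type 2. */
static uint32_t run_move(uint32_t (*move)(struct ttm_buffer_object *, struct ttm_resource *)) {
    struct ttm_resource old = { 4 }, new_mem = { 2 };
    struct ttm_buffer_object bo = { &old };
    return move(&bo, &new_mem);
}
```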