KASAN: use-after-free Read in drm_gem_object_release

Dan Carpenter dan.carpenter at oracle.com
Fri Jul 10 11:52:40 UTC 2020


On Fri, Jul 10, 2020 at 04:24:03PM +0800, butt3rflyh4ck wrote:
> I report a bug (in linux-5.8.0-rc4) found by syzkaller.
> 
> kernel config: https://github.com/butterflyhack/syzkaller-fuzz/blob/master/v5.8.0-rc4.config
> 
> I tested the reproducer and it crashes too.
> 
> In the drm_em_vram_t() function,  ttm_bo_init() function call
         ^^^^^^^^^^^^^
This is a typo.  The function name is drm_gem_vram_init().

> ttm_bo_init_reserved(),
> the ttm_bo_init_reserved() function calls ttm_bo_put(), which will free
> gbo->bo, a struct ttm_buffer_object.
> 
> Then, at the err_drm_gem_object_release label,
> drm_gem_object_release() will free gbo->bo.base, which causes a use
> after free.
> 

There is a third free in drm_gem_vram_create().  This is a triple free
bug.  The correct place to free this is in drm_gem_vram_create() because
that's where it was allocated.

This code is quite subtle so I'm not going to attempt to fix it because
I can't test it.

regards,
dan carpenter
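The ownership rule in the reply above (free the object only where it was allocated, in drm_gem_vram_create(), not in each failing init layer) can be illustrated with a small model. This is an added example, not code from the thread, from the kernel or from any DRM patch: toy_bo, toy_gbo, bo_put(), bo_init_reserved(), gbo_init() and gbo_create() are constructed stand-ins for the three layers named in the report, and real free() is replaced by a release log, because actually releasing the same object three times would be undefined behaviour rather than something a test could observe.

```c
/* Added example modelling the triple-release described in the thread.
 * All names here are constructed; nothing below is kernel code. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for a buffer object whose last put() releases it. */
struct toy_bo {
    int refcount;
    bool released;        /* set once the object has been released */
};

/* Outer object embedding the buffer object, like gbo->bo in the report. */
struct toy_gbo {
    struct toy_bo bo;
};

/* Every release of the embedded object is recorded here instead of being
 * passed to free(), so the model can count repeated releases safely. */
struct release_log {
    int releases;         /* release calls on the embedded object */
    int double_releases;  /* releases of an already-released object */
};

static void log_release(struct release_log *log, bool *released)
{
    log->releases++;
    if (*released)
        log->double_releases++;
    *released = true;
}

/* Models ttm_bo_put(): drop one reference, release on the last one. */
static void bo_put(struct toy_bo *bo, struct release_log *log)
{
    if (--bo->refcount == 0)
        log_release(log, &bo->released);
}

/* Lowest layer. The buggy variant puts the caller's object on failure
 * (release #1); the fixed variant reports the error and touches nothing. */
static int bo_init_reserved(struct toy_bo *bo, bool fail, bool buggy,
                            struct release_log *log)
{
    bo->refcount = 1;
    if (!fail)
        return 0;
    if (buggy)
        bo_put(bo, log);
    return -1;
}

/* Middle layer with an error label. The buggy variant releases again
 * there (release #2); the fixed variant only propagates the error. */
static int gbo_init(struct toy_gbo *gbo, bool fail, bool buggy,
                    struct release_log *log)
{
    int ret = bo_init_reserved(&gbo->bo, fail, buggy, log);
    if (ret && buggy)
        log_release(log, &gbo->bo.released);
    return ret;
}

/* Top layer: it allocated the object, so in the fixed flow it is the one
 * and only place that releases it on failure (release #3 when buggy). */
static int gbo_create(bool fail, bool buggy, struct release_log *log)
{
    struct toy_gbo *gbo = calloc(1, sizeof(*gbo));
    int ret;

    if (!gbo)
        return -1;
    ret = gbo_init(gbo, fail, buggy, log);
    if (ret)
        log_release(log, &gbo->bo.released);
    free(gbo);            /* the outer allocation is freed exactly once */
    return ret;
}

/* Number of release calls made by one failing create(). */
int count_releases(bool buggy)
{
    struct release_log log = {0};
    gbo_create(true, buggy, &log);
    return log.releases;
}

/* Number of those releases that hit an already-released object. */
int count_double_releases(bool buggy)
{
    struct release_log log = {0};
    gbo_create(true, buggy, &log);
    return log.double_releases;
}

int main(void)
{
    printf("buggy: %d releases, %d repeated\n",
           count_releases(true), count_double_releases(true));
    printf("fixed: %d releases, %d repeated\n",
           count_releases(false), count_double_releases(false));
    return 0;
}
```

With `buggy` set, one failing create produces three releases of the same embedded object, two of them on an object already released; with every layer except the allocator leaving ownership alone, the same failure produces exactly one release. KASAN reports the real case as a use-after-free read because the second and third releases read fields of memory that the first one already returned to the allocator.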