KASAN: use-after-free Read in drm_gem_object_release

butt3rflyh4ck butterflyhuangxx at gmail.com
Mon Jul 13 16:47:15 UTC 2020


 Ok, firstly, thanks to Dan Carpenter for pointing out my spelling error.
I have uploaded a PoC and compiled it to a binary; I hope that is helpful
for you to test it.

regards,
butt3rflyh4ck

On Tue, Jul 14, 2020 at 12:12 AM Daniel Vetter <daniel at ffwll.ch> wrote:
>
> Adding Thomas, who's the main author for vram helpers.
> -Daniel
>
> On Fri, Jul 10, 2020 at 1:53 PM Dan Carpenter <dan.carpenter at oracle.com> wrote:
> >
> > On Fri, Jul 10, 2020 at 04:24:03PM +0800, butt3rflyh4ck wrote:
> > > I report a bug (in linux-5.8.0-rc4) found by syzkaller.
> > >
> > > kernel config: https://github.com/butterflyhack/syzkaller-fuzz/blob/master/v5.8.0-rc4.config
> > >
> > > I tested the reproducer and it crashes too.
> > >
> > > In the drm_em_vram_t() function, the ttm_bo_init() function calls
> >          ^^^^^^^^^^^^^
> > This is a typo.  The function name is drm_gem_vram_init().
> >
> > > ttm_bo_init_reserved(),
> > > and the ttm_bo_init_reserved() function calls ttm_bo_put(), which frees
> > > gbo->bo, which is a struct ttm_buffer_object.
> > >
> > > Then it goes to the err_drm_gem_object_release label, where the
> > > drm_gem_object_release() function frees gbo->bo.base, which causes a
> > > use after free.
> > >
> >
> > There is a third free in drm_gem_vram_create().  This is a triple free
> > bug.  The correct place to free this is in drm_gem_vram_create() because
> > that's where it was allocated.
> >
> > This code is quite subtle so I'm not going to attempt to fix it because
> > I can't test it.
> >
> > regards,
> > dan carpenter
> >
>
>
> --
> Daniel Vetter
> Software Engineer, Intel Corporation
> http://blog.ffwll.ch
-------------- next part --------------
A non-text attachment was scrubbed...
Name: uaf-drm_gem_object_release
Type: application/octet-stream
Size: 871704 bytes
Desc: not available
URL: <https://lists.freedesktop.org/archives/dri-devel/attachments/20200714/4811e698/attachment-0002.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: uaf-drm_gem_object_release.c
Type: application/octet-stream
Size: 4647 bytes
Desc: not available
URL: <https://lists.freedesktop.org/archives/dri-devel/attachments/20200714/4811e698/attachment-0003.obj>
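The ownership problem the thread describes (a callee that destroys the object on failure, followed by two more releases on the callers' error paths) is easy to reproduce in miniature. The following is an added, stand-alone C model written for this page; it is not vram-helper or TTM code and not the fix that was eventually applied. bo_put(), bo_init_reserved(), vram_init_*() and vram_create_*() are hypothetical stand-ins for ttm_bo_put(), ttm_bo_init_reserved(), drm_gem_vram_init() and drm_gem_vram_create(); the model assumes, as the thread states, that the lowest-level init consumes the object when it fails. A "release" only increments a counter, so the triple release is a countable result instead of undefined behaviour, and the fixed chain shows the rule a reviewer would apply: the object is released exactly once, by whichever layer owns it at the point of failure.

```c
#include <stdio.h>
#include <stdlib.h>

/* Added example: model of the error-path ownership bug discussed above.
 * Not vram-helper or TTM code; all function names are stand-ins. */

struct bo {
    int refcount;
    int releases;            /* times the object was "destroyed" */
};

enum fail_stage { FAIL_NONE, FAIL_SETUP, FAIL_IN_TTM };

/* Stand-in for ttm_bo_put(): dropping the last reference destroys the
 * object. Here "destroy" only bumps a counter so a double release is
 * observable rather than undefined behaviour. */
static void bo_put(struct bo *bo)
{
    if (--bo->refcount <= 0)
        bo->releases++;      /* kernel: destroy callback + kfree() */
}

/* Stand-in for ttm_bo_init_reserved(): takes the caller's reference and,
 * on failure, drops it. After a failure the caller must not touch bo. */
static int bo_init_reserved(struct bo *bo, enum fail_stage stage)
{
    if (stage == FAIL_IN_TTM) {
        bo_put(bo);
        return -1;
    }
    return 0;
}

/* ---- buggy chain: every layer releases on its own error path ---- */

static int vram_init_buggy(struct bo *bo, enum fail_stage stage)
{
    if (bo_init_reserved(bo, stage) != 0)
        goto err_release;
    return 0;
err_release:
    bo_put(bo);              /* 2nd release: the callee already destroyed it */
    return -1;
}

static int vram_create_buggy(struct bo *bo, enum fail_stage stage)
{
    if (stage == FAIL_SETUP)
        goto err_free;       /* a setup step before the TTM init failed */
    if (vram_init_buggy(bo, stage) != 0)
        goto err_free;
    return 0;
err_free:
    bo_put(bo);              /* 3rd release after a TTM failure */
    return -1;
}

/* ---- fixed chain: exactly one release, by the layer that owns it ---- */

static int vram_init_fixed(struct bo *bo, enum fail_stage stage)
{
    /* On failure the callee has consumed the object: only propagate. */
    return bo_init_reserved(bo, stage);
}

static int vram_create_fixed(struct bo *bo, enum fail_stage stage)
{
    if (stage == FAIL_SETUP) {
        bo_put(bo);          /* still ours: free where it was allocated */
        return -1;
    }
    /* Afterwards the object is live (success) or already gone (failure);
     * in neither case is it released here. */
    return vram_init_fixed(bo, stage);
}

typedef int (*create_fn)(struct bo *, enum fail_stage);

/* Runs one construction attempt and returns how many times the object was
 * destroyed over its lifetime. Correct code yields exactly 1. */
static int run_scenario(create_fn create, enum fail_stage stage)
{
    struct bo *bo = calloc(1, sizeof(*bo));
    int releases;

    if (!bo)
        return -1;
    bo->refcount = 1;        /* allocation hands one reference to create */
    if (create(bo, stage) == 0)
        bo_put(bo);          /* a user of the live object drops it later */
    releases = bo->releases;
    free(bo);                /* real memory is freed once, here */
    return releases;
}

int main(void)
{
    printf("buggy, TTM init fails: %d releases\n",
           run_scenario(vram_create_buggy, FAIL_IN_TTM));
    printf("fixed, TTM init fails: %d releases\n",
           run_scenario(vram_create_fixed, FAIL_IN_TTM));
    printf("fixed, setup fails:    %d releases\n",
           run_scenario(vram_create_fixed, FAIL_SETUP));
    return 0;
}
```

The buggy chain reports three releases for a failing TTM init, which is the triple free Dan counts; the fixed chain reports one for every outcome. The model says nothing about whether the lowest layer should consume the object in the first place (Dan's alternative of releasing only in the allocating function needs the opposite contract); it only shows that the number of owners on any error path must be exactly one.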