BUG: KASAN: use-after-free in drm_atomic_helper_wait_for_vblanks()

Daniel Vetter daniel at ffwll.ch
Wed Mar 30 09:45:17 UTC 2022


On Tue, Mar 15, 2022 at 12:53:30AM +0300, Dmitry Osipenko wrote:
> On 3/11/22 17:22, Maxime Ripard wrote:
> > Hi Dmitry,
> > 
> > On Thu, Mar 10, 2022 at 03:33:07AM +0300, Dmitry Osipenko wrote:
> >> I was playing/testing SuperTuxKart using VirtIO-GPU driver and spotted a
> >> UAF bug in drm_atomic_helper_wait_for_vblanks().
> >>
> >> SuperTuxKart can use DRM directly, i.e. you can run the game in a VT without
> >> Xorg or Wayland, and this is where the bug happens. SuperTuxKart uses
> >> non-blocking atomic page flips, and the UAF happens when a new atomic state
> >> is committed while a previous page flip is still in flight.
> >>
> >> What happens is that the new and old atomic states refer to the same
> >> CRTC state somehow. Once the older atomic state is destroyed, the CRTC
> >> state is freed and the newer atomic state continues to use the freed
> >> CRTC state.
> > 
> > I'm not sure what you mean by "the new and old atomic states refer to
> > the same CRTC state", are those the same pointers?
> 
> Yes, the pointers are the same. I'd assume that the newer atomic state
> should duplicate CRTC state, but apparently it doesn't happen.

The legacy cursor hack stuff does this, and it pretty fundamentally breaks
everything. Might be good to retest with that disabled:

https://lore.kernel.org/dri-devel/20201023123925.2374863-1-daniel.vetter@ffwll.ch/

The problem is a bit that this might cause some regressions, for drivers
which don't yet have the fancy new cursor fastpath for plane updates.
-Daniel


> >> The bug is easily reproducible (at least by me) by playing SuperTuxKart
> >> for a minute. It is present on the latest -next and 5.17-rc7; I haven't
> >> checked older kernel versions.
> >>
> >> I'm not an expert on the non-blocking code paths in DRM, so I'm asking for
> >> suggestions about where the root of the problem could be.
> > 
> > Does it occur with other platforms? Can you easily test on something else?
> 
> Shouldn't be easy to replicate this on other platforms, but I'll try.

-- 
Daniel Vetter
Software Engineer, Intel Corporation
http://blog.ffwll.ch

