[Intel-xe] [PATCH 1/3] drm/kunit: Avoid a driver uaf
Thomas Hellström
thomas.hellstrom at linux.intel.com
Tue Sep 5 12:43:00 UTC 2023
Hi Maxime,
On 9/5/23 14:06, Maxime Ripard wrote:
> On Tue, Sep 05, 2023 at 10:58:30AM +0200, Thomas Hellström wrote:
>> When using __drm_kunit_helper_alloc_drm_device() the driver may be
>> dereferenced by device-managed resources up until the device is
>> freed, which is typically later than the kunit-managed resource code
>> frees it.
> I'd like to have a bit more context on how a driver can end up in that
> situation?
I interpret the attached traces as follows.
INIT:
Code allocates a struct device as a kunit-managed resource.
Code allocates a drm driver as a kunit-managed resource.
Code allocates a drm device as a device-managed resource.
EXIT:
Kunit resource cleanup frees the drm driver
Kunit resource cleanup frees the struct device, which starts a
device-managed resource cleanup
device-managed cleanup calls drm_dev_put()
drm_dev_put() dereferences the (now freed) drm driver -> Boom.
It should be sufficient to enable KASAN and run the drm_exec_test kunit
test to trigger this.
Thanks,
Thomas
>
> Maxime
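The cleanup ordering Thomas describes, as an added userspace model that is not part of this thread or of the kernel: a kunit-style per-test resource list and a devm-style per-device list both release in reverse registration order, and a "freed" flag stands in for KASAN poisoning so the stale dereference in drm_dev_put() is counted rather than crashing the process. The names (run_test, res_list, touch) are constructed for the illustration; binding the driver's lifetime to the device via the devm list is one possible fix shown for contrast, not necessarily what the patch does.

```c
#include <stdio.h>

/* Toy model of the two resource managers involved. Objects are never
 * really freed; the freed flag plays the role of KASAN poisoning so a
 * stale dereference can be counted instead of crashing. Constructed
 * example, not kernel code. */

#define MAX_RES 8

struct obj {
    const char *name;
    int freed;                    /* set when the owning manager releases it */
};

typedef void (*release_fn)(void *);

struct res_list {
    void *ptr[MAX_RES];
    release_fn rel[MAX_RES];
    int n;
};

static int uaf_count;

/* Stand-in for a KASAN report: a released object was dereferenced. */
static void touch(struct obj *o, const char *who)
{
    if (o->freed) {
        printf("UAF: %s dereferenced freed %s\n", who, o->name);
        uaf_count++;
    }
}

static void res_add(struct res_list *l, void *p, release_fn rel)
{
    l->ptr[l->n] = p;
    l->rel[l->n] = rel;
    l->n++;
}

/* Both real managers release in reverse order of registration (LIFO). */
static void res_release_all(struct res_list *l)
{
    while (l->n > 0) {
        l->n--;
        l->rel[l->n](l->ptr[l->n]);
    }
}

struct drm_driver { struct obj o; };
struct device     { struct obj o; struct res_list devm; };
struct drm_device { struct obj o; struct drm_driver *driver; };

static void free_obj(void *p) { ((struct obj *)p)->freed = 1; }

/* Releasing the struct device first runs its device-managed list. */
static void device_release(void *p)
{
    struct device *dev = p;
    res_release_all(&dev->devm);
    dev->o.freed = 1;
}

/* drm_dev_put() reaches into the driver; that is the dereference the
 * trace in the mail shows blowing up once the driver is gone. */
static void drm_dev_put(void *p)
{
    struct drm_device *ddev = p;
    touch(&ddev->driver->o, "drm_dev_put");
    ddev->o.freed = 1;
}

/* Mirrors the INIT/EXIT sequence from the mail and returns the number
 * of stale dereferences seen. With driver_is_devm set, the driver is
 * registered on the device's devm list before the drm device, so LIFO
 * cleanup runs drm_dev_put() while the driver is still alive (an
 * illustrative fix, assumed for contrast). */
int run_test(int driver_is_devm)
{
    struct res_list kunit = { .n = 0 };
    struct device dev = { .o = { .name = "struct device" } };
    struct drm_driver drv = { .o = { .name = "drm driver" } };
    struct drm_device ddev = { .o = { .name = "drm device" }, .driver = &drv };

    uaf_count = 0;

    res_add(&kunit, &dev, device_release);        /* kunit-managed struct device */
    if (driver_is_devm)
        res_add(&dev.devm, &drv, free_obj);       /* driver bound to the device */
    else
        res_add(&kunit, &drv, free_obj);          /* kunit-managed drm driver */
    res_add(&dev.devm, &ddev, drm_dev_put);       /* device-managed drm device */

    res_release_all(&kunit);                      /* EXIT: kunit cleanup */
    return uaf_count;
}

int main(void)
{
    printf("kunit-managed driver: %d stale dereference(s)\n", run_test(0));
    printf("device-managed driver: %d stale dereference(s)\n", run_test(1));
    return 0;
}
```

In the first run the kunit list releases the driver before the struct device, so the devm cleanup that follows calls drm_dev_put() against a dead driver, which is exactly the EXIT sequence above; in the second run the driver is released by the devm list only after drm_dev_put() has finished with it.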