| Message ID | 20221230072758.443644-1-zyytlz.wz@163.com |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a5d:4e01:0:0:0:0:0 with SMTP id p1csp2771821wrt;
Thu, 29 Dec 2022 23:32:01 -0800 (PST)
X-Google-Smtp-Source:
AMrXdXsxm8VTTHwPA/KHklWKyDmR2iuQYTCUqggtShFdwwkkI1rns0cgwpB60iJuVE+MjC5erF2p
X-Received: by 2002:a17:907:93c5:b0:7c0:f118:624b with SMTP id
cp5-20020a17090793c500b007c0f118624bmr23995911ejc.44.1672385521358;
Thu, 29 Dec 2022 23:32:01 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1672385521; cv=none;
d=google.com; s=arc-20160816;
b=RvdifeuAUWULpKcjMedYRmAxvmqnuUBnTK0CL646yVdQSwhGhC7rLPv1zzllxpBY5v
TjyfOpIbVewS+KofqMLLvIt8pwkRFhq2v02WFoDeCyeAJGZotGJOO3AgOHqdo/Na/hzQ
CQT31oz6iY7RUKCbGGLB3Zi4WRPlOEgADS4G3USJTdfFe6/K74lU1PM1U8YZjZU+sMSP
tqbmAr7c5KLgrICgtIifePMfIEb181Zrnkrwj8PvPf9hOPqE1Gmn2dhn35aV9yYJ3Fka
nDQxkCpfwg3S8tyRRdotFKmaMW+Sn5T/1szZ6qcfLnKi8bdhacBsoEPUCwuV+IWmpY/X
Y91g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:content-transfer-encoding:mime-version
:message-id:date:subject:cc:to:from:dkim-signature;
bh=BZVBVRQVrTSn4BzI4JujaZV4qktmUeRF9eHZ5CKmHQM=;
b=Dak/748hdQTI//PFxuAj0A1vQrJUFaZbLor8FOpmD4M1HSKB+XyiAehJ3qsHXrJfmk
DSDmYYtWHhCQMSK24Ec/j3kJfVDc9XQkdwwxwjD4PZavL/DgomUk9PjXyaUlnMkc1p8l
tnqK8/TpbHZAfPQSxzEoyu3PT5650zj0nKfSD5r7tTGyYYLX8c1sVW13R2gY2y1IBUVM
jb0qLQCbHc7XFXYYcJ/hcIhfY61Usr9i96IEf0mTVv36PKMJS2f1xILjeF8aKvf+PgzY
7B2HpmlMmKHj8X3UD4tBV9XhkRyGunLiNX5MkSXoEQi68fpOpArYKaEULOxAOjYPUkv3
qNzg==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@163.com header.s=s110527 header.b=gJadKLaW;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=163.com
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
by mx.google.com with ESMTP id
ho6-20020a1709070e8600b007ae186b15f9si19564445ejc.597.2022.12.29.23.31.37;
Thu, 29 Dec 2022 23:32:01 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
dkim=pass header.i=@163.com header.s=s110527 header.b=gJadKLaW;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=163.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S234631AbiL3H20 (ORCPT <rfc822;cscallsign@gmail.com> + 99 others);
Fri, 30 Dec 2022 02:28:26 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51832 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S234590AbiL3H2V (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Fri, 30 Dec 2022 02:28:21 -0500
Received: from m12.mail.163.com (m12.mail.163.com [123.126.96.234])
by lindbergh.monkeyblade.net (Postfix) with ESMTP id 09F5018E08
for <linux-kernel@vger.kernel.org>;
Thu, 29 Dec 2022 23:28:19 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=163.com;
s=s110527; h=From:Subject:Date:Message-Id:MIME-Version; bh=BZVBV
RQVrTSn4BzI4JujaZV4qktmUeRF9eHZ5CKmHQM=; b=gJadKLaWCNs+R5dJcOlvU
pXAWaVns4xKQJLjAOu+DCzyNHH7dhJ3pj3HBpKS6uyqCsb9Hz5V5ts2/uazefHoT
t+TzH+ipfiNnAwWJ/KJaRUX3DCOcCdjr1SyFCyCIczbjTBIXcwvMrD8tlF5jnqtg
Ercxuwa3ZpPBCNZF8HhgUQ=
Received: from leanderwang-LC2.localdomain (unknown [111.206.145.21])
by smtp16 (Coremail) with SMTP id MNxpCgCnzzsVk65jw+eMDQ--.25047S2;
Fri, 30 Dec 2022 15:28:21 +0800 (CST)
From: Zheng Wang <zyytlz.wz@163.com>
To: bskeggs@redhat.com
Cc: kherbst@redhat.com, lyude@redhat.com, airlied@gmail.com,
hackerzheng666@gmail.com, alex000young@gmail.com,
security@kernel.org, daniel@ffwll.ch,
dri-devel@lists.freedesktop.org, nouveau@lists.freedesktop.org,
linux-kernel@vger.kernel.org, Zheng Wang <zyytlz.wz@163.com>
Subject: [PATCH] drm/nouveau/mmu: fix Use after Free bug in
nvkm_vmm_node_split
Date: Fri, 30 Dec 2022 15:27:58 +0800
Message-Id: <20221230072758.443644-1-zyytlz.wz@163.com>
X-Mailer: git-send-email 2.25.1
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-CM-TRANSID: MNxpCgCnzzsVk65jw+eMDQ--.25047S2
X-Coremail-Antispam: 1Uf129KBjvJXoW7GF15Gr48ur17XrW5WryxGrg_yoW8JF4rpF
45uryYvryxuF4Ut340vFy8ur90kan2yFWIk34YvasIvwnxZ3y0vFW5AryUGryrZw4xWw1a
qr4DGr1fWry5ArJanT9S1TB71UUUUUUqnTZGkaVYY2UrUUUUjbIjqfuFe4nvWSU5nxnvy2
9KBjDUYxBIdaVFxhVjvjDU0xZFpf9x0ziaZXrUUUUU=
X-Originating-IP: [111.206.145.21]
X-CM-SenderInfo: h2113zf2oz6qqrwthudrp/xtbCbxTnU2BbEN8pBAAAsW
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,SPF_HELO_NONE,
SPF_PASS autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?=
X-GMAIL-THRID: =?utf-8?q?1753623320410367943?=
X-GMAIL-MSGID: =?utf-8?q?1753623320410367943?=
|
| Series |
drm/nouveau/mmu: fix Use after Free bug in nvkm_vmm_node_split
|
|
Commit Message
Zheng Wang
Dec. 30, 2022, 7:27 a.m. UTC
Here is a function call chain.
nvkm_vmm_pfn_map->nvkm_vmm_pfn_split_merge->nvkm_vmm_node_split
If nvkm_vma_tail return NULL in nvkm_vmm_node_split, it will
finally invoke nvkm_vmm_node_merge->nvkm_vmm_node_delete, which
will free the vma. However, nvkm_vmm_pfn_map didn't notice that.
It goes into next label and UAF happens.
Fix it by returning the return-value of nvkm_vmm_node_merge
instead of NULL.
Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
---
drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
Comments
On Fri, 30 Dec 2022 08:27:58 +0100, Zheng Wang wrote: > > Here is a function call chain. > nvkm_vmm_pfn_map->nvkm_vmm_pfn_split_merge->nvkm_vmm_node_split > If nvkm_vma_tail return NULL in nvkm_vmm_node_split, it will > finally invoke nvkm_vmm_node_merge->nvkm_vmm_node_delete, which > will free the vma. However, nvkm_vmm_pfn_map didn't notice that. > It goes into next label and UAF happens. > > Fix it by returning the return-value of nvkm_vmm_node_merge > instead of NULL. > > Signed-off-by: Zheng Wang <zyytlz.wz@163.com> FWIW, CVE-2023-0030 has been assigned to this bug. It's a question whether it really deserves as a security issue, but a bug is a bug... Ben, could you review this please? thanks, Takashi > --- > drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c b/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c > index ae793f400ba1..84d6fc87b2e8 100644 > --- a/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c > +++ b/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c > @@ -937,8 +937,8 @@ nvkm_vmm_node_split(struct nvkm_vmm *vmm, > if (vma->size != size) { > struct nvkm_vma *tmp; > if (!(tmp = nvkm_vma_tail(vma, vma->size - size))) { > - nvkm_vmm_node_merge(vmm, prev, vma, NULL, vma->size); > - return NULL; > + tmp = nvkm_vmm_node_merge(vmm, prev, vma, NULL, vma->size); > + return tmp; > } > tmp->part = true; > nvkm_vmm_node_insert(vmm, tmp); > -- > 2.25.1 >
On Tue, 03 Jan 2023 15:07:55 +0100, Takashi Iwai wrote: > > On Fri, 30 Dec 2022 08:27:58 +0100, > Zheng Wang wrote: > > > > Here is a function call chain. > > nvkm_vmm_pfn_map->nvkm_vmm_pfn_split_merge->nvkm_vmm_node_split > > If nvkm_vma_tail return NULL in nvkm_vmm_node_split, it will > > finally invoke nvkm_vmm_node_merge->nvkm_vmm_node_delete, which > > will free the vma. However, nvkm_vmm_pfn_map didn't notice that. > > It goes into next label and UAF happens. > > > > Fix it by returning the return-value of nvkm_vmm_node_merge > > instead of NULL. > > > > Signed-off-by: Zheng Wang <zyytlz.wz@163.com> > > FWIW, CVE-2023-0030 has been assigned to this bug. > It's a question whether it really deserves as a security issue, but a > bug is a bug... > > Ben, could you review this please? A gentle ping as reminder. The bug is still present. thanks, Takashi > > > thanks, > > Takashi > > > --- > > drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c | 4 ++-- > > 1 file changed, 2 insertions(+), 2 deletions(-) > > > > diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c b/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c > > index ae793f400ba1..84d6fc87b2e8 100644 > > --- a/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c > > +++ b/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c > > @@ -937,8 +937,8 @@ nvkm_vmm_node_split(struct nvkm_vmm *vmm, > > if (vma->size != size) { > > struct nvkm_vma *tmp; > > if (!(tmp = nvkm_vma_tail(vma, vma->size - size))) { > > - nvkm_vmm_node_merge(vmm, prev, vma, NULL, vma->size); > > - return NULL; > > + tmp = nvkm_vmm_node_merge(vmm, prev, vma, NULL, vma->size); > > + return tmp; > > } > > tmp->part = true; > > nvkm_vmm_node_insert(vmm, tmp); > > -- > > 2.25.1 > >
On Fri, Jan 27, 2023 at 01:10:46PM +0100, Takashi Iwai wrote: > On Tue, 03 Jan 2023 15:07:55 +0100, > Takashi Iwai wrote: > > > > On Fri, 30 Dec 2022 08:27:58 +0100, > > Zheng Wang wrote: > > > > > > Here is a function call chain. > > > nvkm_vmm_pfn_map->nvkm_vmm_pfn_split_merge->nvkm_vmm_node_split > > > If nvkm_vma_tail return NULL in nvkm_vmm_node_split, it will > > > finally invoke nvkm_vmm_node_merge->nvkm_vmm_node_delete, which > > > will free the vma. However, nvkm_vmm_pfn_map didn't notice that. > > > It goes into next label and UAF happens. > > > > > > Fix it by returning the return-value of nvkm_vmm_node_merge > > > instead of NULL. > > > > > > Signed-off-by: Zheng Wang <zyytlz.wz@163.com> > > > > FWIW, CVE-2023-0030 has been assigned to this bug. > > It's a question whether it really deserves as a security issue, but a > > bug is a bug... > > > > Ben, could you review this please? > > A gentle ping as reminder. The bug is still present. This was also reported in [1]. I had a closer look and FWICT this code is fine and there isn't a bug. Zheng Wang, the reporter of the BZ, also confirmed this to be a false positive from CodeQL. Anyway, here's the explaination I also posted in the BZ: "In nvkm_vmm_node_merge() nvkm_vmm_node_delete() is only called when prev is set. However, prev is NULL unless we enter the "if (vma->addr != addr)" path in nvkm_vmm_node_split(). In such a case the vma pointer, which is also passed to nvkm_vmm_node_merge(), is set to a freshly allocated struct nvkm_vma with nvkm_vma_tail() right before prev is set to the old vma pointer. Hence, the only thing happening there when nvkm_vma_tail() fails in the "if (vma->size != size)" path is that either nvkm_vmm_node_merge() does nothing in case prev wasn't set or it merges and frees the new vma created in the "if (vma->addr != addr)" path. Or in other words the proper cleanup for the error condition is done. I can't see any case where the original vma pointer given by nvkm_vmm_pfn_map() is actually freed." [1] https://bugzilla.redhat.com/show_bug.cgi?id=2157041 - Danilo > > > thanks, > > Takashi > > > > > > > thanks, > > > > Takashi > > > > > --- > > > drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c | 4 ++-- > > > 1 file changed, 2 insertions(+), 2 deletions(-) > > > > > > diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c b/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c > > > index ae793f400ba1..84d6fc87b2e8 100644 > > > --- a/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c > > > +++ b/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c > > > @@ -937,8 +937,8 @@ nvkm_vmm_node_split(struct nvkm_vmm *vmm, > > > if (vma->size != size) { > > > struct nvkm_vma *tmp; > > > if (!(tmp = nvkm_vma_tail(vma, vma->size - size))) { > > > - nvkm_vmm_node_merge(vmm, prev, vma, NULL, vma->size); > > > - return NULL; > > > + tmp = nvkm_vmm_node_merge(vmm, prev, vma, NULL, vma->size); > > > + return tmp; > > > } > > > tmp->part = true; > > > nvkm_vmm_node_insert(vmm, tmp); > > > -- > > > 2.25.1 > > > >
On Sat, 28 Jan 2023 03:17:15 +0100, Danilo Krummrich wrote: > > On Fri, Jan 27, 2023 at 01:10:46PM +0100, Takashi Iwai wrote: > > On Tue, 03 Jan 2023 15:07:55 +0100, > > Takashi Iwai wrote: > > > > > > On Fri, 30 Dec 2022 08:27:58 +0100, > > > Zheng Wang wrote: > > > > > > > > Here is a function call chain. > > > > nvkm_vmm_pfn_map->nvkm_vmm_pfn_split_merge->nvkm_vmm_node_split > > > > If nvkm_vma_tail return NULL in nvkm_vmm_node_split, it will > > > > finally invoke nvkm_vmm_node_merge->nvkm_vmm_node_delete, which > > > > will free the vma. However, nvkm_vmm_pfn_map didn't notice that. > > > > It goes into next label and UAF happens. > > > > > > > > Fix it by returning the return-value of nvkm_vmm_node_merge > > > > instead of NULL. > > > > > > > > Signed-off-by: Zheng Wang <zyytlz.wz@163.com> > > > > > > FWIW, CVE-2023-0030 has been assigned to this bug. > > > It's a question whether it really deserves as a security issue, but a > > > bug is a bug... > > > > > > Ben, could you review this please? > > > > A gentle ping as reminder. The bug is still present. > > This was also reported in [1]. I had a closer look and FWICT this code is fine > and there isn't a bug. > > Zheng Wang, the reporter of the BZ, also confirmed this to be a false positive > from CodeQL. > > Anyway, here's the explaination I also posted in the BZ: > > "In nvkm_vmm_node_merge() nvkm_vmm_node_delete() is only called when prev is > set. However, prev is NULL unless we enter the "if (vma->addr != addr)" path in > nvkm_vmm_node_split(). In such a case the vma pointer, which is also passed to > nvkm_vmm_node_merge(), is set to a freshly allocated struct nvkm_vma with > nvkm_vma_tail() right before prev is set to the old vma pointer. > > Hence, the only thing happening there when nvkm_vma_tail() fails in the > "if (vma->size != size)" path is that either nvkm_vmm_node_merge() does nothing > in case prev wasn't set or it merges and frees the new vma created in the > "if (vma->addr != addr)" path. Or in other words the proper cleanup for the > error condition is done. > > I can't see any case where the original vma pointer given by nvkm_vmm_pfn_map() > is actually freed." > > [1] https://bugzilla.redhat.com/show_bug.cgi?id=2157041 Thanks for the information! Then we should try to dispute the CVE. I'll ask our security team. Takashi > > - Danilo > > > > > > > thanks, > > > > Takashi > > > > > > > > > > > thanks, > > > > > > Takashi > > > > > > > --- > > > > drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c | 4 ++-- > > > > 1 file changed, 2 insertions(+), 2 deletions(-) > > > > > > > > diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c b/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c > > > > index ae793f400ba1..84d6fc87b2e8 100644 > > > > --- a/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c > > > > +++ b/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c > > > > @@ -937,8 +937,8 @@ nvkm_vmm_node_split(struct nvkm_vmm *vmm, > > > > if (vma->size != size) { > > > > struct nvkm_vma *tmp; > > > > if (!(tmp = nvkm_vma_tail(vma, vma->size - size))) { > > > > - nvkm_vmm_node_merge(vmm, prev, vma, NULL, vma->size); > > > > - return NULL; > > > > + tmp = nvkm_vmm_node_merge(vmm, prev, vma, NULL, vma->size); > > > > + return tmp; > > > > } > > > > tmp->part = true; > > > > nvkm_vmm_node_insert(vmm, tmp); > > > > -- > > > > 2.25.1 > > > > > > >
diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c b/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c index ae793f400ba1..84d6fc87b2e8 100644 --- a/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c +++ b/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c @@ -937,8 +937,8 @@ nvkm_vmm_node_split(struct nvkm_vmm *vmm, if (vma->size != size) { struct nvkm_vma *tmp; if (!(tmp = nvkm_vma_tail(vma, vma->size - size))) { - nvkm_vmm_node_merge(vmm, prev, vma, NULL, vma->size); - return NULL; + tmp = nvkm_vmm_node_merge(vmm, prev, vma, NULL, vma->size); + return tmp; } tmp->part = true; nvkm_vmm_node_insert(vmm, tmp);