From patchwork Mon Oct 1 15:31:17 2018
X-Patchwork-Submitter: Jann Horn
X-Patchwork-Id: 10623065
Date: Mon, 1 Oct 2018 17:31:17 +0200
Message-Id: <20181001153117.216923-1-jannh@google.com>
Subject: [PATCH] drm: fix use-after-free read in drm_mode_create_lease_ioctl()
From: Jann Horn
To: Keith Packard, Dave Airlie, David Airlie, dri-devel@lists.freedesktop.org, jannh@google.com
Cc: linux-kernel@vger.kernel.org, Kees Cook

fd_install() moves the reference given to it into the file descriptor
table of the current process. If the current process is multithreaded,
then immediately after fd_install(), another thread can close() the
file descriptor and cause the file's resources to be cleaned up.
Since the reference to "lessee" is held by the file, we must not access
"lessee" after the fd_install() call.

As far as I can tell, to reach this codepath, the caller must have an
open file descriptor to a DRI device in master mode. I'm not sure what
the requirements for that are.

Signed-off-by: Jann Horn
Fixes: 62884cd386b8 ("drm: Add four ioctls for managing drm mode object leases [v7]")
Cc: stable@vger.kernel.org
---
I'm not sure how to actually use this ioctl, so I have neither verified
the bug experimentally nor experimentally verified the fix. I would
appreciate it if someone could confirm my analysis.

There have been a number of fd_install() bugs over time; I think it's
probably time to rename fd_install() to fd_install_dropref(), or
something like that.

 drivers/gpu/drm/drm_lease.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/gpu/drm/drm_lease.c b/drivers/gpu/drm/drm_lease.c
index b54fb78a283c..b82da96ded5c 100644
--- a/drivers/gpu/drm/drm_lease.c
+++ b/drivers/gpu/drm/drm_lease.c
@@ -566,14 +566,14 @@ int drm_mode_create_lease_ioctl(struct drm_device *dev, lessee_priv->is_master = 1; lessee_priv->authenticated = 1; - /* Hook up the fd */ - fd_install(fd, lessee_file); - /* Pass fd back to userspace */ DRM_DEBUG_LEASE("Returning fd %d id %d\n", fd, lessee->lessee_id); cl->fd = fd; cl->lessee_id = lessee->lessee_id; + /* Hook up the fd */ + fd_install(fd, lessee_file); + DRM_DEBUG_LEASE("drm_mode_create_lease_ioctl succeeded\n"); return 0;
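Review bot: the moved "Hook up the fd" comment should say why fd_install() has to stay the last operation, otherwise a later change can reintroduce exactly this bug by adding another lessee access after it; something like `/* Hook up the fd; must be last: a concurrent close() can free lessee after this */` would carry the reasoning from the commit message into the code. The ordering itself looks right for this hunk: after the move the only statements between fd_install(lessee_file) and return 0 are the "succeeded" debug print, which touches neither lessee nor lessee_file, and both reads of lessee->lessee_id (the debug print and cl->lessee_id) now happen while the ioctl still owns the reference. One cosmetic side effect is that the "Returning fd %d id %d" debug line now fires before the fd is actually installed; harmless, but worth knowing when reading traces.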
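A user-space model of the ordering problem the commit message describes, added here as an example and not part of the patch or of the kernel: fd_install_model(), close_model(), struct lessee, the racer hook and the lessee_id value 42 are all assumptions, and the racer stands in for the second thread that calls close() immediately after the install. The "before" function mirrors the removed ordering (install, then read lessee->lessee_id), the "after" function mirrors the added one (read everything, install last).

```c
/* Added example, not kernel or patch code: a user-space model of the
 * fd_install() ownership transfer. fd_install_model(), close_model(),
 * struct lessee and the racer hook are illustrative assumptions; the lessee
 * is flagged "freed" rather than free()d so a stale read stays observable. */
#include <stdio.h>
#include <stdlib.h>

struct lessee {                      /* stand-in for the refcounted drm_master */
    int lessee_id;
    int refcount;
    int freed;                       /* set at refcount zero (real code: kfree) */
};

/* Each entry stands for the lessee_file whose private data owns the single
 * lessee reference; installing the fd hands that file to the table. */
static struct lessee *fd_table[8];
static struct lessee *last_lessee;   /* lets the model free it afterwards */
static void (*racer)(int fd);        /* "another thread runs here" hook */
static int stale_reads;              /* reads of a lessee after it was freed */

static void lessee_put(struct lessee *l)
{
    if (--l->refcount == 0)
        l->freed = 1;
}

/* fd_install(): the caller's reference now belongs to the fd table, so any
 * other thread of the process can close() it from here on. */
static void fd_install_model(int fd, struct lessee *l)
{
    fd_table[fd] = l;
    if (racer)
        racer(fd);
}

static void close_model(int fd)      /* close(): drop the table's reference */
{
    struct lessee *l = fd_table[fd];
    fd_table[fd] = NULL;
    if (l)
        lessee_put(l);
}

static int read_lessee_id(struct lessee *l)
{
    if (l->freed)
        stale_reads++;               /* a use-after-free read in the model */
    return l->lessee_id;
}

static struct lessee *alloc_lease(int id)
{
    struct lessee *l = calloc(1, sizeof(*l));
    l->lessee_id = id;
    l->refcount = 1;                 /* the only reference, owned by the file */
    last_lessee = l;
    return l;
}

/* Ordering before the patch: install, then read lessee->lessee_id. */
static void create_lease_before(int id, int *fd_out, int *id_out)
{
    struct lessee *lessee = alloc_lease(id);
    int fd = 3;                      /* assumed first free descriptor */
    fd_install_model(fd, lessee);
    *fd_out = fd;
    *id_out = read_lessee_id(lessee);    /* stale if the fd was closed */
}

/* Ordering after the patch: read everything, install as the last step. */
static void create_lease_after(int id, int *fd_out, int *id_out)
{
    struct lessee *lessee = alloc_lease(id);
    int fd = 3;
    *fd_out = fd;
    *id_out = read_lessee_id(lessee);    /* reference is still ours here */
    fd_install_model(fd, lessee);        /* nothing touches lessee after this */
}

/* Run one variant with close() racing right after fd_install(); returns
 * how many reads hit a freed lessee and stores the id the caller got. */
static int run_with_racer(void (*variant)(int, int *, int *), int *id_out)
{
    int fd, id;
    stale_reads = 0;
    racer = close_model;
    variant(42, &fd, &id);
    racer = NULL;
    if (fd_table[fd])
        close_model(fd);
    free(last_lessee);
    if (id_out)
        *id_out = id;
    return stale_reads;
}

static int id_seen_by_caller(void (*variant)(int, int *, int *))
{
    int id;
    run_with_racer(variant, &id);
    return id;
}

int main(void)
{
    int id;
    int before = run_with_racer(create_lease_before, &id);
    printf("before patch: %d stale read(s), lessee_id %d\n", before, id);
    int after = run_with_racer(create_lease_after, &id);
    printf("after patch:  %d stale read(s), lessee_id %d\n", after, id);
    return 0;
}
```

The model deliberately makes the race deterministic by running the closing thread's work synchronously inside fd_install_model(); in the kernel the window is a scheduling race, so the "before" ordering is a bug whether or not it is easy to hit.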