Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

drm/virtio: Fix GEM handle creation UAF

Userspace can guess the handle value and try to race GEM object creation
with handle close, resulting in a use-after-free if we dereference the
object after dropping the handle's reference. For that reason, dropping
the handle's reference must be done *after* we are done dereferencing
the object.

Signed-off-by: Rob Clark <robdclark@chromium.org>
Reviewed-by: Chia-I Wu <olvaffe@gmail.com>
Fixes: 62fb7a5e1096 ("virtio-gpu: add 3d/virgl support")
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20221216233355.542197-2-robdclark@gmail.com

Authored by Rob Clark and committed by Dmitry Osipenko (52531258, 0688773f)

+17 -2
drivers/gpu/drm/virtio/virtgpu_ioctl.c
··· 358 358 drm_gem_object_release(obj); 359 359 return ret; 360 360 } 361 - drm_gem_object_put(obj); 362 361 363 362 rc->res_handle = qobj->hw_res_handle; /* similiar to a VM address */ 364 363 rc->bo_handle = handle; 364 + 365 + /* 366 + * The handle owns the reference now. But we must drop our 367 + * remaining reference *after* we no longer need to dereference 368 + * the obj. Otherwise userspace could guess the handle and 369 + * race closing it from another thread. 370 + */ 371 + drm_gem_object_put(obj); 372 + 365 373 return 0; 366 374 } 367 375 ··· 731 723 drm_gem_object_release(obj); 732 724 return ret; 733 725 } 734 - drm_gem_object_put(obj); 735 726 736 727 rc_blob->res_handle = bo->hw_res_handle; 737 728 rc_blob->bo_handle = handle; 729 + 730 + /* 731 + * The handle owns the reference now. But we must drop our 732 + * remaining reference *after* we no longer need to dereference 733 + * the obj. Otherwise userspace could guess the handle and 734 + * race closing it from another thread. 735 + */ 736 + drm_gem_object_put(obj); 738 737 739 738 return 0; 740 739 }
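Review bot: in the first hunk (old line 361 removed, new lines 364-372) the deferred `drm_gem_object_put(obj)` is now the last statement before `return 0`, so the reads of `qobj->hw_res_handle` and the `rc->bo_handle = handle` store at new lines 362-363 all happen while the caller still holds its own reference; nothing dereferences `obj` or `qobj` after the handle-owned reference becomes the only one. The early-return error path in the context (`drm_gem_object_release(obj); return ret;`) still runs before the put and is unchanged by the move. Nit: the unchanged context line 362 spells "similiar"; worth fixing while this function is being touched.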
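Review bot: the second hunk (old line 734 removed, new lines 729-736) applies the same reordering to the blob path, and again `drm_gem_object_put(obj)` follows the last use of `bo->hw_res_handle` and the `rc_blob->bo_handle = handle` store, so the window between handle publication and the final dereference is closed there too. Style point: the six-line comment is copied verbatim from the first hunk; a one-line comment referring to the earlier explanation would avoid keeping two identical copies in sync.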