2019-07-09 06:59:45

by Janusz Krzysztofik

Subject: [PATCH] drm/i915: Fix reporting of size of created GEM object

Commit e163484afa8d ("drm/i915: Update size upon return from
GEM_CREATE") (re)introduced reporting of actual size of created GEM
objects, possibly rounded up on object alignment. Unfortunately, its
implementation resulted in a possible use-after-free bug. The bug has
been fixed by commit 929eec99f5fd ("drm/i915: Avoid use-after-free in
reporting create.size") at the cost of possibly incorrect value being
reported as actual object size.

Safely restore correct reporting by capturing actual size of created
GEM object before a reference to the object is put.

Fixes: 929eec99f5fd ("drm/i915: Avoid use-after-free in reporting create.size")
Signed-off-by: Janusz Krzysztofik <[email protected]>
---
drivers/gpu/drm/i915/i915_gem.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/drivers/gpu/drm/i915/i915_gem.c b/drivers/gpu/drm/i915/i915_gem.c
index 7ade42b8ec99..16bae5870d6f 100644
--- a/drivers/gpu/drm/i915/i915_gem.c
+++ b/drivers/gpu/drm/i915/i915_gem.c
@@ -171,6 +171,7 @@ i915_gem_create(struct drm_file *file,
obj = i915_gem_object_create_shmem(dev_priv, size);
if (IS_ERR(obj))
return PTR_ERR(obj);
+ size = obj->base.size;

ret = drm_gem_handle_create(file, &obj->base, &handle);
/* drop reference from allocate - handle holds it now */
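Review bot: the hunk captures obj->base.size into `size` immediately after the successful create, but the statement that hands that value back to the caller lies outside the visible context, so the diff alone does not show that the captured value (rather than the originally requested size) is what ends up reported, or that it is still consumed on the drm_gem_handle_create() failure path. Consider widening the hunk context to include the write-back, or naming the consuming statement in the commit message, so a reviewer can confirm the reported value actually changes. Also note that `size` is the same variable passed to i915_gem_object_create_shmem(dev_priv, size) a few lines above; overwriting it discards the caller's requested size, and if that is needed later a separate local would be clearer.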
--
2.21.0
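The ordering the commit message argues for (read the object's actual size while the creator still holds a reference, then drop it, then report the copy) as a constructed, stand-alone C model; this is added illustration, not i915 code, and struct model_obj, model_obj_create, model_obj_put, model_handle_create and gem_create_model are hypothetical names with a 4096-byte alignment assumed.

```c
#include <stdint.h>
#include <stdlib.h>

/* Constructed model of a refcounted GEM-like object; all names below are
 * hypothetical and not taken from the i915 driver. */
#define MODEL_PAGE_SIZE 4096ULL

struct model_obj {
	int refcount;
	uint64_t size;   /* actual size, rounded up to the object alignment */
};

static struct model_obj *model_obj_create(uint64_t requested)
{
	struct model_obj *o = malloc(sizeof(*o));
	if (!o) return NULL;
	o->refcount = 1;                 /* creator's reference */
	o->size = (requested + MODEL_PAGE_SIZE - 1) & ~(MODEL_PAGE_SIZE - 1);
	return o;
}

static void model_obj_put(struct model_obj *o)
{
	if (--o->refcount == 0)
		free(o);                 /* any later deref of o is a use-after-free */
}

/* Handle table: on success it takes its own reference; on failure only the
 * creator's reference exists, so the put in gem_create_model() frees o. */
static int model_handle_create(struct model_obj *o, int *handle, int fail)
{
	if (fail) return -1;
	o->refcount++;
	*handle = 1;
	return 0;
}

/* Safe ordering: capture size while the creator's reference is still held.
 * Reading o->size after model_obj_put() would be the use-after-free the
 * commit message describes; reporting `requested` instead would be wrong. */
static int gem_create_model(uint64_t requested, uint64_t *size_out,
			    int *handle_out, int fail)
{
	struct model_obj *o = model_obj_create(requested);
	if (!o) return -1;
	uint64_t size = o->size;         /* capture before the reference is put */
	int ret = model_handle_create(o, handle_out, fail);
	model_obj_put(o);                /* drop creator's ref; may free o */
	if (ret) return ret;
	*size_out = size;                /* report from the captured copy only */
	return 0;
}
```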


2019-07-09 07:06:59

by Chris Wilson

Subject: Re: [PATCH] drm/i915: Fix reporting of size of created GEM object

Quoting Janusz Krzysztofik (2019-07-09 07:58:00)
> Commit e163484afa8d ("drm/i915: Update size upon return from
> GEM_CREATE") (re)introduced reporting of actual size of created GEM
> objects, possibly rounded up on object alignment. Unfortunately, its
> implementation resulted in a possible use-after-free bug. The bug has
> been fixed by commit 929eec99f5fd ("drm/i915: Avoid use-after-free in
> reporting create.size") at the cost of possibly incorrect value being
> reported as actual object size.
>
> Safely restore correct reporting by capturing actual size of created
> GEM object before a reference to the object is put.
>
> Fixes: 929eec99f5fd ("drm/i915: Avoid use-after-free in reporting create.size")

This doesn't do anything.
-Chris