From: Desmond Cheong Zhi Xi
To: maarten.lankhorst@linux.intel.com, mripard@kernel.org, tzimmermann@suse.de, airlied@linux.ie, daniel@ffwll.ch, sumit.semwal@linaro.org, christian.koenig@amd.com, axboe@kernel.dk, oleg@redhat.com, tglx@linutronix.de, dvyukov@google.com, walter-zh.wu@mediatek.com
Cc: Desmond Cheong Zhi Xi , dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org, intel-gfx@lists.freedesktop.org, linux-media@vger.kernel.org, linaro-mm-sig@lists.linaro.org, skhan@linuxfoundation.org, gregkh@linuxfoundation.org, linux-kernel-mentees@lists.linuxfoundation.org
Subject: [PATCH v3 4/9] drm: fix potential null ptr dereferences in drm_{auth,ioctl}
Date: Wed, 18 Aug 2021 15:38:19 +0800
Message-Id: <20210818073824.1560124-5-desmondcheongzx@gmail.com>
X-Mailer: git-send-email 2.25.1
In-Reply-To: <20210818073824.1560124-1-desmondcheongzx@gmail.com>
References: <20210818073824.1560124-1-desmondcheongzx@gmail.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID: X-Mailing-List: linux-kernel@vger.kernel.org

There are three areas where we dereference struct drm_master without checking if the pointer is non-NULL.

1. drm_getmagic is called from the ioctl_handler. Since DRM_IOCTL_GET_MAGIC has no ioctl flags, drm_getmagic is run without any check that drm_file.master has been set.

2. Similarly, drm_getunique is called from the ioctl_handler, but DRM_IOCTL_GET_UNIQUE has no ioctl flags. So there is no guarantee that drm_file.master has been set.

3. drm_master_release can also be called without having a drm_file.master set. Here is one error path:

drm_open():
  drm_open_helper():
    drm_master_open():
      drm_new_set_master();   <--- returns -ENOMEM, drm_file.master not set
  drm_file_free():
    drm_master_release();     <--- NULL ptr dereference (file_priv->master->magic_map)

Fix these by checking if the master pointers are NULL before use.
Signed-off-by: Desmond Cheong Zhi Xi --- drivers/gpu/drm/drm_auth.c | 16 ++++++++++++++-- drivers/gpu/drm/drm_ioctl.c | 5 +++++ 2 files changed, 19 insertions(+), 2 deletions(-) diff --git a/drivers/gpu/drm/drm_auth.c b/drivers/gpu/drm/drm_auth.c index f9267b21556e..b7230604496b 100644 --- a/drivers/gpu/drm/drm_auth.c +++ b/drivers/gpu/drm/drm_auth.c @@ -95,11 +95,18 @@ EXPORT_SYMBOL(drm_is_current_master); int drm_getmagic(struct drm_device *dev, void *data, struct drm_file *file_priv) { struct drm_auth *auth = data; + struct drm_master *master; int ret = 0; mutex_lock(&dev->master_mutex); + master = file_priv->master; + if (!master) { + mutex_unlock(&dev->master_mutex); + return -EINVAL; + } + if (!file_priv->magic) { - ret = idr_alloc(&file_priv->master->magic_map, file_priv, + ret = idr_alloc(&master->magic_map, file_priv, 1, 0, GFP_KERNEL); if (ret >= 0) file_priv->magic = ret; @@ -355,8 +362,12 @@ void drm_master_release(struct drm_file *file_priv) mutex_lock(&dev->master_mutex); master = file_priv->master; + + if (!master) + goto unlock; + if (file_priv->magic) - idr_remove(&file_priv->master->magic_map, file_priv->magic); + idr_remove(&master->magic_map, file_priv->magic); if (!drm_is_current_master_locked(file_priv)) goto out; @@ -379,6 +390,7 @@ void drm_master_release(struct drm_file *file_priv) drm_master_put(&file_priv->master); spin_unlock(&dev->master_lookup_lock); } +unlock: mutex_unlock(&dev->master_mutex); } diff --git a/drivers/gpu/drm/drm_ioctl.c b/drivers/gpu/drm/drm_ioctl.c index 26f3a9ede8fe..4d029d3061d9 100644 --- a/drivers/gpu/drm/drm_ioctl.c +++ b/drivers/gpu/drm/drm_ioctl.c @@ -121,6 +121,11 @@ int drm_getunique(struct drm_device *dev, void *data, mutex_lock(&dev->master_mutex); master = file_priv->master; + if (!master) { + mutex_unlock(&dev->master_mutex); + return -EINVAL; + } + if (u->unique_len >= master->unique_len) { if (copy_to_user(u->unique, master->unique, master->unique_len)) { mutex_unlock(&dev->master_mutex); -- 2.25.1
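Review bot: the new NULL check in drm_getmagic (drm_auth.c, hunk @@ -95,11) has no comment saying how file_priv->master can be NULL at this point; that reasoning lives only in the commit message, so the next person to read `if (!master) {` may take it for a redundant check and drop it. Suggest a one-line comment above it noting that DRM_IOCTL_GET_MAGIC carries no ioctl flags, so the handler can run before any master has been attached to the file. Reading `master = file_priv->master;` once under master_mutex and then using the local in `idr_alloc(&master->magic_map, ...)` is the right shape, since the later dereference can no longer observe a different pointer than the one that was checked.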
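Review bot: in drm_master_release (drm_auth.c, hunk @@ -355,8) `goto unlock` adds a second exit label alongside the existing `out:` that `if (!drm_is_current_master_locked(file_priv)) goto out;` already jumps to; two labels with different skip semantics in one function are easy to confuse, so a short comment at the new `unlock:` label (or at the `if (!master)` test) stating that it skips both the magic_map removal and the current-master teardown would help. The check itself is sound: it sits under master_mutex, and `idr_remove(&master->magic_map, file_priv->magic)` now uses the local that was just tested instead of re-reading file_priv->master.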
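Review bot: the check in drm_getunique (drm_ioctl.c, hunk @@ -121,6) returns -EINVAL for a file without a master, matching what drm_getmagic returns in the same series, which keeps the two flag-less ioctls consistent; as with drm_getmagic, a comment at `if (!master) {` explaining that DRM_IOCTL_GET_UNIQUE has no ioctl flags (so file_priv->master may still be unset) would save readers a trip to the log. It would also be worth a sentence in the commit message on why -EINVAL was chosen, since user space probing GET_UNIQUE on a freshly opened file will now see that errno where it previously hit a kernel NULL dereference, and the choice is not obvious from the code alone.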
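The following is an added example, not part of this patch or of the DRM code: a user-space C model of the pattern the series applies, a master pointer that a failed open can leave NULL, read once under the lock and checked before use, in both the ioctl-style getter and the release path. The struct names and function names mirror the kernel ones for readability, but the structures, the slot array standing in for the IDR, the pthread mutex standing in for master_mutex, and the two scenario functions are all simplified stand-ins constructed for this example.

```c
/* Added example modelling the NULL-master fix in user space.
 * Names mirror the kernel (drm_file, drm_master, drm_getmagic,
 * drm_master_release) but every type and helper here is a stand-in. */
#include <errno.h>
#include <pthread.h>
#include <stddef.h>

#define MAGIC_SLOTS 8

/* Stand-in for drm_master: a small slot table instead of an IDR. */
struct drm_master {
    struct drm_file *magic_map[MAGIC_SLOTS];   /* index == magic, slot 0 unused */
};

/* Stand-in for drm_file: master stays NULL if drm_new_set_master failed. */
struct drm_file {
    struct drm_master *master;
    unsigned int magic;
};

/* Stand-in for drm_device: only the mutex the real code takes. */
struct drm_device {
    pthread_mutex_t master_mutex;
};

/* Lowest free slot >= 1, like idr_alloc(map, ptr, 1, 0, ...). */
static int magic_alloc(struct drm_master *master, struct drm_file *f)
{
    for (int i = 1; i < MAGIC_SLOTS; i++) {
        if (!master->magic_map[i]) {
            master->magic_map[i] = f;
            return i;
        }
    }
    return -ENOSPC;
}

/* Hardened getter: read master once under the lock, bail out if NULL. */
int drm_getmagic(struct drm_device *dev, struct drm_file *file_priv,
                 unsigned int *out)
{
    struct drm_master *master;
    int ret = 0;

    pthread_mutex_lock(&dev->master_mutex);
    master = file_priv->master;
    if (!master) {                      /* no master attached to this file yet */
        pthread_mutex_unlock(&dev->master_mutex);
        return -EINVAL;
    }
    if (!file_priv->magic) {
        ret = magic_alloc(master, file_priv);
        if (ret >= 0)
            file_priv->magic = ret;
    }
    pthread_mutex_unlock(&dev->master_mutex);
    if (ret < 0)
        return ret;
    *out = file_priv->magic;
    return 0;
}

/* Hardened release: skip the magic_map cleanup when there is no master. */
void drm_master_release(struct drm_device *dev, struct drm_file *file_priv)
{
    struct drm_master *master;

    pthread_mutex_lock(&dev->master_mutex);
    master = file_priv->master;
    if (!master)
        goto unlock;                    /* pre-fix code dereferenced NULL here */
    if (file_priv->magic)
        master->magic_map[file_priv->magic] = NULL;
    file_priv->master = NULL;
unlock:
    pthread_mutex_unlock(&dev->master_mutex);
}

/* Constructed scenario: open left master NULL (as after drm_new_set_master
 * returning -ENOMEM), then the file is released. Returns the getter's errno. */
int scenario_no_master(void)
{
    struct drm_device dev = { PTHREAD_MUTEX_INITIALIZER };
    struct drm_file f = { NULL, 0 };
    unsigned int magic = 0;
    int ret = drm_getmagic(&dev, &f, &magic);   /* -EINVAL, no crash */
    drm_master_release(&dev, &f);               /* safe: takes the unlock path */
    return ret;
}

/* Constructed scenario: a master is present; returns the magic allocated
 * (1) after checking that release cleared its slot. */
int scenario_with_master(void)
{
    struct drm_device dev = { PTHREAD_MUTEX_INITIALIZER };
    struct drm_master m = { { NULL } };
    struct drm_file f = { &m, 0 };
    unsigned int magic = 0;
    if (drm_getmagic(&dev, &f, &magic) != 0)
        return -1;
    drm_master_release(&dev, &f);
    if (m.magic_map[magic] != NULL)
        return -2;
    return (int)magic;
}
```

The two scenario functions are the ones to call: the first reproduces the commit message's error path in miniature and returns -EINVAL instead of faulting, the second shows the ordinary path still allocates and frees a magic. The design point carried over from the patch is that both functions copy `file_priv->master` into a local under the mutex and never touch `file_priv->master->...` again after the check.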