From: Zheng Wang
To: zhi.a.wang@intel.com
Cc: 1002992920@qq.com, airlied@gmail.com, airlied@linux.ie, alex000young@gmail.com, dri-devel@lists.freedesktop.org, gregkh@linuxfoundation.org, hackerzheng666@gmail.com, intel-gfx@lists.freedesktop.org, intel-gvt-dev@lists.freedesktop.org, joonas.lahtinen@linux.intel.com, linux-kernel@vger.kernel.org, security@kernel.org, tvrtko.ursulin@linux.intel.com, zhenyuw@linux.intel.com, zyytlz.wz@163.com
Subject: Re: [Intel-gfx] [PATCH v3] drm/i915/gvt: fix double free bug in split_2MB_gtt_entry
Date: Mon, 19 Dec 2022 15:57:00 +0800
Message-Id: <20221219075700.220058-1-zyytlz.wz@163.com>
X-Mailing-List: linux-kernel@vger.kernel.org

Hi Zhi,

Thanks again for your reply and clear explanation about the function. I still have some doubts about the fix.

Here is an invoke chain:

ppgtt_populate_spt
  -> ppgtt_populate_shadow_entry
    -> split_2MB_gtt_entry

As far as I'm concerned, when some error happens in DMA mapping, which will make intel_gvt_dma_map_guest_page return a non-zero code, it will invoke ppgtt_invalidate_spt and call ppgtt_free_spt, which will finally free spt by kfree. But the caller doesn't notice that and frees spt by calling ppgtt_free_spt again. This is a typical UAF/double free vulnerability.

So I think the key point is about how to handle spt properly. The handling of the newly allocated spt (aka sub_spt) is not the root cause of this issue. Could you please give me more advice about how to fix this security bug? Besides, I'm not sure if there are more similar problems in other locations.

Best regards,
Zheng Wang

-- 
2.25.1
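As an added illustration (not part of the mail above, and not the i915/gvt sources), the ownership pattern the mail describes reduced to a toy C model: a callee frees an object on its error path and the caller, still believing it owns the object, frees it again. The function and struct names are hypothetical stand-ins that only mimic the call chain in the mail. A small constructed tracker flags a second free instead of performing it, so the model runs without undefined behaviour and the defect shows up as a counter, much as a sanitizer would report it. The "fixed" variant shows one ownership discipline (the callee never frees what it did not allocate); it is not a claim about what the upstream patch does.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Toy model of a shadow page table object (hypothetical, not the gvt struct). */
struct spt {
    int id;
    bool freed;   /* set by spt_free() so a repeat free is detected, not executed */
};

/* Constructed allocation tracker: counts what a sanitizer would report. */
static int g_allocs, g_frees, g_double_frees;

static void tracker_reset(void) { g_allocs = g_frees = g_double_frees = 0; }

static struct spt *spt_alloc(int id)
{
    struct spt *s = calloc(1, sizeof(*s));
    if (s) {
        s->id = id;
        g_allocs++;
    }
    return s;
}

/* Stands in for kfree(): a repeat free is counted instead of performed (on a
 * real allocator it is undefined behaviour). The block is deliberately not
 * returned to the allocator so the flag stays readable. */
static void spt_free(struct spt *s)
{
    if (!s)
        return;
    if (s->freed) {
        g_double_frees++;
        return;
    }
    s->freed = true;
    g_frees++;
}

/* Stand-in for the DMA mapping step; fails when asked to. */
static int map_guest_page(bool fail_map) { return fail_map ? -1 : 0; }

/* Models invalidate-and-free: after this call the object is gone. */
static void invalidate_spt(struct spt *s) { spt_free(s); }

/* BUGGY callee: on a mapping error it frees sub_spt itself ... */
static int split_entry_buggy(struct spt *sub_spt, bool fail_map)
{
    if (map_guest_page(fail_map)) {
        invalidate_spt(sub_spt);
        return -1;
    }
    return 0;
}

/* ... and the caller, which still believes it owns sub_spt, frees it again. */
static int populate_buggy(bool fail_map)
{
    struct spt *sub_spt = spt_alloc(1);
    if (!sub_spt)
        return -1;
    int ret = split_entry_buggy(sub_spt, fail_map);
    if (ret) {
        spt_free(sub_spt);   /* second free on the error path */
        return ret;
    }
    spt_free(sub_spt);       /* model ends the object's life here on success */
    return 0;
}

/* FIXED: one owner. The callee only reports the error; the caller releases
 * sub_spt exactly once on every path. */
static int split_entry_fixed(struct spt *sub_spt, bool fail_map)
{
    (void)sub_spt;
    return map_guest_page(fail_map) ? -1 : 0;
}

static int populate_fixed(bool fail_map)
{
    struct spt *sub_spt = spt_alloc(1);
    if (!sub_spt)
        return -1;
    int ret = split_entry_fixed(sub_spt, fail_map);
    spt_free(sub_spt);       /* the only free, on success and on error alike */
    return ret;
}

/* Run one variant on the error path and report what the tracker saw. */
static int double_frees_on_error(int (*populate)(bool))
{
    tracker_reset();
    populate(true);
    return g_double_frees;
}

static int leaks_on_error(int (*populate)(bool))
{
    tracker_reset();
    populate(true);
    return g_allocs - g_frees;
}

int main(void)
{
    printf("buggy: double frees=%d leaks=%d\n",
           double_frees_on_error(populate_buggy), leaks_on_error(populate_buggy));
    printf("fixed: double frees=%d leaks=%d\n",
           double_frees_on_error(populate_fixed), leaks_on_error(populate_fixed));
    return 0;
}
```

The defensive point is the ownership contract, not the individual kfree: on every return path exactly one side must be responsible for the object, and that rule should be written down next to the function that frees on error. In a real kernel build the same defect is what KASAN reports as a double free on the error path, which is the kind of coverage to add when checking whether similar patterns exist elsewhere.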