Re: KASAN: use-after-free Read in drm_gem_object_release

Thank you for pointing out my spelling error. OK, I have uploaded a PoC and
compiled it to a binary. You can test it.

regards,
  butt3rflyh4ck.

On Fri, Jul 10, 2020 at 7:53 PM Dan Carpenter <dan.carpenter@xxxxxxxxxx> wrote:
>
> On Fri, Jul 10, 2020 at 04:24:03PM +0800, butt3rflyh4ck wrote:
> > I report a bug (in linux-5.8.0-rc4) found by syzkaller.
> >
> > kernel config: https://github.com/butterflyhack/syzkaller-fuzz/blob/master/v5.8.0-rc4.config
> >
> > I tested the reproducer and it crashes too.
> >
> > In the drm_em_vram_t() function, the ttm_bo_init() function calls
>          ^^^^^^^^^^^^^
> This a typo.  The function name is drm_gem_vram_init().
>
> > ttm_bo_init_reserved(), and the ttm_bo_init_reserved() function calls
> > ttm_bo_put(), which frees gbo->bo (a struct ttm_buffer_object).
> >
> > Then it goes to the err_drm_gem_object_release label, and the
> > drm_gem_object_release() function frees gbo->bo.base, which causes a
> > use after free.
> >
>
> There is a third free in drm_gem_vram_create().  This is a triple free
> bug.  The correct place to free this is in drm_gem_vram_create() because
> that's where it was allocated.
>
> This code is quite subtle so I'm not going to attempt to fix it because
> I can't test it.
>
> regards,
> dan carpenter
>

Attachment: uaf-drm_gem_object_release.c
Description: Binary data

Attachment: uaf-drm_gem_object_release
Description: Binary data
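The error-path ownership problem described in the quoted report and in Dan's reply (one object, three code sites that each free it) can be modelled outside the kernel. The block below is an added user-space C example; it is not part of this thread and not the kernel's code. Every model_/buggy_/fixed_ name is a hypothetical stand-in for the drm_gem_vram_*, ttm_bo_* and drm_gem_object_* functions the report names, and the "quarantining" allocator is an assumption of the model: it never returns memory to the heap until the next reset, so a double free or a read through a freed pointer is counted rather than crashing the process. `buggy_create(1)` reproduces the shape of the bug (the TTM-style put runs the destroy callback, then the init error label and the creator free again); `fixed_create(1)` keeps allocation and freeing in one function and stops freeing once the BO init has taken the reference, which is the ownership rule Dan's reply argues for.

```c
#include <stdlib.h>
#include <string.h>

/* Quarantining allocator (model assumption): frees are counted, and memory
 * is only returned to the heap on track_reset(), so the double frees and
 * the use-after-free below are observable instead of fatal. */
#define MAX_TRACKED 8
static struct { void *p; int frees; } g_track[MAX_TRACKED];
static int g_ntrack;

static void track_reset(void)
{
	for (int i = 0; i < g_ntrack; i++)
		free(g_track[i].p);
	memset(g_track, 0, sizeof(g_track));
	g_ntrack = 0;
}

static void *track_alloc(size_t n)
{
	void *p = calloc(1, n);
	if (p && g_ntrack < MAX_TRACKED)
		g_track[g_ntrack++].p = p;
	return p;
}

static void track_free(void *p)
{
	for (int i = 0; i < g_ntrack; i++)
		if (g_track[i].p == p)
			g_track[i].frees++;	/* counted, not returned to the heap */
}

/* Frees beyond the first, summed over all tracked objects; 0 means clean. */
static int track_extra_frees(void)
{
	int n = 0;
	for (int i = 0; i < g_ntrack; i++)
		if (g_track[i].frees > 1)
			n += g_track[i].frees - 1;
	return n;
}

/* Refcounted buffer object with a destroy callback (hypothetical TTM-like BO),
 * embedded in a larger object that also owns a separately allocated "base". */
struct model_bo { int refcount; void (*destroy)(struct model_bo *bo); };
struct model_gbo { struct model_bo bo; void *base; };

static void model_gem_object_release(struct model_gbo *gbo) { track_free(gbo->base); }

static void model_bo_put(struct model_bo *bo)
{
	if (--bo->refcount == 0)
		bo->destroy(bo);
}

/* Destroy callback: releases the base and frees the embedding object. */
static void model_gbo_destroy(struct model_bo *bo)
{
	struct model_gbo *gbo = (struct model_gbo *)bo;
	model_gem_object_release(gbo);
	track_free(gbo);
}

/* Stand-in for the behaviour the report attributes to ttm_bo_init_reserved():
 * on failure it drops the reference it was handed, running the destroy callback. */
static int model_bo_init_reserved(struct model_bo *bo, int fail,
				  void (*destroy)(struct model_bo *bo))
{
	bo->refcount = 1;
	bo->destroy = destroy;
	if (fail) {
		model_bo_put(bo);
		return -1;
	}
	return 0;
}

/* Buggy shape: three sites each believe they own the cleanup. */
static int buggy_init(struct model_gbo *gbo, int fail)
{
	gbo->base = track_alloc(16);
	if (!gbo->base)
		return -1;
	if (model_bo_init_reserved(&gbo->bo, fail, model_gbo_destroy))
		goto err_release;
	return 0;
err_release:
	model_gem_object_release(gbo);	/* second free of base, read through freed gbo */
	return -1;
}

/* Returns the number of extra frees the run produced (-1 if calloc failed). */
static int buggy_create(int fail)
{
	track_reset();
	struct model_gbo *gbo = track_alloc(sizeof(*gbo));
	if (!gbo)
		return -1;
	if (buggy_init(gbo, fail)) {
		track_free(gbo);	/* second free of gbo */
		return track_extra_frees();
	}
	model_bo_put(&gbo->bo);	/* normal teardown: base and gbo freed once */
	return track_extra_frees();
}

/* Fixed shape: allocate and free in the same function, and once the BO init
 * has taken the reference nobody else frees. */
static int fixed_create(int fail)
{
	track_reset();
	struct model_gbo *gbo = track_alloc(sizeof(*gbo));
	if (!gbo)
		return -1;
	gbo->base = track_alloc(16);
	if (!gbo->base) {
		track_free(gbo);	/* the only failure where we still own gbo */
		return -1;
	}
	if (model_bo_init_reserved(&gbo->bo, fail, model_gbo_destroy))
		return track_extra_frees();	/* destroy callback already cleaned up */
	model_bo_put(&gbo->bo);
	return track_extra_frees();
}
```

The point the model makes is that a callee which drops the caller's reference on failure moves the ownership boundary: after that call, neither the init function's error label nor the creating function may touch the object. Under KASAN the real kernel reports the same sequence as the use-after-free read in the thread's subject; in the model it shows up as two extra frees on the failing path and none on the fixed one.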

_______________________________________________
dri-devel mailing list
dri-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/dri-devel
