Hi,
can we have ack? or we need to do anything further to get r-o-b.
Thanks,
Mastan
-----Original Message-----
From: Katragadda, MastanX
Sent: 09 March 2022 07:16
To: Auld, Matthew <matthew.auld@xxxxxxxxx>; Tvrtko Ursulin <tvrtko.ursulin@xxxxxxxxxxxxxxx>; intel-gfx@xxxxxxxxxxxxxxxxxxxxx
Cc: Surendrakumar Upadhyay, TejaskumarX <tejaskumarx.surendrakumar.upadhyay@xxxxxxxxx>
Subject: RE: [v2] drm/i915/gem: missing boundary check in vm_access leads to OOB read/write
On 03/03/2022 09:00, Tvrtko Ursulin wrote:
>
> + Matt
>
> On 03/03/2022 06:04, Mastan Katragadda wrote:
>> Intel ID: PSIRT-PTK0002429
>>
>> A missing bounds check in vm_access()can lead to an out-of-bounds
>> read or write in the adjacent memory area.The len attribute is not
>> validated before the memcpy at [1]or [2] occurs.
>
> s/[1]or [2]/later in the function/ ?
>
>>
>> [ 183.637831] BUG: unable to handle page fault for address:
>> ffffc90000c86000
>> [ 183.637934] #PF: supervisor read access in kernel mode [
>> 183.637997] #PF: error_code(0x0000) - not-present page [ 183.638059]
>> PGD 100000067 P4D 100000067 PUD 100258067 PMD 106341067 PTE 0 [
>> 183.638144] Oops: 0000 [#2] PREEMPT SMP NOPTI
>> [ 183.638201] CPU: 3 PID: 1790 Comm: poc Tainted: G D
>> 5.17.0-rc6-ci-drm-11296+ #1
>> [ 183.638298] Hardware name: Intel Corporation CoffeeLake Client
>> Platform/CoffeeLake H DDR4 RVP, BIOS CNLSFWR1.R00.X208.B00.1905301319
>> 05/30/2019
>> [ 183.638430] RIP: 0010:memcpy_erms+0x6/0x10 [ 183.640213] RSP:
>> 0018:ffffc90001763d48 EFLAGS: 00010246 [ 183.641117] RAX:
>> ffff888109c14000 RBX: ffff888111bece40 RCX:
>> 0000000000000ffc
>> [ 183.642029] RDX: 0000000000001000 RSI: ffffc90000c86000 RDI:
>> ffff888109c14004
>> [ 183.642946] RBP: 0000000000000ffc R08: 800000000000016b R09:
>> 0000000000000000
>> [ 183.643848] R10: ffffc90000c85000 R11: 0000000000000048 R12:
>> 0000000000001000
>> [ 183.644742] R13: ffff888111bed190 R14: ffff888109c14000 R15:
>> 0000000000001000
>> [ 183.645653] FS: 00007fe5ef807540(0000) GS:ffff88845b380000(0000)
>> knlGS:0000000000000000
>> [ 183.646570] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [
>> 183.647481] CR2: ffffc90000c86000 CR3: 000000010ff02006 CR4:
>> 00000000003706e0
>> [ 183.648384] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
>> 0000000000000000
>> [ 183.649271] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:
>> 0000000000000400
>> [ 183.650142] Call Trace:
>> [ 183.650988] <TASK>
>> [ 183.651793] vm_access+0x1f0/0x2a0 [i915] [ 183.652726]
>> __access_remote_vm+0x224/0x380 [ 183.653561]
>> mem_rw.isra.0+0xf9/0x190 [ 183.654402] vfs_read+0x9d/0x1b0 [
>> 183.655238] ksys_read+0x63/0xe0 [ 183.656065]
>> do_syscall_64+0x38/0xc0 [ 183.656882]
>> entry_SYSCALL_64_after_hwframe+0x44/0xae
>> [ 183.657663] RIP: 0033:0x7fe5ef725142 [ 183.659351] RSP:
>> 002b:00007ffe1e81c7e8 EFLAGS: 00000246 ORIG_RAX:
>> 0000000000000000
>> [ 183.660227] RAX: ffffffffffffffda RBX: 0000557055dfb780 RCX:
>> 00007fe5ef725142
>> [ 183.661104] RDX: 0000000000001000 RSI: 00007ffe1e81d880 RDI:
>> 0000000000000005
>> [ 183.661972] RBP: 00007ffe1e81e890 R08: 0000000000000030 R09:
>> 0000000000000046
>> [ 183.662832] R10: 0000557055dfc2e0 R11: 0000000000000246 R12:
>> 0000557055dfb1c0
>> [ 183.663691] R13: 00007ffe1e81e980 R14: 0000000000000000 R15:
>> 0000000000000000
>> [ 183.664566] </TASK>
>>
>> Changes since v1:
>> - Updated if condition with range_overflows_t [Chris Wilson]
>>
>> Signed-off-by: Mastan Katragadda <mastanx.katragadda@xxxxxxxxx>
>> Suggested-by: Adam Zabrocki <adamza@xxxxxxxxxxxxx>
>> Reported-by: Jackson Cody <cody.jackson@xxxxxxxxx>
>> Cc: Chris Wilson <chris@xxxxxxxxxxxxxxxxxx>
>> Cc: Bloomfield Jon <jon.bloomfield@xxxxxxxxx>
>> Cc: Dutt Sudeep <sudeep.dutt@xxxxxxxxx>
>
> Fixes: 9f909e215fea ("drm/i915: Implement vm_ops->access for gdb
> access into mmaps")
> Cc: <stable@xxxxxxxxxxxxxxx> # v5.8+
>
> Right?
>
> There was a selftest added with the referenced patch and it sounds
> like it would be a good idea to extend it to cover this scenario. As
> a separate patch though so this one is easy to backport.
Agreed, a simple regression test(either selftest or igt) for this would be nice, if possible.
>
> Regards,
>
> Tvrtko
>
>> ---
>> drivers/gpu/drm/i915/gem/i915_gem_mman.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/drivers/gpu/drm/i915/gem/i915_gem_mman.c
>> b/drivers/gpu/drm/i915/gem/i915_gem_mman.c
>> index efe69d6b86f4..c3ea243d414d 100644
>> --- a/drivers/gpu/drm/i915/gem/i915_gem_mman.c
>> +++ b/drivers/gpu/drm/i915/gem/i915_gem_mman.c
>> @@ -455,7 +455,7 @@ vm_access(struct vm_area_struct *area, unsigned
>> long addr,
>> return -EACCES;
>> addr -= area->vm_start;
>> - if (addr >= obj->base.size)
>> + if (range_overflows_t(u64, addr, len, obj->base.size))
>> return -EINVAL;
Other users like ttm_bo_vm_access are also checking if len <= 0, should we also add an explicit check for that here? Otherwise LGTM.
I think no need to add here len<=0, we already validating same range_overflows_t . converted following condition to range_overflow_t.
if (len < 1 || len > obj->base.size ||
addr >= obj->base.size ||
addr + len > obj->base.size)
>> i915_gem_ww_ctx_init(&ww, true);
