On Mon, Dec 23, 2024 at 02:42:50PM +0100, Thomas Hellström wrote: > The commit > afd2627f727b ("tracing: Check "%s" dereference via the field and not the TP_printk format") > exposes potential UAFs in the xe_bo_move trace event. > > Fix those by avoiding dereferencing the > xe_mem_type_to_name[] array at TP_printk time. > > Since some code refactoring has taken place, explicit backporting may > be needed for kernels older than 6.10. > > Fixes: e46d3f813abd ("drm/xe/trace: Extract bo, vm, vma traces") > Cc: Gustavo Sousa <gustavo.sousa@xxxxxxxxx> > Cc: Lucas De Marchi <lucas.demarchi@xxxxxxxxx> > Cc: Radhakrishna Sripada <radhakrishna.sripada@xxxxxxxxx> > Cc: Matt Roper <matthew.d.roper@xxxxxxxxx> > Cc: "Thomas Hellström" <thomas.hellstrom@xxxxxxxxxxxxxxx> > Cc: Rodrigo Vivi <rodrigo.vivi@xxxxxxxxx> > Cc: intel-xe@xxxxxxxxxxxxxxxxxxxxx > Cc: <stable@xxxxxxxxxxxxxxx> # v6.11+ > Signed-off-by: Thomas Hellström <thomas.hellstrom@xxxxxxxxxxxxxxx> > --- > drivers/gpu/drm/xe/xe_trace_bo.h | 12 ++++++------ > 1 file changed, 6 insertions(+), 6 deletions(-) > > diff --git a/drivers/gpu/drm/xe/xe_trace_bo.h b/drivers/gpu/drm/xe/xe_trace_bo.h > index 1762dd30ba6d..ea50fee50c7d 100644 > --- a/drivers/gpu/drm/xe/xe_trace_bo.h > +++ b/drivers/gpu/drm/xe/xe_trace_bo.h > @@ -60,8 +60,8 @@ TRACE_EVENT(xe_bo_move, > TP_STRUCT__entry( > __field(struct xe_bo *, bo) > __field(size_t, size) > - __field(u32, new_placement) > - __field(u32, old_placement) > + __string(new_placement_name, xe_mem_type_to_name[new_placement]) > + __string(old_placement_name, xe_mem_type_to_name[old_placement]) > __string(device_id, __dev_name_bo(bo)) > __field(bool, move_lacks_source) > ), 
> @@ -69,15 +69,15 @@ TRACE_EVENT(xe_bo_move, > TP_fast_assign( > __entry->bo = bo; > __entry->size = bo->size; > - __entry->new_placement = new_placement; > - __entry->old_placement = old_placement; > + __assign_str(new_placement_name); > + __assign_str(old_placement_name); > __assign_str(device_id); > __entry->move_lacks_source = move_lacks_source; > ), > TP_printk("move_lacks_source:%s, migrate object %p [size %zu] from %s to %s device_id:%s", > __entry->move_lacks_source ? "yes" : "no", __entry->bo, __entry->size, > - xe_mem_type_to_name[__entry->old_placement], > - xe_mem_type_to_name[__entry->new_placement], __get_str(device_id)) So is this the UAF? i.e., The Xe module unloads and xe_mem_type_to_name is gone? I noticed that xe_mem_type_to_name is not static, it likely should be. Would that help here? Matt > + __get_str(old_placement_name), > + __get_str(new_placement_name), __get_str(device_id)) > ); > > DECLARE_EVENT_CLASS(xe_vma, > -- > 2.47.1 >
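Review bot: In the first hunk (TP_STRUCT__entry), replacing `__field(u32, new_placement)` and `__field(u32, old_placement)` with `__string(...)` entries drops the raw placement values from the trace record entirely, so anything that parses the binary event (rather than the printk output) loses the numeric placement; if that matters, keep the two u32 fields alongside the new `__string` entries. Also, `xe_mem_type_to_name[new_placement]` is now indexed at record-reservation time with a caller-supplied value and no visible bounds check, so it is worth confirming every xe_bo_move caller only passes values within the array (the same concern existed in the old TP_printk indexing, it just moves earlier).

Review bot: In the second hunk, `__assign_str(new_placement_name)` and `__assign_str(old_placement_name)` use the one-argument form, which is exactly the part that will not build on kernels where `__assign_str()` still takes a source argument; the commit message's "older than 6.10" note and the `# v6.11+` stable tag should agree on the cut-off (state whether 6.10 itself needs a hand backport). The TP_printk side is the actual fix: `__get_str(old_placement_name)` / `__get_str(new_placement_name)` read the copied string from the ring-buffer record, so the later format step no longer dereferences `xe_mem_type_to_name[]` at all; a sentence to that effect in the commit message would answer the "module unloaded, array gone" question directly, and making the array static (as suggested in the reply) is a separate cleanup that does not on its own remove the printk-time dereference.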