RE: [PATCH] drm/xe/tracing: Fix a potential TP_printk UAF

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



-----Original Message-----
From: Thomas Hellström <thomas.hellstrom@xxxxxxxxxxxxxxx> 
Sent: Monday, December 23, 2024 7:57 AM
To: Cavitt, Jonathan <jonathan.cavitt@xxxxxxxxx>; intel-xe@xxxxxxxxxxxxxxxxxxxxx
Cc: Sousa, Gustavo <gustavo.sousa@xxxxxxxxx>; De Marchi, Lucas <lucas.demarchi@xxxxxxxxx>; Radhakrishna Sripada <radhakrishna.sripada@xxxxxxxxx>; Roper, Matthew D <matthew.d.roper@xxxxxxxxx>; Vivi, Rodrigo <rodrigo.vivi@xxxxxxxxx>; stable@xxxxxxxxxxxxxxx
Subject: Re: [PATCH] drm/xe/tracing: Fix a potential TP_printk UAF
> 
> On Mon, 2024-12-23 at 15:44 +0000, Cavitt, Jonathan wrote:
> > -----Original Message-----
> > From: Intel-xe <intel-xe-bounces@xxxxxxxxxxxxxxxxxxxxx> On Behalf Of
> > Thomas Hellström
> > Sent: Monday, December 23, 2024 5:43 AM
> > To: intel-xe@xxxxxxxxxxxxxxxxxxxxx
> > Cc: Thomas Hellström <thomas.hellstrom@xxxxxxxxxxxxxxx>; Sousa,
> > Gustavo <gustavo.sousa@xxxxxxxxx>; De Marchi, Lucas
> > <lucas.demarchi@xxxxxxxxx>; Radhakrishna Sripada
> > <radhakrishna.sripada@xxxxxxxxx>; Roper, Matthew D
> > <matthew.d.roper@xxxxxxxxx>; Vivi, Rodrigo <rodrigo.vivi@xxxxxxxxx>;
> > stable@xxxxxxxxxxxxxxx
> > Subject: [PATCH] drm/xe/tracing: Fix a potential TP_printk UAF
> > > 
> > > The commit
> > > afd2627f727b ("tracing: Check "%s" dereference via the field and
> > > not the TP_printk format")
> > > exposes potential UAFs in the xe_bo_move trace event.
> > > 
> > > Fix those by avoiding dereferencing the
> > > xe_mem_type_to_name[] array at TP_printk time.
> > > 
> > > Since some code refactoring has taken place, explicit backporting
> > > may
> > > be needed for kernels older than 6.10.
> > > 
> > > Fixes: e46d3f813abd ("drm/xe/trace: Extract bo, vm, vma traces")
> > > Cc: Gustavo Sousa <gustavo.sousa@xxxxxxxxx>
> > > Cc: Lucas De Marchi <lucas.demarchi@xxxxxxxxx>
> > > Cc: Radhakrishna Sripada <radhakrishna.sripada@xxxxxxxxx>
> > > Cc: Matt Roper <matthew.d.roper@xxxxxxxxx>
> > > Cc: "Thomas Hellström" <thomas.hellstrom@xxxxxxxxxxxxxxx>
> > > Cc: Rodrigo Vivi <rodrigo.vivi@xxxxxxxxx>
> > > Cc: intel-xe@xxxxxxxxxxxxxxxxxxxxx
> > > Cc: <stable@xxxxxxxxxxxxxxx> # v6.11+
> > > Signed-off-by: Thomas Hellström <thomas.hellstrom@xxxxxxxxxxxxxxx>
> > 
> > I take it we're hitting the WARN_ONCE in ignore_event due to a
> > test_safe_str failure?
> 
> Actually it's the WARN_ONCE in test_event_printk()
> 
> if (WARN_ON_ONCE(dereference_flags)) {

Ah, I see.

There's a comment above that WARN_ON_ONCE as well, and it
more or less recommends the same actions, albeit with less
specificity.  My RB still stands.
-Jonathan Cavitt

> 
> 
> > I don't know about us hitting a UAF here, but this fix is exactly
> > what was recommended
> > in the comment immediately above the WARN_ONCE that we shouldn't be
> > hitting, so
> > this is probably correct if that's what we're trying to avoid.
> 
> I'll double-check to see if I can easily trigger the UAF.
> 
> 
> > Reviewed-by: Jonathan Cavitt <jonathan.cavitt@xxxxxxxxx>
> 
> Thanks,
> Thomas
> 
> 
> > -Jonathan Cavitt
> > 
> > > ---
> > >  drivers/gpu/drm/xe/xe_trace_bo.h | 12 ++++++------
> > >  1 file changed, 6 insertions(+), 6 deletions(-)
> > > 
> > > diff --git a/drivers/gpu/drm/xe/xe_trace_bo.h
> > > b/drivers/gpu/drm/xe/xe_trace_bo.h
> > > index 1762dd30ba6d..ea50fee50c7d 100644
> > > --- a/drivers/gpu/drm/xe/xe_trace_bo.h
> > > +++ b/drivers/gpu/drm/xe/xe_trace_bo.h
> > > @@ -60,8 +60,8 @@ TRACE_EVENT(xe_bo_move,
> > >  	    TP_STRUCT__entry(
> > >  		     __field(struct xe_bo *, bo)
> > >  		     __field(size_t, size)
> > > -		     __field(u32, new_placement)
> > > -		     __field(u32, old_placement)
> > > +		     __string(new_placement_name,
> > > xe_mem_type_to_name[new_placement])
> > > +		     __string(old_placement_name,
> > > xe_mem_type_to_name[old_placement])
> > >  		     __string(device_id, __dev_name_bo(bo))
> > >  		     __field(bool, move_lacks_source)
> > >  			),
> > > @@ -69,15 +69,15 @@ TRACE_EVENT(xe_bo_move,
> > >  	    TP_fast_assign(
> > >  		   __entry->bo      = bo;
> > >  		   __entry->size = bo->size;
> > > -		   __entry->new_placement = new_placement;
> > > -		   __entry->old_placement = old_placement;
> > > +		   __assign_str(new_placement_name);
> > > +		   __assign_str(old_placement_name);
> > >  		   __assign_str(device_id);
> > >  		   __entry->move_lacks_source = move_lacks_source;
> > >  		   ),
> > >  	    TP_printk("move_lacks_source:%s, migrate object %p
> > > [size %zu] from %s to %s device_id:%s",
> > >  		      __entry->move_lacks_source ? "yes" : "no",
> > > __entry->bo, __entry->size,
> > > -		      xe_mem_type_to_name[__entry->old_placement],
> > > -		      xe_mem_type_to_name[__entry->new_placement],
> > > __get_str(device_id))
> > > +		      __get_str(old_placement_name),
> > > +		      __get_str(new_placement_name),
> > > __get_str(device_id))
> > >  );
> > >  
> > >  DECLARE_EVENT_CLASS(xe_vma,
> > > -- 
> > > 2.47.1
> > > 
> > > 
> 
> 




[Index of Archives]     [Linux Kernel]     [Kernel Development Newbies]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite Hiking]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux