Re: [Nouveau] [PATCH] drm/nouveau: bail out of nouveau_channel_new if channel init fails

2021-02-07 Thread Salvatore Bonaccorso
Hi Ben,

On Mon, Nov 16, 2020 at 09:04:32AM +1000, Ben Skeggs wrote:
> On Mon, 16 Nov 2020 at 05:19, Karol Herbst  wrote:
> >
> > On Sun, Nov 15, 2020 at 6:43 PM Salvatore Bonaccorso  
> > wrote:
> > >
> > > Hi,
> > >
> > > On Fri, Aug 28, 2020 at 11:28:46AM +0200, Frantisek Hrbata wrote:
> > > > An unprivileged user can crash the kernel by using the
> > > > DRM_IOCTL_NOUVEAU_CHANNEL_ALLOC ioctl; the reproducer below needs only
> > > > read access to the render node (/dev/dri/renderD128), so anyone allowed
> > > > to open that node can trigger it. In the oops below, channel
> > > > initialisation fails with -17 but nouveau_abi16_ioctl_channel_alloc
> > > > then dereferences a NULL pointer (fault address 0xa0): the failure is
> > > > logged but the allocation path does not bail out, which is what this
> > > > patch fixes. This was reported by the trinity[1] fuzzer.
> > > >
> > > > [   71.073906] nouveau :01:00.0: crashme[1329]: channel failed to 
> > > > initialise, -17
> > > > [   71.081730] BUG: kernel NULL pointer dereference, address: 
> > > > 00a0
> > > > [   71.088928] #PF: supervisor read access in kernel mode
> > > > [   71.094059] #PF: error_code(0x) - not-present page
> > > > [   71.099189] PGD 119590067 P4D 119590067 PUD 1054f5067 PMD 0
> > > > [   71.104842] Oops:  [#1] SMP NOPTI
> > > > [   71.108498] CPU: 2 PID: 1329 Comm: crashme Not tainted 5.8.0-rc6+ #2
> > > > [   71.114993] Hardware name: AMD Pike/Pike, BIOS RPK1506A 09/03/2014
> > > > [   71.121213] RIP: 0010:nouveau_abi16_ioctl_channel_alloc+0x108/0x380 
> > > > [nouveau]
> > > > [   71.128339] Code: 48 89 9d f0 00 00 00 41 8b 4c 24 04 41 8b 14 24 45 
> > > > 31 c0 4c 8d 4b 10 48 89 ee 4c 89 f7 e8 10 11 00 00 85 c0 75 78 48 8b 43 
> > > > 10 <8b> 90 a0 00 00 00 41 89 54 24 08 80 7d 3d 05 0f 86 bb 01 00 00 41
> > > > [   71.147074] RSP: 0018:b4a1809cfd38 EFLAGS: 00010246
> > > > [   71.152526] RAX:  RBX: 98cedbaa1d20 RCX: 
> > > > 03bf
> > > > [   71.159651] RDX: 03be RSI:  RDI: 
> > > > 00030160
> > > > [   71.166774] RBP: 98cee776de00 R08: dc0144198a08 R09: 
> > > > 98ceeefd4000
> > > > [   71.173901] R10: 98cee7e81780 R11: 0001 R12: 
> > > > b4a1809cfe08
> > > > [   71.181214] R13: 98cee776d000 R14: 98cec519e000 R15: 
> > > > 98cee776def0
> > > > [   71.188339] FS:  7fd926250500() GS:98ceeac8() 
> > > > knlGS:
> > > > [   71.196418] CS:  0010 DS:  ES:  CR0: 80050033
> > > > [   71.202155] CR2: 00a0 CR3: 000106622000 CR4: 
> > > > 000406e0
> > > > [   71.209297] Call Trace:
> > > > [   71.211777]  ? nouveau_abi16_ioctl_getparam+0x1f0/0x1f0 [nouveau]
> > > > [   71.218053]  drm_ioctl_kernel+0xac/0xf0 [drm]
> > > > [   71.222421]  drm_ioctl+0x211/0x3c0 [drm]
> > > > [   71.226379]  ? nouveau_abi16_ioctl_getparam+0x1f0/0x1f0 [nouveau]
> > > > [   71.232500]  nouveau_drm_ioctl+0x57/0xb0 [nouveau]
> > > > [   71.237285]  ksys_ioctl+0x86/0xc0
> > > > [   71.240595]  __x64_sys_ioctl+0x16/0x20
> > > > [   71.244340]  do_syscall_64+0x4c/0x90
> > > > [   71.248110]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
> > > > [   71.253162] RIP: 0033:0x7fd925d4b88b
> > > > [   71.256731] Code: Bad RIP value.
> > > > [   71.259955] RSP: 002b:7ffc743592d8 EFLAGS: 0206 ORIG_RAX: 
> > > > 0010
> > > > [   71.267514] RAX: ffda RBX:  RCX: 
> > > > 7fd925d4b88b
> > > > [   71.274637] RDX: 00601080 RSI: c0586442 RDI: 
> > > > 0003
> > > > [   71.281986] RBP: 7ffc74359340 R08: 7fd926016ce0 R09: 
> > > > 7fd926016ce0
> > > > [   71.289111] R10: 0003 R11: 0206 R12: 
> > > > 00400620
> > > > [   71.296235] R13: 7ffc74359420 R14:  R15: 
> > > > 
> > > > [   71.303361] Modules linked in: rfkill sunrpc snd_hda_codec_realtek 
> > > > snd_hda_codec_generic ledtrig_audio snd_hda_intel snd_intel_dspcfg 
> > > > snd_hda_codec snd_hda_core edac_mce_amd snd_hwdep kvm_amd snd_seq ccp 
> > > > snd_seq_device snd_pcm kvm snd_timer snd irqbypass soundcore sp5100_tco 
> > > > pcspkr crct10dif_pclmul crc32_pclmul ghash_clmulni_intel wmi_bmof 
> > > > joydev i2c_piix4 fam15h_power k10temp acpi_cpufreq ip_tables xfs 
> > > > libcrc32c sd_mod t10_pi sg nouveau video mxm_wmi i2c_algo_bit 
> > > > drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm 
> > > > broadcom bcm_phy_lib ata_generic ahci drm e1000 crc32c_intel libahci 
> > > > serio_raw tg3 libata firewire_ohci firewire_core wmi crc_itu_t 
> > > > dm_mirror dm_region_hash dm_log dm_mod
> > > > [   71.365269] CR2: 00a0
> > > >
> > > > simplified reproducer
> > > > -8<
> > > > /*
> > > >  * gcc -o crashme crashme.c
> > > >  * ./crashme /dev/dri/renderD128
> > > >  */
> > > >
> > > > struct drm_nouveau_channel_alloc {
> > > >   uint32_t fb_ctxdma_handle;
> > > >   uint32_t tt_ctxdma_handle;
> > > >
> > > >   int  channel;
> > > >   uint32_t pushbuf_domains;
> > > >
> > > >   /* Notifier memory */
> > > >   uint32_t notifier_handle;
> > > >
> > > >   /* DRM-enforced subchannel assignments */
> > > >   struct {
> > > >   uint32_t handle;

Re: [Nouveau] [PATCH] drm/nouveau: bail out of nouveau_channel_new if channel init fails

2020-11-15 Thread Ben Skeggs
On Mon, 16 Nov 2020 at 05:19, Karol Herbst  wrote:
>
> On Sun, Nov 15, 2020 at 6:43 PM Salvatore Bonaccorso  
> wrote:
> >
> > Hi,
> >
> > On Fri, Aug 28, 2020 at 11:28:46AM +0200, Frantisek Hrbata wrote:
> > > An unprivileged user can crash the kernel by using the
> > > DRM_IOCTL_NOUVEAU_CHANNEL_ALLOC ioctl; the reproducer below needs only
> > > read access to the render node (/dev/dri/renderD128), so anyone allowed
> > > to open that node can trigger it. In the oops below, channel
> > > initialisation fails with -17 but nouveau_abi16_ioctl_channel_alloc
> > > then dereferences a NULL pointer (fault address 0xa0): the failure is
> > > logged but the allocation path does not bail out, which is what this
> > > patch fixes. This was reported by the trinity[1] fuzzer.
> > >
> > > [   71.073906] nouveau :01:00.0: crashme[1329]: channel failed to 
> > > initialise, -17
> > > [   71.081730] BUG: kernel NULL pointer dereference, address: 
> > > 00a0
> > > [   71.088928] #PF: supervisor read access in kernel mode
> > > [   71.094059] #PF: error_code(0x) - not-present page
> > > [   71.099189] PGD 119590067 P4D 119590067 PUD 1054f5067 PMD 0
> > > [   71.104842] Oops:  [#1] SMP NOPTI
> > > [   71.108498] CPU: 2 PID: 1329 Comm: crashme Not tainted 5.8.0-rc6+ #2
> > > [   71.114993] Hardware name: AMD Pike/Pike, BIOS RPK1506A 09/03/2014
> > > [   71.121213] RIP: 0010:nouveau_abi16_ioctl_channel_alloc+0x108/0x380 
> > > [nouveau]
> > > [   71.128339] Code: 48 89 9d f0 00 00 00 41 8b 4c 24 04 41 8b 14 24 45 
> > > 31 c0 4c 8d 4b 10 48 89 ee 4c 89 f7 e8 10 11 00 00 85 c0 75 78 48 8b 43 
> > > 10 <8b> 90 a0 00 00 00 41 89 54 24 08 80 7d 3d 05 0f 86 bb 01 00 00 41
> > > [   71.147074] RSP: 0018:b4a1809cfd38 EFLAGS: 00010246
> > > [   71.152526] RAX:  RBX: 98cedbaa1d20 RCX: 
> > > 03bf
> > > [   71.159651] RDX: 03be RSI:  RDI: 
> > > 00030160
> > > [   71.166774] RBP: 98cee776de00 R08: dc0144198a08 R09: 
> > > 98ceeefd4000
> > > [   71.173901] R10: 98cee7e81780 R11: 0001 R12: 
> > > b4a1809cfe08
> > > [   71.181214] R13: 98cee776d000 R14: 98cec519e000 R15: 
> > > 98cee776def0
> > > [   71.188339] FS:  7fd926250500() GS:98ceeac8() 
> > > knlGS:
> > > [   71.196418] CS:  0010 DS:  ES:  CR0: 80050033
> > > [   71.202155] CR2: 00a0 CR3: 000106622000 CR4: 
> > > 000406e0
> > > [   71.209297] Call Trace:
> > > [   71.211777]  ? nouveau_abi16_ioctl_getparam+0x1f0/0x1f0 [nouveau]
> > > [   71.218053]  drm_ioctl_kernel+0xac/0xf0 [drm]
> > > [   71.222421]  drm_ioctl+0x211/0x3c0 [drm]
> > > [   71.226379]  ? nouveau_abi16_ioctl_getparam+0x1f0/0x1f0 [nouveau]
> > > [   71.232500]  nouveau_drm_ioctl+0x57/0xb0 [nouveau]
> > > [   71.237285]  ksys_ioctl+0x86/0xc0
> > > [   71.240595]  __x64_sys_ioctl+0x16/0x20
> > > [   71.244340]  do_syscall_64+0x4c/0x90
> > > [   71.248110]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
> > > [   71.253162] RIP: 0033:0x7fd925d4b88b
> > > [   71.256731] Code: Bad RIP value.
> > > [   71.259955] RSP: 002b:7ffc743592d8 EFLAGS: 0206 ORIG_RAX: 
> > > 0010
> > > [   71.267514] RAX: ffda RBX:  RCX: 
> > > 7fd925d4b88b
> > > [   71.274637] RDX: 00601080 RSI: c0586442 RDI: 
> > > 0003
> > > [   71.281986] RBP: 7ffc74359340 R08: 7fd926016ce0 R09: 
> > > 7fd926016ce0
> > > [   71.289111] R10: 0003 R11: 0206 R12: 
> > > 00400620
> > > [   71.296235] R13: 7ffc74359420 R14:  R15: 
> > > 
> > > [   71.303361] Modules linked in: rfkill sunrpc snd_hda_codec_realtek 
> > > snd_hda_codec_generic ledtrig_audio snd_hda_intel snd_intel_dspcfg 
> > > snd_hda_codec snd_hda_core edac_mce_amd snd_hwdep kvm_amd snd_seq ccp 
> > > snd_seq_device snd_pcm kvm snd_timer snd irqbypass soundcore sp5100_tco 
> > > pcspkr crct10dif_pclmul crc32_pclmul ghash_clmulni_intel wmi_bmof joydev 
> > > i2c_piix4 fam15h_power k10temp acpi_cpufreq ip_tables xfs libcrc32c 
> > > sd_mod t10_pi sg nouveau video mxm_wmi i2c_algo_bit drm_kms_helper 
> > > syscopyarea sysfillrect sysimgblt fb_sys_fops ttm broadcom bcm_phy_lib 
> > > ata_generic ahci drm e1000 crc32c_intel libahci serio_raw tg3 libata 
> > > firewire_ohci firewire_core wmi crc_itu_t dm_mirror dm_region_hash dm_log 
> > > dm_mod
> > > [   71.365269] CR2: 00a0
> > >
> > > simplified reproducer
> > > -8<
> > > /*
> > >  * gcc -o crashme crashme.c
> > >  * ./crashme /dev/dri/renderD128
> > >  */
> > >
> > > /*
> > >  * Userspace copy of the argument block handed to
> > >  * DRM_IOCTL_NOUVEAU_CHANNEL_ALLOC -- presumably duplicated here so the
> > >  * reproducer builds without the kernel uapi headers.  Since this is an
> > >  * ioctl argument, field order and sizes must match the kernel's
> > >  * definition exactly; verify against the uapi header before reusing.
> > >  */
> > > struct drm_nouveau_channel_alloc {
> > >   uint32_t fb_ctxdma_handle;
> > >   uint32_t tt_ctxdma_handle;
> > >
> > >   int  channel;
> > >   uint32_t pushbuf_domains;
> > >
> > >   /* Notifier memory */
> > >   uint32_t notifier_handle;
> > >
> > >   /* DRM-enforced subchannel assignments */
> > >   struct {
> > >   uint32_t handle;
> > >   uint32_t grclass;
> > >   } subchan[8];
> > >   uint32_t nr_subchan;
> > > };
> > >
> > > /* File-scope static, so every field starts out zero (main() is
> > >  * truncated in this quote, so whether it fills anything in is not
> > >  * visible here). */
> > > static struct drm_nouveau_channel_alloc channel;
> > >
> > > int main(int argc, char *argv[]) {
> > >   int fd;
> > >   int rv;
> > >
> > >   

Re: [Nouveau] [PATCH] drm/nouveau: bail out of nouveau_channel_new if channel init fails

2020-11-15 Thread Karol Herbst
On Sun, Nov 15, 2020 at 6:43 PM Salvatore Bonaccorso  wrote:
>
> Hi,
>
> On Fri, Aug 28, 2020 at 11:28:46AM +0200, Frantisek Hrbata wrote:
> > An unprivileged user can crash the kernel by using the
> > DRM_IOCTL_NOUVEAU_CHANNEL_ALLOC ioctl; the reproducer below needs only
> > read access to the render node (/dev/dri/renderD128), so anyone allowed
> > to open that node can trigger it. In the oops below, channel
> > initialisation fails with -17 but nouveau_abi16_ioctl_channel_alloc
> > then dereferences a NULL pointer (fault address 0xa0): the failure is
> > logged but the allocation path does not bail out, which is what this
> > patch fixes. This was reported by the trinity[1] fuzzer.
> >
> > [   71.073906] nouveau :01:00.0: crashme[1329]: channel failed to 
> > initialise, -17
> > [   71.081730] BUG: kernel NULL pointer dereference, address: 
> > 00a0
> > [   71.088928] #PF: supervisor read access in kernel mode
> > [   71.094059] #PF: error_code(0x) - not-present page
> > [   71.099189] PGD 119590067 P4D 119590067 PUD 1054f5067 PMD 0
> > [   71.104842] Oops:  [#1] SMP NOPTI
> > [   71.108498] CPU: 2 PID: 1329 Comm: crashme Not tainted 5.8.0-rc6+ #2
> > [   71.114993] Hardware name: AMD Pike/Pike, BIOS RPK1506A 09/03/2014
> > [   71.121213] RIP: 0010:nouveau_abi16_ioctl_channel_alloc+0x108/0x380 
> > [nouveau]
> > [   71.128339] Code: 48 89 9d f0 00 00 00 41 8b 4c 24 04 41 8b 14 24 45 31 
> > c0 4c 8d 4b 10 48 89 ee 4c 89 f7 e8 10 11 00 00 85 c0 75 78 48 8b 43 10 
> > <8b> 90 a0 00 00 00 41 89 54 24 08 80 7d 3d 05 0f 86 bb 01 00 00 41
> > [   71.147074] RSP: 0018:b4a1809cfd38 EFLAGS: 00010246
> > [   71.152526] RAX:  RBX: 98cedbaa1d20 RCX: 
> > 03bf
> > [   71.159651] RDX: 03be RSI:  RDI: 
> > 00030160
> > [   71.166774] RBP: 98cee776de00 R08: dc0144198a08 R09: 
> > 98ceeefd4000
> > [   71.173901] R10: 98cee7e81780 R11: 0001 R12: 
> > b4a1809cfe08
> > [   71.181214] R13: 98cee776d000 R14: 98cec519e000 R15: 
> > 98cee776def0
> > [   71.188339] FS:  7fd926250500() GS:98ceeac8() 
> > knlGS:
> > [   71.196418] CS:  0010 DS:  ES:  CR0: 80050033
> > [   71.202155] CR2: 00a0 CR3: 000106622000 CR4: 
> > 000406e0
> > [   71.209297] Call Trace:
> > [   71.211777]  ? nouveau_abi16_ioctl_getparam+0x1f0/0x1f0 [nouveau]
> > [   71.218053]  drm_ioctl_kernel+0xac/0xf0 [drm]
> > [   71.222421]  drm_ioctl+0x211/0x3c0 [drm]
> > [   71.226379]  ? nouveau_abi16_ioctl_getparam+0x1f0/0x1f0 [nouveau]
> > [   71.232500]  nouveau_drm_ioctl+0x57/0xb0 [nouveau]
> > [   71.237285]  ksys_ioctl+0x86/0xc0
> > [   71.240595]  __x64_sys_ioctl+0x16/0x20
> > [   71.244340]  do_syscall_64+0x4c/0x90
> > [   71.248110]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
> > [   71.253162] RIP: 0033:0x7fd925d4b88b
> > [   71.256731] Code: Bad RIP value.
> > [   71.259955] RSP: 002b:7ffc743592d8 EFLAGS: 0206 ORIG_RAX: 
> > 0010
> > [   71.267514] RAX: ffda RBX:  RCX: 
> > 7fd925d4b88b
> > [   71.274637] RDX: 00601080 RSI: c0586442 RDI: 
> > 0003
> > [   71.281986] RBP: 7ffc74359340 R08: 7fd926016ce0 R09: 
> > 7fd926016ce0
> > [   71.289111] R10: 0003 R11: 0206 R12: 
> > 00400620
> > [   71.296235] R13: 7ffc74359420 R14:  R15: 
> > 
> > [   71.303361] Modules linked in: rfkill sunrpc snd_hda_codec_realtek 
> > snd_hda_codec_generic ledtrig_audio snd_hda_intel snd_intel_dspcfg 
> > snd_hda_codec snd_hda_core edac_mce_amd snd_hwdep kvm_amd snd_seq ccp 
> > snd_seq_device snd_pcm kvm snd_timer snd irqbypass soundcore sp5100_tco 
> > pcspkr crct10dif_pclmul crc32_pclmul ghash_clmulni_intel wmi_bmof joydev 
> > i2c_piix4 fam15h_power k10temp acpi_cpufreq ip_tables xfs libcrc32c sd_mod 
> > t10_pi sg nouveau video mxm_wmi i2c_algo_bit drm_kms_helper syscopyarea 
> > sysfillrect sysimgblt fb_sys_fops ttm broadcom bcm_phy_lib ata_generic ahci 
> > drm e1000 crc32c_intel libahci serio_raw tg3 libata firewire_ohci 
> > firewire_core wmi crc_itu_t dm_mirror dm_region_hash dm_log dm_mod
> > [   71.365269] CR2: 00a0
> >
> > simplified reproducer
> > -8<
> > /*
> >  * gcc -o crashme crashme.c
> >  * ./crashme /dev/dri/renderD128
> >  */
> >
> > /*
> >  * Userspace copy of the argument block handed to
> >  * DRM_IOCTL_NOUVEAU_CHANNEL_ALLOC (see the ioctl() call in main() below)
> >  * -- presumably duplicated here so the reproducer builds without the
> >  * kernel uapi headers.  Since this is an ioctl argument, field order and
> >  * sizes must match the kernel's definition exactly; verify against the
> >  * uapi header before reusing.
> >  */
> > struct drm_nouveau_channel_alloc {
> >   uint32_t fb_ctxdma_handle;
> >   uint32_t tt_ctxdma_handle;
> >
> >   int  channel;
> >   uint32_t pushbuf_domains;
> >
> >   /* Notifier memory */
> >   uint32_t notifier_handle;
> >
> >   /* DRM-enforced subchannel assignments */
> >   struct {
> >   uint32_t handle;
> >   uint32_t grclass;
> >   } subchan[8];
> >   uint32_t nr_subchan;
> > };
> >
> > /* File-scope static, so zero-initialised; main() below passes it to the
> >  * ioctl without setting any field, i.e. an all-zero request is enough to
> >  * reach the crash. */
> > static struct drm_nouveau_channel_alloc channel;
> >
> > int main(int argc, char *argv[]) {
> >   int fd;
> >   int rv;
> >
> >   if (argc != 2)
> >   die("usage: %s ", 0, argv[0]);
> >
> >   if ((fd = open(argv[1], O_RDONLY)) == -1)
> >   die("open %s", errno, argv[1]);
> >
> >   if (ioctl(fd, DRM_IOCTL_NOUVEAU_CHANNEL_ALLOC, &channel) == -1 &&
> >   errn