Commit 12d43deb authored by Jann Horn, committed by Daniel Vetter

drm: fix use-after-free read in drm_mode_create_lease_ioctl()

fd_install() moves the reference given to it into the file descriptor table
of the current process. If the current process is multithreaded, then
immediately after fd_install(), another thread can close() the file
descriptor and cause the file's resources to be cleaned up.

Since the reference to "lessee" is held by the file, we must not access
"lessee" after the fd_install() call.

As far as I can tell, to reach this codepath, the caller must have an open
file descriptor to a DRI device in master mode. I'm not sure what the
requirements for that are.

Signed-off-by: Jann Horn <jannh@google.com>
Fixes: 62884cd3 ("drm: Add four ioctls for managing drm mode object leases [v7]")
Cc: stable@vger.kernel.org
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: https://patchwork.freedesktop.org/patch/msgid/20181001153117.216923-1-jannh@google.com
parent 17b57b18
...@@ -566,14 +566,14 @@ int drm_mode_create_lease_ioctl(struct drm_device *dev, ...@@ -566,14 +566,14 @@ int drm_mode_create_lease_ioctl(struct drm_device *dev,
lessee_priv->is_master = 1; lessee_priv->is_master = 1;
lessee_priv->authenticated = 1; lessee_priv->authenticated = 1;
/* Hook up the fd */
fd_install(fd, lessee_file);
/* Pass fd back to userspace */ /* Pass fd back to userspace */
DRM_DEBUG_LEASE("Returning fd %d id %d\n", fd, lessee->lessee_id); DRM_DEBUG_LEASE("Returning fd %d id %d\n", fd, lessee->lessee_id);
cl->fd = fd; cl->fd = fd;
cl->lessee_id = lessee->lessee_id; cl->lessee_id = lessee->lessee_id;
/* Hook up the fd */
fd_install(fd, lessee_file);
DRM_DEBUG_LEASE("drm_mode_create_lease_ioctl succeeded\n"); DRM_DEBUG_LEASE("drm_mode_create_lease_ioctl succeeded\n");
return 0; return 0;
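Review bot: the `/* Hook up the fd */` comment above the moved `fd_install(fd, lessee_file);` should say explicitly that `lessee`, `lessee_file` and `lessee_priv` must not be touched after this call, because the ownership transfer to the fd table is the entire reason for the reorder and nothing else in the function stops a later change from adding another dereference below it. The move itself is sound: `cl->lessee_id = lessee->lessee_id;` and the `DRM_DEBUG_LEASE("Returning fd %d id %d\n", ...)` line were the only reads of `lessee` after the old `fd_install()` position, and what remains after the new position is a debug print with no `lessee` argument and `return 0;`, so there is no error path that would need to undo the install.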