CVE-2023-53235

In the Linux kernel, the following vulnerability has been resolved:

drm/tests: helpers: Avoid a driver uaf

when using _drmkunithelperallocdrmdevice() the driver may be dereferenced by device-managed resources up until the device is freed, which is typically later than the kunit-managed resource code frees it. Fix this by simply make the driver device-managed as well.

In short, the sequence leading to the UAF is as follows:

INIT: Code allocates a struct device as a kunit-managed resource. Code allocates a drm driver as a kunit-managed resource. Code allocates a drm device as a device-managed resource.

EXIT: Kunit resource cleanup frees the drm driver Kunit resource cleanup puts the struct device, which starts a device-managed resource cleanup device-managed cleanup calls drmdevput() drmdevput() dereferences the (now freed) drm driver -> Boom.

Related KASAN message: [55272.551542] ================================================================== [55272.551551] BUG: KASAN: slab-use-after-free in drmdevput.part.0+0xd4/0xe0 [drm] [55272.551603] Read of size 8 at addr ffff888127502828 by task kunittrycatch/10353

[55272.551612] CPU: 4 PID: 10353 Comm: kunittrycatch Tainted: G U N 6.5.0-rc7+ #155 [55272.551620] Hardware name: ASUS System Product Name/PRIME B560M-A AC, BIOS 0403 01/26/2021 [55272.551626] Call Trace: [55272.551629] <TASK> [55272.551633] dumpstacklvl+0x57/0x90 [55272.551639] printreport+0xcf/0x630 [55272.551645] ? _rawspinlockirqsave+0x5f/0x70 [55272.551652] ? drmdevput.part.0+0xd4/0xe0 [drm] [55272.551694] kasanreport+0xd7/0x110 [55272.551699] ? drmdevput.part.0+0xd4/0xe0 [drm] [55272.551742] drmdevput.part.0+0xd4/0xe0 [drm] [55272.551783] devresreleaseall+0x15d/0x1f0 [55272.551790] ? _pfxdevresreleaseall+0x10/0x10 [55272.551797] deviceunbindcleanup+0x16/0x1a0 [55272.551802] devicereleasedriverinternal+0x3e5/0x540 [55272.551808] ? kobjectput+0x5d/0x4b0 [55272.551814] busremovedevice+0x1f1/0x3f0 [55272.551819] devicedel+0x342/0x910 [55272.551826] ? _pfxdevicedel+0x10/0x10 [55272.551830] ? lockrelease+0x339/0x5e0 [55272.551836] ? kunitremoveresource+0x128/0x290 [kunit] [55272.551845] ? _pfxlockrelease+0x10/0x10 [55272.551851] platformdevicedel.part.0+0x1f/0x1e0 [55272.551856] ? _rawspinunlockirqrestore+0x30/0x60 [55272.551863] kunitremoveresource+0x195/0x290 [kunit] [55272.551871] ? rawspinunlockirqrestore+0x30/0x60 [55272.551877] kunitcleanup+0x78/0x120 [kunit] [55272.551885] ? _kthreadparkme+0xc1/0x1f0 [55272.551891] ? _pfxkunittryruncasecleanup+0x10/0x10 [kunit] [55272.551900] ? _pfxkunitgenericrunthreadfnadapter+0x10/0x10 [kunit] [55272.551909] kunitgenericrunthreadfnadapter+0x4a/0x90 [kunit] [55272.551919] kthread+0x2e7/0x3c0 [55272.551924] ? _pfxkthread+0x10/0x10 [55272.551929] retfromfork+0x2d/0x70 [55272.551935] ? _pfxkthread+0x10/0x10 [55272.551940] retfromforkasm+0x1b/0x30 [55272.551948] </TASK>

[55272.551953] Allocated by task 10351: [55272.551956] kasansavestack+0x1c/0x40 [55272.551962] kasansettrack+0x21/0x30 [55272.551966] _kasankmalloc+0x8b/0x90 [55272.551970] _kmalloc+0x5e/0x160 [55272.551976] kunitkmallocarray+0x1c/0x50 [kunit] [55272.551984] drmexectestinit+0xfa/0x2c0 [drmexectest] [55272.551991] kunittryruncase+0xdd/0x250 [kunit] [55272.551999] kunitgenericrunthreadfnadapter+0x4a/0x90 [kunit] [55272.552008] kthread+0x2e7/0x3c0 [55272.552012] retfromfork+0x2d/0x70 [55272.552017] retfromforkasm+0x1b/0x30

[55272.552024] Freed by task 10353: [55272.552027] kasansavestack+0x1c/0x40 [55272.552032] kasansettrack+0x21/0x30 [55272.552036] kasansavefreeinfo+0x27/0x40 [55272.552041] _kasanslabfree+0x106/0x180 [55272.552046] slabfreefreelisthook+0xb3/0x160 [55272.552051] _kmemcachefree+0xb2/0x290 [55272.552056] kunitremoveresource+0x195/0x290 [kunit] [55272.552064] kunit_cleanup+0x7 ---truncated---