Re: Linux kernel: A concurrency use-after-free between drm_setmaster_ioctl and drm_mode_getresources

[Greg KH <greg () kroah com>]

On Tue, Apr 12, 2022 at 07:42:04PM +0800, Minh Yuan wrote:
> Hi guys,
>
> We recently discovered a concurrency uaf in drm of the latest kernel
> version (Linux 4.19.237).

Note, this issue is not a problem for kernel versions 5.15 and newer,
the relevant commits have not yet been backported to older stable kernel
trees.  I have a list (as does the author of this report) of the needed
commits if anyone wishes to help in backporting (and testing.)

5.10.y and 5.4.y have some of the needed changes (as does 4.19.y), but
not all of them, so I do not know if the reproducer works on those trees
at this point in time.

> int fd1 = open("/dev/dri/card0",0);
> fd = open("/dev/dri/card0",0);

Also note that this issue requires access to these device nodes.

thanks,

greg k-h