I've sent it using git send-email with another email account (zyytlz...@163.com)
Regards,
Zheng Wang
Jani Nikula 于2022年9月19日周一 17:30写道:
>
> On Mon, 19 Sep 2022, Zheng Wang <1002992...@qq.com> wrote:
> > From afe79848cb74cc8e45ab426d13fa2394c87e0422 Mon Sep 17 00:00:00 2001
> > From: xmzyshypnc
On Wed, Sep 28, 2022 at 11:33:40AM +0800, Zheng Wang wrote:
> If intel_gvt_dma_map_guest_page failed, it will call
> ppgtt_invalidate_spt, which will finally free the spt.
> But the caller does not notice that, it will free spt again in error path.
>
> Fix this by only freeing spt in ppgtt_invalid
> That is a horrible way to make an api (and it should be a bool too.)
> Now every time you see this call in the code, you have to go look up
> what the last parameter means. Just make 2 functions, one that does the
> "is error" thing, and one that does not, and that will be much easier to
> maint
On Mon, Sep 05, 2022 at 03:46:09PM +0800, Zheng Hacker wrote:
> I rewrote the letter. Hope it works.
>
> There is a double-free security bug in split_2MB_gtt_entry.
>
> Here is a calling chain :
> ppgtt_populate_spt->ppgtt_populate_shadow_entry->split_2MB_gtt_entry.
> If intel_gvt_dma_map_guest_p
Hi Greg,
Alex has explained how we figured out the patch. We did analyze the
code and found it possible to reach the vulnerability code. But we
have no physical device in hand to test the driver. So we'd like to
discuss with developers to see if the issue exists or not.
Best regards,
Zheng Wang.
Hello everyone,
I'm Zheng Wang. I found a potential double-free bug
in drivers/gpu/drm/i915/gvt/gtt.c. I haven't been replied for a long time.
So I decided to send it to more relavent supporters and developers to help
to solve the problem.
Best regards,
Zheng Wang.
xmzyshypnc <1002992...@qq.com>
I rewrote the letter. Hope it works.
There is a double-free security bug in split_2MB_gtt_entry.
Here is a calling chain :
ppgtt_populate_spt->ppgtt_populate_shadow_entry->split_2MB_gtt_entry.
If intel_gvt_dma_map_guest_page failed, it will call
ppgtt_invalidate_spt, which will finally call ppgtt
Resent the mail for the former letter contains html text.
Regards,
Zheng Wang
Zheng Hacker 于2022年9月5日周一 12:47写道:
> Hello everyone,
>
> I'm Zheng Wang. I found a potential double-free bug
> in drivers/gpu/drm/i915/gvt/gtt.c. I haven't been replied for a long time.
> So I decided to send it to m
Hi everyone,
Now the letter is really plain-text now :)
Thanks Greg
Regards,
Zheng Wang
Zheng Hacker 于2022年9月5日周一 12:47写道:
>
> Hello everyone,
>
> I'm Zheng Wang. I found a potential double-free bug in
> drivers/gpu/drm/i915/gvt/gtt.c. I haven't been replied for a long time. So I
> decided to
On 2022.09.06 19:36:56 +0800, Zheng Hacker wrote:
> Hi Greg,
>
> Alex has explained how we figured out the patch. We did analyze the
> code and found it possible to reach the vulnerability code. But we
> have no physical device in hand to test the driver. So we'd like to
> discuss with developers
On Thu, Sep 08, 2022 at 05:09:40PM +0800, Zheng Hacker wrote:
> Hi Zhenyu,
>
> This issue has been open for a few days. Could you plz write a patch
> for that :) I'm not familiar with the logical code here.
As this is only able to be hit in a theoretical system, it isn't that
high of a priority,
Hi Zhenyu,
Very glad for your reply. I agree that the bug is hard to trigger in
userspace. But it is possible to happen in some specific scene. For
example, if calling pfn_valid failed, the bug will be triggered. And
it did happened as the [1] commit description illustrates.
As for the patch, I t
Hi Zhenyu,
This issue has been open for a few days. Could you plz write a patch
for that :) I'm not familiar with the logical code here.
Regards,
Zheng Wang
Zhenyu Wang 于2022年9月7日周三 11:33写道:
>
> On 2022.09.06 19:36:56 +0800, Zheng Hacker wrote:
> > Hi Greg,
> >
> > Alex has explained how we fig
Hi Greg,
I got it, Greg.
Mid-Autumn Festival is coming and I will have a couple of days off.
I'll see what I can do after holiday :)
Regards,
Zheng Wang
在 2022年9月8日星期四,Greg KH 写道:
> On Thu, Sep 08, 2022 at 05:09:40PM +0800, Zheng Hacker wrote:
> > Hi Zhenyu,
> >
> > This issue has been open
On Fri, Sep 16, 2022 at 02:39:21PM +0800, Zheng Hacker wrote:
> >From 8d95c1399e3ff345500a575e21254a73b0c89144 Mon Sep 17 00:00:00 2001
> From: xmzyshypnc <1002992...@qq.com>
> Date: Fri, 16 Sep 2022 14:37:48 +0800
> Subject: [PATCH] drm/i915/gvt: fix double-free bug in split_2MB_gtt_entry
>
> The
On Fri, Sep 16, 2022 at 11:54:42PM +0800, Zheng Hacker wrote:
> >From afe79848cb74cc8e45ab426d13fa2394c87e0422 Mon Sep 17 00:00:00 2001
> From: xmzyshypnc <1002992...@qq.com>
> Date: Fri, 16 Sep 2022 23:48:23 +0800
> Subject: [PATCH] drm/i915/gvt: fix double-free bug in split_2MB_gtt_entry
>
> The
On Mon, 19 Sep 2022, Zheng Wang <1002992...@qq.com> wrote:
> From afe79848cb74cc8e45ab426d13fa2394c87e0422 Mon Sep 17 00:00:00 2001
> From: xmzyshypnc <1002992...@qq.com>
> Date: Fri, 16 Sep 2022 23:48:23 +0800
> Subject: [PATCH] drm/i915/gvt: fix double-free bug in split_2MB_gtt_entry
>
> There i
Hi greg,
Thanks for pointing that out. Working on it now :)
Best wishes,
Zheng Wang
Greg KH 于2022年9月16日周五 16:25写道:
>
> On Fri, Sep 16, 2022 at 02:39:21PM +0800, Zheng Hacker wrote:
> > >From 8d95c1399e3ff345500a575e21254a73b0c89144 Mon Sep 17 00:00:00 2001
> > From: xmzyshypnc <1002992...@qq.co
Hi Greg,
Sorry for that. I’ll write another one.
Regards,
Zheng Wang
在 2022年9月17日星期六,Greg KH 写道:
> On Fri, Sep 16, 2022 at 11:54:42PM +0800, Zheng Hacker wrote:
> > >From afe79848cb74cc8e45ab426d13fa2394c87e0422 Mon Sep 17 00:00:00 2001
> > From: xmzyshypnc <1002992...@qq.com>
> > Date: Fri, 1
>From afe79848cb74cc8e45ab426d13fa2394c87e0422 Mon Sep 17 00:00:00 2001
From: xmzyshypnc <1002992...@qq.com>
Date: Fri, 16 Sep 2022 23:48:23 +0800
Subject: [PATCH] drm/i915/gvt: fix double-free bug in split_2MB_gtt_entry
There is a double-free security bug in split_2MB_gtt_entry.
Here is a callin
>From 8d95c1399e3ff345500a575e21254a73b0c89144 Mon Sep 17 00:00:00 2001
From: xmzyshypnc <1002992...@qq.com>
Date: Fri, 16 Sep 2022 14:37:48 +0800
Subject: [PATCH] drm/i915/gvt: fix double-free bug in split_2MB_gtt_entry
There is a double-free security bug in split_2MB_gtt_entry.
Here is a callin
From afe79848cb74cc8e45ab426d13fa2394c87e0422 Mon Sep 17 00:00:00 2001
From: xmzyshypnc <1002992...@qq.com>
Date: Fri, 16 Sep 2022 23:48:23 +0800
Subject: [PATCH] drm/i915/gvt: fix double-free bug in split_2MB_gtt_entry
There is a double-free security bug in split_2MB_gtt_entry.
Here is a calling
I'll try using another mail client like Mutt later. :)
Regards,
Zheng Wang
Greg KH 于2022年9月17日周六 17:07写道:
>
> On Fri, Sep 16, 2022 at 11:54:42PM +0800, Zheng Hacker wrote:
> > >From afe79848cb74cc8e45ab426d13fa2394c87e0422 Mon Sep 17 00:00:00 2001
> > From: xmzyshypnc <1002992...@qq.com>
> > Dat
Here I introduced is_error to judge if the ppgtt_invalidate_spt is
called from good case or not. Only free spt in good case, leave it to
handle for the error path of caller.
Zheng Hacker 于2022年9月16日周五 14:39写道:
>
> From 8d95c1399e3ff345500a575e21254a73b0c89144 Mon Sep 17 00:00:00 2001
> From: xmzy
Got it. I'll try again later.
Best Regards,
Zheng Wang
Jani Nikula 于2022年9月19日周一 17:30写道:
>
> On Mon, 19 Sep 2022, Zheng Wang <1002992...@qq.com> wrote:
> > From afe79848cb74cc8e45ab426d13fa2394c87e0422 Mon Sep 17 00:00:00 2001
> > From: xmzyshypnc <1002992...@qq.com>
> > Date: Fri, 16 Sep 2022
25 matches
Mail list logo