
Comments (3)

Cryptogenic commented on August 16, 2024

Another panic but this time in Mira::Plugins::FakePkgManager::SceSblDriverFindMappedPageListByGpuVa. Looks to be caused by the same issue.

## Kernel panic: received fatal trap 12 (page fault) while in kernel mode.
##
## fault virtual address: 0x286
## fault code: supervisor read data, page not present
##
## instruction pointer: 0x20:0xffffff806ba470ab
## stack pointer: 0x28:0xffffff806a6eeca0
## frame pointer: 0x28:0xffffff806a6eecb0
## code segment:  base 0x0, limit 0xfffff, type 0x1b
##                DPL 0, pres 1, long 1, def32 0, gran 1
## processor eflags: interrupt enabled, resume, IOPL = 0
## current process: 41 (SceLibNpRifMgrIpcDispatcher)
##
## kernel base: 0xffffffffd4fe8000
## mira base:   0xffffff806b9ac000 (size: 0x6a928)
## mira proc:   0xffffe53c401716c0 (entry: 0xffffff806ba344f8)
## mira entrypoint (mira_entry): 0xffffff806ba344f8
##     messageManager: 0xffffe53c060d9800
##     pluginManager:  0xffffe53c403ab900
##     rpcServer:      0xffffe53c4044e180
##
## instruction pointer offset (kernel: 0xffffff8096a5f0ab) (mira_entry: 0x12bb3)
##
## last branch from: 0xffffff806ba47094
## last branch to:   0xffffff806ba470a7
##
## registers:
## rax: 0x0000000000000286  rbx: 0xffffff806a6eef08
## rcx: 0x0000000017768000  rdx: 0x0000000000000230
## rsi: 0x0000000000000000  rdi: 0x0000000017768000
## rbp: 0xffffff806a6eecb0  rsp: 0xffffff806a6eecb0
## r8 : 0xffffffffd6aacae0  r9 : 0xffffffffd60750d8
## r10: 0xffffffffae1c6150  r11: 0xffffffffd60748b0
## r12: 0xffffffffd7800010  r13: 0xffffffffd7800010
## r14: 0xffffff806a6ef7e0  r15: 0xffffffffd7768000
##
## backtrace: 
##  [0] [return: 0xffffff806ba470e1] [from: 0xffffff806a6eecb0]
##  [1] [return: 0xffffff806ba45572] [from: 0xffffff806a6eece0]
##  [2] [return: 0xffffffffd5635504] [from: 0xffffff806a6eed30]
##  [3] [return: 0xffffffffd5636885] [from: 0xffffff806a6eedf0]
##  [4] [return: 0xffffffffd5635e78] [from: 0xffffff806a6ef330]
##  [5] [return: 0xffffffffd509b725] [from: 0xffffff806a6ef840]
##  [6] [return: 0xffffffffd513bb45] [from: 0xffffff806a6ef8a0]
##  [7] [return: 0xffffffffd513b90c] [from: 0xffffff806a6ef8f0]
##  [8] [return: 0xffffff806ba35439] [from: 0xffffff806a6ef950]
##  [9] [return: 0xffffffffd4fe8668] [from: 0xffffff806a6ef990]
##  [10] [return: 0xffffffffd4fe8313] [from: 0xffffff806a6efaa0]

from mira-project.

Cryptogenic commented on August 16, 2024

Another panic but this time in Mira::Plugins::FakePkgManager::SceSblDriverFindMappedPageListByGpuVa. Looks to be caused by the same issue.

## Kernel panic: received fatal trap 12 (page fault) while in kernel mode.
##
## fault virtual address: 0x286
## fault code: supervisor read data, page not present
##
## instruction pointer: 0x20:0xffffff806ba470ab
## stack pointer: 0x28:0xffffff806a6eeca0
## frame pointer: 0x28:0xffffff806a6eecb0
## code segment:  base 0x0, limit 0xfffff, type 0x1b
...

Ok so this panic is 99.9% a race induced use-after-free (UAF), because here's the crash location in binja:

The crash occurs on 0x2B0A3 because rax is a garbage non-pointer value. What's essentially happening here is a linked list iteration on sbl_driver_mapped_pages. Everywhere in the kernel that uses this list locks while iterating it, for very good reason. If an entry is dropped from this list while it's being iterated, you end up with a situation like this one, a use-after-free which causes mem corruption when reading the UAF'd node.

I'm not sure of the exact name of this mutex, but this iteration should be locked on the mutex found at offset 0x271E210 (5.05). It may not be the only issue, but it is an issue and is almost certainly the cause of this panic.

from mira-project.

Cryptogenic commented on August 16, 2024

This issue also exists in Mira::Plugins::FakePkgManager::SceSblDriverFindMappedPageListByGpuVa because of duplicated code, which likely explains why IDC's as well as my own tests with locking on FakeSelfManager weren't fixing the crash. When the list traversal is locked in both functions, the bug appears to be fixed.

Pre-fix, this bug triggered roughly once every 10 application launches. Post-fix, no crash reported after 50+ runs, make that 75+.

// Lock before we iterate this list, because other paths can absolutely use it concurrently
_mtx_lock_flags(s_SblDrvMsgMtx, 0, __FILE__, __LINE__);

while (s_Entry)
{
    if (s_Entry->gpuVa == p_GpuVa)
    {
        s_FinalEntry = s_Entry;
        break;
    }

    s_Entry = s_Entry->next;
}

_mtx_unlock_flags(s_SblDrvMsgMtx, 0, __FILE__, __LINE__);

from mira-project.
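The locked traversal from the comment above, generalised into a self-contained user-space model (an added example, not Mira's or the kernel's code): the lookup takes the same mutex as the path that unlinks and frees entries, and copies the result out before releasing it, because a raw node pointer handed back after the unlock would reopen the same window a concurrent remove can exploit. The list, lock and field names are assumptions, and the sample GPU VAs are constructed.

```c
#include <pthread.h>
#include <stdint.h>
#include <stdlib.h>
/* Toy model of a driver's mapped-page list, constructed for this example;
 * field and lock names are assumptions, not the kernel's or Mira's layout. */
typedef struct mapped_page {
    uint64_t gpuVa, size;
    struct mapped_page *next;
} mapped_page_t;

static mapped_page_t *s_ListHead;
static pthread_mutex_t s_ListMtx = PTHREAD_MUTEX_INITIALIZER; /* guards s_ListHead */

void mapped_list_insert(uint64_t gpuVa, uint64_t size)
{
    mapped_page_t *e = calloc(1, sizeof(*e));
    e->gpuVa = gpuVa; e->size = size;
    pthread_mutex_lock(&s_ListMtx);
    e->next = s_ListHead; s_ListHead = e;
    pthread_mutex_unlock(&s_ListMtx);
}

/* Unlink and free under the same lock the lookup takes; 1 if removed, else 0. */
int mapped_list_remove(uint64_t gpuVa)
{
    int removed = 0;
    pthread_mutex_lock(&s_ListMtx);
    for (mapped_page_t **pp = &s_ListHead; *pp; pp = &(*pp)->next) {
        if ((*pp)->gpuVa != gpuVa) continue;
        mapped_page_t *victim = *pp;
        *pp = victim->next;
        free(victim);
        removed = 1;
        break;
    }
    pthread_mutex_unlock(&s_ListMtx);
    return removed;
}

/* Locked lookup by GPU VA. The size is copied out before unlocking, so the
 * caller never keeps a pointer into a node a concurrent remove could free.
 * Returns 0 when no entry matches. */
uint64_t mapped_list_find_size(uint64_t gpuVa)
{
    uint64_t size = 0;
    pthread_mutex_lock(&s_ListMtx);
    for (mapped_page_t *e = s_ListHead; e; e = e->next)
        if (e->gpuVa == gpuVa) { size = e->size; break; }
    pthread_mutex_unlock(&s_ListMtx);
    return size;
}
```

The lock only helps if every reader and writer of the list takes it, which is exactly why fixing one of the two duplicated traversals was not enough.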
