oss-sec mailing list archives
CVE-2017-7294: kernel: drm/vmwgfx: limit mip levels in vmw_surface_define_ioctl()
From: Vladis Dronov <vdronov () redhat com>
Date: Wed, 29 Mar 2017 07:10:35 -0400 (EDT)
hello, CVE-2017-7294 was assigned for another flaw in [vmwgfx] driver.
Below is the CVE ID for this new vulnerability (we understand that it is completely different from CVE-2017-7261, even though the affected function is the same). [Suggested description] In was found that in the Linux kernel in vmw_surface_define_ioctl() function in 'drivers/gpu/drm/vmwgfx/vmwgfx_surface.c' file, a 'req->mip_levels[i]' are user-controlled values which are not checked for the upper limit and are used to calculate 'num_sizes' parameter. Both the 'num_sizes' and the array are 'uint32_t' so it is possible to make 'num_sizes' overflow. Later 'mip_levels[i]' are used as the loop count. This can lead an oob-write and/or kernel lockup or crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out. ------------------------------------------ [Additional Information] Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely. ------------------------------------------ [VulnerabilityType Other] CWE-20 ------------------------------------------ [Vendor of Product] kernel.org: Linux kernel ------------------------------------------ [Affected Product Code Base] Linux kernel - all upto 4.11-rc3 ------------------------------------------ [Affected Component] vmw_surface_define_ioctl() function, drivers/gpu/drm/vmwgfx/vmwgfx_surface.c file ------------------------------------------ [Attack Type] Local ------------------------------------------ [Impact Denial of Service] true ------------------------------------------ [Impact Escalation of Privileges] true ------------------------------------------ [Attack Vectors] to exploit vulnerability a local user have to run a binary which makes certain ioctl() call ------------------------------------------ [Reference] https://lists.freedesktop.org/archives/dri-devel/2017-March/137094.html https://bugzilla.redhat.com/show_bug.cgi?id=1436798 ------------------------------------------ [Has vendor confirmed or acknowledged the vulnerability?] true ------------------------------------------ [Discoverer] Li Qiang of the Gear Team, Qihoo 360 Inc Use CVE-2017-7294. CVE Assignment Team M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
Best regards, Vladis Dronov | Red Hat, Inc. | Product Security Engineer
Current thread:
- CVE-2017-7294: kernel: drm/vmwgfx: limit mip levels in vmw_surface_define_ioctl() Vladis Dronov (Mar 29)