CVE-2017-7294: kernel: drm/vmwgfx: limit mip levels in vmw_surface_define_ioctl()

[Vladis Dronov <vdronov () redhat com>]

hello,

CVE-2017-7294 was assigned for another flaw in [vmwgfx] driver.

> Below is the CVE ID for this new vulnerability (we understand that it
> is completely different from CVE-2017-7261, even though the affected
> function is the same).
>
> [Suggested description]
> In was found that in the Linux kernel in vmw_surface_define_ioctl()
> function in 'drivers/gpu/drm/vmwgfx/vmwgfx_surface.c' file, a
> 'req->mip_levels[i]' are user-controlled values which are not checked
> for the upper limit and are used to calculate 'num_sizes' parameter.
> Both the 'num_sizes' and the array are 'uint32_t' so it is possible to
> make 'num_sizes' overflow. Later 'mip_levels[i]' are used as the loop
> count. This can lead an oob-write and/or kernel lockup or crash. Due
> to the nature of the flaw, privilege escalation cannot be fully ruled
> out.
>
> ------------------------------------------
>
> [Additional Information]
> Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely.
>
> ------------------------------------------
>
> [VulnerabilityType Other]
> CWE-20
>
> ------------------------------------------
>
> [Vendor of Product]
> kernel.org: Linux kernel
>
> ------------------------------------------
>
> [Affected Product Code Base]
> Linux kernel - all upto 4.11-rc3
>
> ------------------------------------------
>
> [Affected Component]
> vmw_surface_define_ioctl() function, drivers/gpu/drm/vmwgfx/vmwgfx_surface.c file
>
> ------------------------------------------
>
> [Attack Type]
> Local
>
> ------------------------------------------
>
> [Impact Denial of Service]
> true
>
> ------------------------------------------
>
> [Impact Escalation of Privileges]
> true
>
> ------------------------------------------
>
> [Attack Vectors]
> to exploit vulnerability a local user have to run a binary which makes certain ioctl() call
>
> ------------------------------------------
>
> [Reference]
> https://lists.freedesktop.org/archives/dri-devel/2017-March/137094.html
> https://bugzilla.redhat.com/show_bug.cgi?id=1436798
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
>
> ------------------------------------------
>
> [Discoverer]
> Li Qiang of the Gear Team, Qihoo 360 Inc
>
> Use CVE-2017-7294.
>
> CVE Assignment Team
> M/S M300, 202 Burlington Road, Bedford, MA 01730 USA

Best regards,
Vladis Dronov | Red Hat, Inc. | Product Security Engineer