oss-sec mailing list archives
CVE: kernel: drm/vmwgfx: check that number of mip levels is above zero in vmw_surface_define_ioctl()
From: Vladis Dronov <vdronov () redhat com>
Date: Mon, 27 Mar 2017 12:06:49 -0400 (EDT)
Hello,

CVE-2017-7261 was assigned for the following flaw in the [vmwgfx] driver.

[Suggested description]
The vmw_surface_define_ioctl function in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel through 4.10.5 does not check for a zero value of certain levels data, which allows local users to cause a denial of service (ZERO_SIZE_PTR dereference, and GPF and possibly panic) via a crafted ioctl call for a /dev/dri/renderD* device.

------------------------------------------

[Additional Information]
It was found that in the Linux kernel, in the vmw_surface_define_ioctl() function in the 'drivers/gpu/drm/vmwgfx/vmwgfx_surface.c' file, a 'num_sizes' parameter is assigned a user-controlled value which is not checked for being zero. This is used in a call to kmalloc() and later leads to dereferencing ZERO_SIZE_PTR, which in turn leads to a GPF and possibly to a kernel panic.

------------------------------------------

[VulnerabilityType Other]
CWE-839

------------------------------------------

[Vendor of Product]
kernel.org: Linux kernel

------------------------------------------

[Affected Product Code Base]
Linux kernel - all up to 4.11-rc3

------------------------------------------

[Affected Component]
vmw_surface_define_ioctl() function, drivers/gpu/drm/vmwgfx/vmwgfx_surface.c file

------------------------------------------

[Attack Type]
Local

------------------------------------------

[Impact Denial of Service]
true

------------------------------------------

[Attack Vectors]
To exploit the vulnerability a local user has to run a binary which makes a certain ioctl() call

------------------------------------------

[Reference]
https://bugzilla.redhat.com/show_bug.cgi?id=1435719
https://lists.freedesktop.org/archives/dri-devel/2017-March/136814.html
http://marc.info/?t=149037004200005&r=1&w=2

------------------------------------------

[Has vendor confirmed or acknowledged the vulnerability?]
true

Use CVE-2017-7261.

Best regards,
Vladis Dronov | Red Hat, Inc. | Product Security Engineer
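
An added illustration, not part of the original post and not the kernel's code: a user-space C model of why a NULL check does not catch a zero-size kmalloc() result, and where the zero check on 'num_sizes' belongs. The model_* helpers, the define_* functions and the numeric limits are assumptions made for this sketch.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
/* Model constants: assumed for this example, not taken from the post. */
#define MODEL_MAX_FACES 6
#define MODEL_MAX_LEVELS (MODEL_MAX_FACES * 24)
#define MODEL_ZERO_SIZE_PTR ((void *)16) /* stands in for ZERO_SIZE_PTR */
struct model_size { uint32_t width, height, depth; };

/* Like kmalloc(): a zero-byte request returns a non-NULL sentinel. */
static void *model_kmalloc(size_t n) { return n ? malloc(n) : MODEL_ZERO_SIZE_PTR; }
static void model_kfree(void *p) { if (p != MODEL_ZERO_SIZE_PTR) free(p); }

static uint64_t total_levels(const uint32_t *mip)
{
    uint64_t n = 0; /* 64-bit: the sum of six 32-bit counts cannot wrap */
    for (int i = 0; i < MODEL_MAX_FACES; i++) n += mip[i];
    return n;
}

/* Before: upper bound and NULL check only; *bad_ptr reports the sentinel. */
static int define_unchecked(const uint32_t *mip, int *bad_ptr)
{
    uint64_t num_sizes = total_levels(mip);
    if (num_sizes > MODEL_MAX_LEVELS) return -EINVAL;
    struct model_size *sizes = model_kmalloc(num_sizes * sizeof(*sizes));
    if (sizes == NULL) return -ENOMEM;
    *bad_ptr = ((void *)sizes == MODEL_ZERO_SIZE_PTR); /* recorded, never dereferenced */
    model_kfree(sizes);
    return 0;
}

/* After: a zero total is rejected before anything is allocated. */
static int define_checked(const uint32_t *mip)
{
    uint64_t num_sizes = total_levels(mip);
    if (num_sizes == 0 || num_sizes > MODEL_MAX_LEVELS) return -EINVAL;
    struct model_size *sizes = model_kmalloc(num_sizes * sizeof(*sizes));
    if (sizes == NULL) return -ENOMEM;
    sizes[0] = (struct model_size){0, 0, 0}; /* safe: at least one element */
    model_kfree(sizes);
    return 0;
}

int main(void)
{
    uint32_t zero[MODEL_MAX_FACES] = {0}; /* constructed input: no levels */
    int bad = 0, rc = define_unchecked(zero, &bad);
    printf("before: rc=%d bad_ptr=%d  after: rc=%d\n", rc, bad, define_checked(zero));
    return 0;
}
```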