oss-sec mailing list archives
CVE-2017-7346: kernel: drm/vmwgfx: limit the number of mip levels in vmw_gb_surface_define_ioctl()
From: Vladis Dronov <vdronov () redhat com>
Date: Fri, 31 Mar 2017 06:39:03 -0400 (EDT)
Hello,

CVE-2017-7346 was assigned for another flaw in the [vmwgfx] driver.

Best regards,
Vladis Dronov | Red Hat, Inc. | Product Security Engineer

[Suggested description]
The vmw_gb_surface_define_ioctl function in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel through 4.10.7 does not validate certain levels data, which allows local users to cause a denial of service (system hang) via a crafted ioctl call for a /dev/dri/renderD* device.

------------------------------------------

[Additional Information]
It was found that in the Linux kernel, in the vmw_gb_surface_define_ioctl() function in the 'drivers/gpu/drm/vmwgfx/vmwgfx_surface.c' file, 'req->mip_levels' is a user-controlled value which is later used as a loop count limit. This allows a local unprivileged user to cause a denial of service by a kernel lockup via a crafted ioctl call for a /dev/dri/renderD* device.

------------------------------------------

[VulnerabilityType Other]
CWE-20

------------------------------------------

[Vendor of Product]
kernel.org: Linux kernel

------------------------------------------

[Affected Product Code Base]
Linux kernel - all up to 4.11-rc4

------------------------------------------

[Affected Component]
vmw_gb_surface_define_ioctl() function, drivers/gpu/drm/vmwgfx/vmwgfx_surface.c file

------------------------------------------

[Attack Type]
Local

------------------------------------------

[Impact Denial of Service]
true

------------------------------------------

[Attack Vectors]
To exploit the vulnerability, a local user has to run a binary which makes a certain ioctl() call.
To exploit the vulnerability, a local unprivileged user has to have read/write permissions to the '/dev/dri/renderD*' file.

------------------------------------------

[Reference]
https://bugzilla.redhat.com/show_bug.cgi?id=1437431
https://lists.freedesktop.org/archives/dri-devel/2017-March/137429.html
http://marc.info/?l=linux-kernel&m=149086968410117&w=2

Use CVE-2017-7346.

CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
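
The class of check the advisory calls for, a bound on a user-controlled loop count before any per-level work, shown as an added user-space example that is not part of the original post and is not the kernel's code. The struct, the function name, the EXAMPLE_MAX_MIP_LEVELS value of 24, the width/height fields and the per-level texel sum are assumptions made for illustration; only 'mip_levels' comes from the advisory.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed cap for this example; the advisory does not state the limit. */
#define EXAMPLE_MAX_MIP_LEVELS 24u

/* Hypothetical stand-in for the ioctl request; only mip_levels is named
 * in the advisory, the other fields are constructed for the example. */
struct example_surface_req {
    uint32_t mip_levels;  /* user-controlled loop count */
    uint32_t base_width;
    uint32_t base_height;
};

/* Validate the user-supplied count before it bounds any loop, then sum
 * the texels of each mip level with overflow checking.
 * Returns 0 on success, -EINVAL or -EOVERFLOW on rejected input. */
static int example_define_surface(const struct example_surface_req *req,
                                  uint64_t *texels_out)
{
    uint64_t total = 0;
    uint32_t w = req->base_width, h = req->base_height;

    if (req->mip_levels > EXAMPLE_MAX_MIP_LEVELS)
        return -EINVAL;  /* without this, up to 2^32-1 iterations */

    for (uint32_t i = 0; i < req->mip_levels; i++) {
        uint64_t level = (uint64_t)w * h;
        if (level > UINT64_MAX - total)
            return -EOVERFLOW;
        total += level;
        w = w > 1 ? w / 2 : 1;  /* each level halves, floor of 1 */
        h = h > 1 ? h / 2 : 1;
    }
    *texels_out = total;
    return 0;
}

int main(void)
{
    struct example_surface_req ok = { 3, 4, 4 };            /* constructed */
    struct example_surface_req bad = { 0xFFFFFFFFu, 4, 4 }; /* constructed */
    uint64_t texels = 0;

    printf("ok:  %d\n", example_define_surface(&ok, &texels));
    printf("bad: %d\n", example_define_surface(&bad, &texels));
    return 0;
}
```

The rejection happens before the loop, so an oversized count costs one comparison instead of billions of iterations in a non-preemptible path.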