oss-sec mailing list archives
CVE-2022-22942: Linux kernel: wrong file descriptor handling in the vmwgfx driver
From: Mathias Krause <minipli () grsecurity net>
Date: Thu, 27 Jan 2022 21:00:19 +0100
Hi! A vulnerability was found in the vmwgfx driver that allows unprivileged users to gain access to files opened by other processes on the system through a dangling 'file' pointer. Exploiting this vulnerability requires an attacker to have access to either /dev/dri/card0 or /dev/dri/rendererD128 and be able to issue an ioctl() on the resulting file descriptor. Linux kernels making use of the vmwgfx driver and containing commit c906965dee22 ("drm/vmwgfx: Add export fence to file descriptor support") are affected, which is v4.14+. If the vmwgfx driver isn't loaded, your system isn't affected. Systems using the VMWare graphics card emulated by QEMU (-vga vmware) aren't affected either, as these lack a required feature that makes the driver fail to load. Attached are patches as have been sent to linux-distros on Jan. 21st. They're against mainline Linux (0001-*.patch) or backports for all affected kernels (backport-*.patch) respectively. They should soon be merged into the corresponding Linux kernel trees. CVE-2022-22942 was allocated for this issue. Thanks, Mathias
Attachment:
backport-5.16-drm-vmwgfx-Fix-stale-file-descriptors-on-failed-user.patch
Description:
Attachment:
backport-4.19-drm-vmwgfx-Fix-stale-file-descriptors-on-failed-user.patch
Description:
Attachment:
0001-drm-vmwgfx-Fix-stale-file-descriptors-on-failed-user.patch
Description:
Attachment:
OpenPGP_signature
Description: OpenPGP digital signature
Current thread:
- CVE-2022-22942: Linux kernel: wrong file descriptor handling in the vmwgfx driver Mathias Krause (Jan 27)
- Re: CVE-2022-22942: Linux kernel: wrong file descriptor handling in the vmwgfx driver Mathias Krause (Jan 27)
- Re: CVE-2022-22942: Linux kernel: wrong file descriptor handling in the vmwgfx driver Mathias Krause (Feb 03)
- Re: CVE-2022-22942: Linux kernel: wrong file descriptor handling in the vmwgfx driver Mathias Krause (Jan 27)