CVE-2022-22942: Linux kernel: wrong file descriptor handling in the vmwgfx driver

[Mathias Krause <minipli () grsecurity net>]

Hi!

A vulnerability was found in the vmwgfx driver that allows unprivileged
users to gain access to files opened by other processes on the system
through a dangling 'file' pointer.

Exploiting this vulnerability requires an attacker to have access to
either /dev/dri/card0 or /dev/dri/rendererD128 and be able to issue an
ioctl() on the resulting file descriptor.

Linux kernels making use of the vmwgfx driver and containing commit
c906965dee22 ("drm/vmwgfx: Add export fence to file descriptor support")
are affected, which is v4.14+.

If the vmwgfx driver isn't loaded, your system isn't affected.

Systems using the VMWare graphics card emulated by QEMU (-vga vmware)
aren't affected either, as these lack a required feature that makes the
driver fail to load.

Attached are patches as have been sent to linux-distros on Jan. 21st.
They're against mainline Linux (0001-*.patch) or backports for all
affected kernels (backport-*.patch) respectively. They should soon be
merged into the corresponding Linux kernel trees.

CVE-2022-22942 was allocated for this issue.

Thanks,
Mathias

Attachment: backport-5.16-drm-vmwgfx-Fix-stale-file-descriptors-on-failed-user.patch
Description:

Attachment: backport-4.19-drm-vmwgfx-Fix-stale-file-descriptors-on-failed-user.patch
Description:

Attachment: 0001-drm-vmwgfx-Fix-stale-file-descriptors-on-failed-user.patch
Description:

Attachment: OpenPGP_signature
Description: OpenPGP digital signature