Date: Mon, 27 Mar 2017 12:06:49 -0400 (EDT)
From: Vladis Dronov <vdronov@...hat.com>
To: oss-security@...ts.openwall.com
Subject: CVE: kernel: drm/vmwgfx: check that number of mip levels is above
 zero in vmw_surface_define_ioctl()

hello,

CVE-2017-7261 was assigned for the following flaw in the [vmwgfx] driver.

> [Suggested description]
> The vmw_surface_define_ioctl function in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel through 4.10.5
> does not check for a zero value of certain levels data, which
> allows local users to cause a denial of service (ZERO_SIZE_PTR dereference, and
> GPF and possibly panic) via a crafted ioctl call for
> a /dev/dri/renderD* device.
> 
> ------------------------------------------
> 
> [Additional Information]
> It was found that in the Linux kernel, in the vmw_surface_define_ioctl()
> function in the 'drivers/gpu/drm/vmwgfx/vmwgfx_surface.c' file, a
> 'num_sizes' parameter is assigned a user-controlled value which is not
> checked if it is zero. This is used in a call to kmalloc() and later
> leads to dereferencing ZERO_SIZE_PTR, which in turn leads to a GPF and
> possibly to a kernel panic.
> 
> ------------------------------------------
> 
> [VulnerabilityType Other]
> CWE-839
> 
> ------------------------------------------
> 
> [Vendor of Product]
> kernel.org: Linux kernel
> 
> ------------------------------------------
> 
> [Affected Product Code Base]
> Linux kernel - all up to 4.11-rc3
> 
> ------------------------------------------
> 
> [Affected Component]
> vmw_surface_define_ioctl() function, drivers/gpu/drm/vmwgfx/vmwgfx_surface.c file
> 
> ------------------------------------------
> 
> [Attack Type]
> Local
> 
> ------------------------------------------
> 
> [Impact Denial of Service]
> true
> 
> ------------------------------------------
> 
> [Attack Vectors]
> To exploit the vulnerability, a local user has to run a binary which makes a certain ioctl() call
> 
> ------------------------------------------
> 
> [Reference]
> https://bugzilla.redhat.com/show_bug.cgi?id=1435719
> https://lists.freedesktop.org/archives/dri-devel/2017-March/136814.html
> http://marc.info/?t=149037004200005&r=1&w=2
> 
> ------------------------------------------
> 
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
>
> Use CVE-2017-7261.

Best regards,
Vladis Dronov | Red Hat, Inc. | Product Security Engineer
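
The missing check described in the advisory, as an added userspace model that is not part of the original post and is not the driver's code. The `model_*` names and the two limits are assumptions made for illustration; `ZERO_SIZE_PTR` has the value the kernel defines in include/linux/slab.h, which is why a NULL test after the allocation does not catch a zero `num_sizes`.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Sentinel the kernel slab allocator returns for a zero-byte request. */
#define ZERO_SIZE_PTR ((void *)16)
/* Constructed limits for this model (assumptions, not read from the page). */
#define MODEL_FACES 6
#define MODEL_MAX_LEVELS 24

struct model_size { uint32_t width, height, depth; };

/* Stand-in for kmalloc(): zero bytes yields ZERO_SIZE_PTR, not NULL. */
static void *model_kmalloc(size_t bytes)
{
    return bytes == 0 ? ZERO_SIZE_PTR : malloc(bytes);
}

static void model_kfree(void *p)
{
    if (p != NULL && p != ZERO_SIZE_PTR)
        free(p);
}

/* Sum user-supplied per-face level counts into num_sizes and allocate the
 * size array. reject_zero == 0 models the missing check, 1 models the fix. */
static int model_define(const uint32_t levels[MODEL_FACES], int reject_zero,
                        struct model_size **out)
{
    uint32_t num_sizes = 0;
    for (int i = 0; i < MODEL_FACES; i++) {
        if (levels[i] > MODEL_MAX_LEVELS)
            return -EINVAL;
        num_sizes += levels[i];
    }
    if (reject_zero && num_sizes == 0)
        return -EINVAL;            /* the "above zero" check */
    *out = model_kmalloc(num_sizes * sizeof(**out));
    if (*out == NULL)              /* does not catch ZERO_SIZE_PTR */
        return -ENOMEM;
    return 0;                      /* a caller would now use (*out)[0] */
}

int main(void)
{
    uint32_t zero[MODEL_FACES] = {0};
    struct model_size *p = NULL;
    return model_define(zero, 1, &p) == -EINVAL ? 0 : 1;
}
```

With `reject_zero` set to 0 and all counts zero, the function reports success while `*out` holds the non-NULL sentinel, so the first access to the array would touch an unmapped low address.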
