Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 29 Mar 2017 07:10:35 -0400 (EDT)
From: Vladis Dronov <vdronov@...hat.com>
To: oss-security@...ts.openwall.com
Cc: liqiang6-s@....cn
Subject: CVE-2017-7294: kernel: drm/vmwgfx: limit mip levels in
 vmw_surface_define_ioctl()

hello,

CVE-2017-7294 was assigned for another flaw in [vmwgfx] driver.

> Below is the CVE ID for this new vulnerability (we understand that it
> is completely different from CVE-2017-7261, even though the affected
> function is the same).
>
> [Suggested description]
> In was found that in the Linux kernel in vmw_surface_define_ioctl()
> function in 'drivers/gpu/drm/vmwgfx/vmwgfx_surface.c' file, a
> 'req->mip_levels[i]' are user-controlled values which are not checked
> for the upper limit and are used to calculate 'num_sizes' parameter.
> Both the 'num_sizes' and the array are 'uint32_t' so it is possible to
> make 'num_sizes' overflow. Later 'mip_levels[i]' are used as the loop
> count. This can lead an oob-write and/or kernel lockup or crash. Due
> to the nature of the flaw, privilege escalation cannot be fully ruled
> out.
> 
> ------------------------------------------
> 
> [Additional Information]
> Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely.
> 
> ------------------------------------------
> 
> [VulnerabilityType Other]
> CWE-20
> 
> ------------------------------------------
> 
> [Vendor of Product]
> kernel.org: Linux kernel
> 
> ------------------------------------------
> 
> [Affected Product Code Base]
> Linux kernel - all upto 4.11-rc3
> 
> ------------------------------------------
> 
> [Affected Component]
> vmw_surface_define_ioctl() function, drivers/gpu/drm/vmwgfx/vmwgfx_surface.c file
> 
> ------------------------------------------
> 
> [Attack Type]
> Local
> 
> ------------------------------------------
> 
> [Impact Denial of Service]
> true
> 
> ------------------------------------------
> 
> [Impact Escalation of Privileges]
> true
> 
> ------------------------------------------
> 
> [Attack Vectors]
> to exploit vulnerability a local user have to run a binary which makes certain ioctl() call
> 
> ------------------------------------------
> 
> [Reference]
> https://lists.freedesktop.org/archives/dri-devel/2017-March/137094.html
> https://bugzilla.redhat.com/show_bug.cgi?id=1436798
> 
> ------------------------------------------
> 
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
> 
> ------------------------------------------
> 
> [Discoverer]
> Li Qiang of the Gear Team, Qihoo 360 Inc
>
> Use CVE-2017-7294.
>
> CVE Assignment Team
> M/S M300, 202 Burlington Road, Bedford, MA 01730 USA

Best regards,
Vladis Dronov | Red Hat, Inc. | Product Security Engineer

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ