Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 29 Mar 2017 07:10:35 -0400 (EDT)
From: Vladis Dronov <vdronov@...hat.com>
To: oss-security@...ts.openwall.com
Cc: liqiang6-s@....cn
Subject: CVE-2017-7294: kernel: drm/vmwgfx: limit mip levels in
 vmw_surface_define_ioctl()

hello,

CVE-2017-7294 was assigned for another flaw in [vmwgfx] driver.

> Below is the CVE ID for this new vulnerability (we understand that it
> is completely different from CVE-2017-7261, even though the affected
> function is the same).
>
> [Suggested description]
> In was found that in the Linux kernel in vmw_surface_define_ioctl()
> function in 'drivers/gpu/drm/vmwgfx/vmwgfx_surface.c' file, a
> 'req->mip_levels[i]' are user-controlled values which are not checked
> for the upper limit and are used to calculate 'num_sizes' parameter.
> Both the 'num_sizes' and the array are 'uint32_t' so it is possible to
> make 'num_sizes' overflow. Later 'mip_levels[i]' are used as the loop
> count. This can lead an oob-write and/or kernel lockup or crash. Due
> to the nature of the flaw, privilege escalation cannot be fully ruled
> out.
> 
> ------------------------------------------
> 
> [Additional Information]
> Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely.
> 
> ------------------------------------------
> 
> [VulnerabilityType Other]
> CWE-20
> 
> ------------------------------------------
> 
> [Vendor of Product]
> kernel.org: Linux kernel
> 
> ------------------------------------------
> 
> [Affected Product Code Base]
> Linux kernel - all upto 4.11-rc3
> 
> ------------------------------------------
> 
> [Affected Component]
> vmw_surface_define_ioctl() function, drivers/gpu/drm/vmwgfx/vmwgfx_surface.c file
> 
> ------------------------------------------
> 
> [Attack Type]
> Local
> 
> ------------------------------------------
> 
> [Impact Denial of Service]
> true
> 
> ------------------------------------------
> 
> [Impact Escalation of Privileges]
> true
> 
> ------------------------------------------
> 
> [Attack Vectors]
> to exploit vulnerability a local user have to run a binary which makes certain ioctl() call
> 
> ------------------------------------------
> 
> [Reference]
> https://lists.freedesktop.org/archives/dri-devel/2017-March/137094.html
> https://bugzilla.redhat.com/show_bug.cgi?id=1436798
> 
> ------------------------------------------
> 
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
> 
> ------------------------------------------
> 
> [Discoverer]
> Li Qiang of the Gear Team, Qihoo 360 Inc
>
> Use CVE-2017-7294.
>
> CVE Assignment Team
> M/S M300, 202 Burlington Road, Bedford, MA 01730 USA

Best regards,
Vladis Dronov | Red Hat, Inc. | Product Security Engineer

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.