Date: Fri, 31 Mar 2017 06:39:03 -0400 (EDT)
From: Vladis Dronov <vdronov@...hat.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2017-7346: kernel: drm/vmwgfx: limit the number of mip levels
 in vmw_gb_surface_define_ioctl()

Hello,
CVE-2017-7346 was assigned for another flaw in the [vmwgfx] driver.

Best regards,
Vladis Dronov | Red Hat, Inc. | Product Security Engineer

> [Suggested description]
> The vmw_gb_surface_define_ioctl function in
> drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel through
> 4.10.7 does not validate certain levels data, which allows local users
> to cause a denial of service (system hang) via a crafted ioctl call
> for a /dev/dri/renderD* device.
> 
> ------------------------------------------
> 
> [Additional Information]
> It was found that in the Linux kernel, in the
> vmw_gb_surface_define_ioctl() function in the
> 'drivers/gpu/drm/vmwgfx/vmwgfx_surface.c' file, 'req->mip_levels' is a
> user-controlled value which is later used as a loop count limit. This
> allows a local unprivileged user to cause a denial of service by a
> kernel lockup via a crafted ioctl call for a /dev/dri/renderD* device.
> 
> ------------------------------------------
> 
> [VulnerabilityType Other]
> CWE-20
> 
> ------------------------------------------
> 
> [Vendor of Product]
> kernel.org: Linux kernel
> 
> ------------------------------------------
> 
> [Affected Product Code Base]
> Linux kernel - all up to 4.11-rc4
> 
> ------------------------------------------
> 
> [Affected Component]
> vmw_gb_surface_define_ioctl() function, drivers/gpu/drm/vmwgfx/vmwgfx_surface.c file
> 
> ------------------------------------------
> 
> [Attack Type]
> Local
> 
> ------------------------------------------
> 
> [Impact Denial of Service]
> true
> 
> ------------------------------------------
> 
> [Attack Vectors]
> To exploit the vulnerability, a local user has to run a binary which
> makes a certain ioctl() call. To exploit the vulnerability, a local
> unprivileged user has to have read/write permissions to the
> '/dev/dri/renderD*' file.
> 
> ------------------------------------------
> 
> [Reference]
> https://bugzilla.redhat.com/show_bug.cgi?id=1437431
> https://lists.freedesktop.org/archives/dri-devel/2017-March/137429.html
> http://marc.info/?l=linux-kernel&m=149086968410117&w=2
>
> Use CVE-2017-7346.
>
> CVE Assignment Team
> M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
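
Added example, not part of the original message and not the kernel's code: a user-space C model of the pattern described above, where a caller-supplied mip_levels value is used as a loop bound, beside a version that rejects out-of-range values before doing any per-level work. The struct, the function names, the 4-bytes-per-pixel layout and the cap of 24 are assumptions made for illustration.

```c
#include <errno.h>
#include <stdint.h>

#define EX_MAX_MIP_LEVELS 24u  /* assumed bound for this example */

struct ex_surface_req {        /* hypothetical stand-in for the ioctl request */
    uint32_t mip_levels;       /* caller-controlled, like req->mip_levels */
    uint32_t width, height;    /* base level size in pixels */
};

/* Per-level work: one iteration per requested level, so the caller's
 * value alone decides how long this runs. Returns iterations performed. */
static uint64_t ex_layout(const struct ex_surface_req *req, uint64_t *bytes)
{
    uint32_t w = req->width, h = req->height;
    uint64_t n = 0;

    *bytes = 0;
    for (uint32_t i = 0; i < req->mip_levels; i++, n++) {
        *bytes += (uint64_t)w * h * 4;   /* 4 bytes per pixel, assumed */
        w = w > 1 ? w / 2 : 1;           /* each level halves, down to 1x1 */
        h = h > 1 ? h / 2 : 1;
    }
    return n;
}

/* Before: the loop bound is taken from the request as-is. */
int ex_define_unchecked(const struct ex_surface_req *req,
                        uint64_t *iters, uint64_t *bytes)
{
    *iters = ex_layout(req, bytes);
    return 0;
}

/* After: reject out-of-range counts before any per-level work. */
int ex_define_checked(const struct ex_surface_req *req,
                      uint64_t *iters, uint64_t *bytes)
{
    *iters = 0;
    *bytes = 0;
    if (req->mip_levels > EX_MAX_MIP_LEVELS)
        return -EINVAL;
    *iters = ex_layout(req, bytes);
    return 0;
}
```

In the unchecked form the iteration count tracks the request field directly; in the checked form a rejected request performs zero iterations.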
