oss-security - Re: Linux kernel: drm/vmwgfx: 4 byte read of uninitialised kernel memory in vmw_gb_surface_define

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [<thread-prev] [day] [month] [year] [list]

Date: Wed, 14 Jun 2017 09:24:26 +1200
From: Murray McAllister <murray.mcallister@...omniasec.com>
To: oss-security@...ts.openwall.com
Subject: Re: Linux kernel: drm/vmwgfx: 4 byte read of uninitialised kernel
 memory in vmw_gb_surface_define_ioctl()

On 13/06/17 15:39, Murray McAllister wrote:
> The vmw_gb_surface_define_ioctl() function (accessible via
> DRM_IOCTL_VMW_GB_SURFACE_CREATE) defines a backup_handle variable but
> does not give it an initial value. If you attempt to create a GB
> surface, and provide a previously-allocated DMA buffer to be used as a
> backup buffer, the backup_handle variable does not get written to and is
> then later returned to user-space.
> 
> Upstream commit:
> 
> https://github.com/torvalds/linux/commit/07678eca2cf9c9a18584e546c2b2a0d0c9a3150c
> 
> CVE:
> 
> I'll request one now and reply once I have one.
> 

MITRE assigned CVE-2017-9605.

Thanks

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.