Date: Tue, 13 Jun 2017 15:39:26 +1200 From: Murray McAllister <murray.mcallister@...omniasec.com> To: oss-security@...ts.openwall.com Subject: Linux kernel: drm/vmwgfx: 4 byte read of uninitialised kernel memory in vmw_gb_surface_define_ioctl() The vmw_gb_surface_define_ioctl() function (accessible via DRM_IOCTL_VMW_GB_SURFACE_CREATE) defines a backup_handle variable but does not give it an initial value. If you attempt to create a GB surface, and provide a previously-allocated DMA buffer to be used as a backup buffer, the backup_handle variable does not get written to and is then later returned to user-space. Upstream commit: https://github.com/torvalds/linux/commit/07678eca2cf9c9a18584e546c2b2a0d0c9a3150c CVE: I'll request one now and reply once I have one. Chur
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ