Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 13 Jun 2017 15:39:26 +1200
From: Murray McAllister <murray.mcallister@...omniasec.com>
To: oss-security@...ts.openwall.com
Subject: Linux kernel: drm/vmwgfx: 4 byte read of uninitialised kernel memory
 in vmw_gb_surface_define_ioctl()

The vmw_gb_surface_define_ioctl() function (accessible via
DRM_IOCTL_VMW_GB_SURFACE_CREATE) defines a backup_handle variable but
does not give it an initial value. If you attempt to create a GB
surface, and provide a previously-allocated DMA buffer to be used as a
backup buffer, the backup_handle variable does not get written to and is
then later returned to user-space.

Upstream commit:

https://github.com/torvalds/linux/commit/07678eca2cf9c9a18584e546c2b2a0d0c9a3150c

CVE:

I'll request one now and reply once I have one.

Chur

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ