List:       oss-security
Subject:    [oss-security] CVE-2017-7346: kernel: drm/vmwgfx: limit the number of mip levels in vmw_gb_surface_d
From:       Vladis Dronov <vdronov () redhat ! com>
Date:       2017-03-31 10:39:03
Message-ID: 1716857341.9702917.1490956743135.JavaMail.zimbra () redhat ! com
Hello,
CVE-2017-7346 was assigned for another flaw in the [vmwgfx] driver.

Best regards,
Vladis Dronov | Red Hat, Inc. | Product Security Engineer

> [Suggested description]
> The vmw_gb_surface_define_ioctl function in
> drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel through
> 4.10.7 does not validate certain levels data, which allows local users
> to cause a denial of service (system hang) via a crafted ioctl call
> for a /dev/dri/renderD* device.
> 
> ------------------------------------------
> 
> [Additional Information]
> It was found that in the Linux kernel, in the
> vmw_gb_surface_define_ioctl() function in the
> 'drivers/gpu/drm/vmwgfx/vmwgfx_surface.c' file, 'req->mip_levels' is a
> user-controlled value which is later used as a loop count limit. This
> allows a local unprivileged user to cause a denial of service by a
> kernel lockup via a crafted ioctl call for a /dev/dri/renderD* device.
> 
> ------------------------------------------
> 
> [VulnerabilityType Other]
> CWE-20
> 
> ------------------------------------------
> 
> [Vendor of Product]
> kernel.org: Linux kernel
> 
> ------------------------------------------
> 
> [Affected Product Code Base]
> Linux kernel - all up to 4.11-rc4
> 
> ------------------------------------------
> 
> [Affected Component]
> vmw_gb_surface_define_ioctl() function, drivers/gpu/drm/vmwgfx/vmwgfx_surface.c file
> 
> ------------------------------------------
> 
> [Attack Type]
> Local
> 
> ------------------------------------------
> 
> [Impact Denial of Service]
> true
> 
> ------------------------------------------
> 
> [Attack Vectors]
> To exploit the vulnerability, a local user has to run a binary which
> makes a certain ioctl() call. To exploit the vulnerability, a local
> unprivileged user has to have read/write permissions to the
> '/dev/dri/renderD*' file.
> 
> ------------------------------------------
> 
> [Reference]
> https://bugzilla.redhat.com/show_bug.cgi?id=1437431
> https://lists.freedesktop.org/archives/dri-devel/2017-March/137429.html
> http://marc.info/?l=linux-kernel&m=149086968410117&w=2
>
> Use CVE-2017-7346.
>
> CVE Assignment Team
> M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
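
The missing bound described in the advisory, as an added example that is not part of the original message or the kernel source: a user-space C model of a request handler that rejects an out-of-range level count before looping on it. The struct, the function names and both caps (24 levels, 16384 per dimension) are assumptions made for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define EX_MAX_MIP_LEVELS 24u    /* assumed cap, for illustration only */
#define EX_MAX_DIM        16384u /* assumed cap; keeps the 64-bit sum from overflowing */

/* Hypothetical stand-in for the user-supplied ioctl request. */
struct ex_surface_req {
    uint32_t width, height, depth;
    uint32_t mip_levels;         /* untrusted: comes straight from the caller */
};

/* Size of one dimension at a given mip level: halved per level, never below 1. */
static uint32_t ex_mip_dim(uint32_t base, uint32_t level)
{
    uint32_t d = base >> level;  /* level < 32 is guaranteed by the cap below */
    return d ? d : 1;
}

/* Returns 0 and stores the texel count over all levels, or -EINVAL. */
int ex_surface_define(const struct ex_surface_req *req, uint64_t *texels)
{
    uint64_t total = 0;

    if (!req || !texels)
        return -EINVAL;
    if (!req->width || !req->height || !req->depth ||
        req->width > EX_MAX_DIM || req->height > EX_MAX_DIM || req->depth > EX_MAX_DIM)
        return -EINVAL;
    /* Bound the loop count before it is ever used as a loop limit. */
    if (!req->mip_levels || req->mip_levels > EX_MAX_MIP_LEVELS)
        return -EINVAL;

    for (uint32_t i = 0; i < req->mip_levels; i++)
        total += (uint64_t)ex_mip_dim(req->width, i) *
                 ex_mip_dim(req->height, i) * ex_mip_dim(req->depth, i);
    *texels = total;
    return 0;
}

int main(void)
{
    struct ex_surface_req huge = { 4, 4, 1, 0xFFFFFFFFu }; /* constructed input */
    uint64_t n = 0;
    printf("oversized request -> %d\n", ex_surface_define(&huge, &n));
    return 0;
}
```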