Bug 1435719 (CVE-2017-7261)

Summary: CVE-2017-7261 kernel: drm/vmwgfx: check that number of mip levels is above zero
Product: [Other] Security Response Reporter: Vladis Dronov <vdronov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: agordeev, aquini, bhu, carnil, dhoward, esammons, fhrbata, gansalmon, hwkernel-mgr, iboverma, ichavero, itamar, jforbes, jkacur, joelsmith, jonathan, jross, jwboyer, kernel-maint, kernel-mgr, labbott, lgoncalv, lwang, madhu.chinakonda, matt, mchehab, mcressma, mguzik, nmurray, pholasek, plougher, rt-maint, rvrbovsk, security-response-team, williams
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
It was found that in the Linux kernel, in vmw_surface_define_ioctl() function in 'drivers/gpu/drm/vmwgfx/vmwgfx_surface.c' file, a 'num_sizes' parameter is assigned a user-controlled value which is not checked if it is zero. This is used in a call to kmalloc() and later leads to dereferencing ZERO_SIZE_PTR, which in turn leads to a GPF and possibly to a kernel panic.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2017-03-31 11:55:16 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1435740, 1437874    
Bug Blocks: 1392508    

Description Vladis Dronov 2017-03-24 15:18:38 UTC 
In was found that in the Linux kernel in vmw_surface_define_ioctl() function in 'drivers/gpu/drm/vmwgfx/vmwgfx_surface.c' file, a 'num_sizes' parameter is assigned a user-controlled value which is not checked if it is zero. This is used in a call to kmalloc() and later leads to dereferencing ZERO_SIZE_PTR, which in turn leads to a GPF and possibly to a kernel panic.

References:

http://seclists.org/oss-sec/2017/q1/684

Proposed patch:

https://lists.freedesktop.org/archives/dri-devel/2017-March/136814.html

http://marc.info/?t=149037004200005&r=1&w=2
Comment 1 Vladis Dronov 2017-03-24 15:53:14 UTC 
Research:

Linux VMware guests have the device file /dev/dri/renderD128 (or Dxxx) which can be used to send ioctl()s to VMWare graphics driver, [vmwgfx] module. On some distributions this device is readable and writable by unprivileged users. On RHEL and Fedora this is restricted to root:video only, but console graphics user  (i.e. one used graphic login at the system console) is also granted permissions to read/write to this file.

In vmw_surface_define_ioctl(), a 'num_sizes' parameter is assigned a value
one can control through 'mip_levels' array provided from a userspace. This gets checked to ensure it is not too big, but it is not checked if it is zero:

>        num_sizes = 0;
>        for (i = 0; i < DRM_VMW_MAX_SURFACE_FACES; ++i)
>                num_sizes += req->mip_levels[i];
> 
>        if (num_sizes > DRM_VMW_MAX_SURFACE_FACES *
>            DRM_VMW_MAX_MIP_LEVELS)
>                return -EINVAL;

This is later used in a call to memdup_user() and kmalloc_array():

>        srf->num_sizes = num_sizes;
>        srf->sizes = memdup_user((struct drm_vmw_size __user *)(unsigned long)
>                                 req->size_addr,
>                                 sizeof(*srf->sizes) * srf->num_sizes);
>        srf->offsets = kmalloc_array(srf->num_sizes,
>                                     sizeof(*srf->offsets),
>                                     GFP_KERNEL);

which won't return NULL, but does return ZERO_SIZE_PTR, refer to https://lwn.net/Articles/236920/ for background information on this:

> #define ZERO_SIZE_PTR ((void *)16)

Later ZERO_SIZE_PTR is dereferenced which leads to a GPF and possibly to a kernel panic:

>        srf->base_size = *srf->sizes;
Comment 2 Vladis Dronov 2017-03-24 16:03:03 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1435740]
Comment 4 Vladis Dronov 2017-03-24 16:12:12 UTC 
Statement:

This issue does not affect the Linux kernel packages as shipped with Red Hat Enterprise Linux 5 as the code with the flaw is not present in this product.

This issue affects the Linux kernel packages as shipped with Red Hat Enterprise Linux 6, 7 and MRG-2. This has been rated as having Low security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.
Comment 6 Vladis Dronov 2017-03-30 10:50:37 UTC 
The bug was discovered by Murray McAllister from Insomnia Security, who requested not to properly credit him or mention in an advisory. Thanks, Murray!
Comment 8 Fedora Update System 2017-04-01 17:33:32 UTC 
kernel-4.11.0-0.rc4.git0.1.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.