Bug 1437431 (CVE-2017-7346)

Summary: CVE-2017-7346 kernel: drm/vmwgfx: limit the number of mip levels in vmw_gb_surface_define_ioctl()
Product: [Other] Security Response
Reporter: Vladis Dronov <vdronov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: agordeev, aquini, arm-mgr, bhu, dhoward, esammons, fhrbata, gansalmon, hwkernel-mgr, iboverma, ichavero, itamar, jforbes, jkacur, joelsmith, jonathan, jross, jwboyer, kernel-maint, kernel-mgr, labbott, lgoncalv, lwang, madhu.chinakonda, matt, mchehab, mcressma, mguzik, nmurray, pholasek, plougher, rt-maint, rvrbovsk, williams
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: impact=low,public=20170330,reported=20170330,source=researcher,cvss3=5.5/CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H,cwe=CWE-20,rhel-5/kernel=notaffected,rhel-6/kernel=wontfix,rhel-7/kernel=wontfix,rhel-7/kernel-rt=wontfix,mrg-2/realtime-kernel=wontfix,rhelsa-7/arm-kernel=affected,fedora-all/kernel=affected
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
In the Linux kernel's vmw_gb_surface_define_ioctl() function, in the 'drivers/gpu/drm/vmwgfx/vmwgfx_surface.c' file, 'req->mip_levels' is a user-controlled value which is later used as a loop count limit. This allows a local unprivileged user to cause a denial of service by a kernel lockup via a crafted ioctl call on a '/dev/dri/renderD*' device.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-03-31 07:28:16 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 1437432, 1437862, 1437863
Bug Blocks: 1392508
Attachments:
dmesg_vmw_gb_surface_create_softlockup.txt (flags: none)

Description Vladis Dronov 2017-03-30 06:15:31 EDT
It was found that in the Linux kernel, in the vmw_gb_surface_define_ioctl() function in the 'drivers/gpu/drm/vmwgfx/vmwgfx_surface.c' file, 'req->mip_levels' is a user-controlled value which is later used as a loop count limit. This allows a local unprivileged user to cause a denial of service by a kernel lockup via a crafted ioctl call on a '/dev/dri/renderD*' device.

References:

http://seclists.org/oss-sec/2017/q1/696

Proposed patch:

https://lists.freedesktop.org/archives/dri-devel/2017-March/137429.html

http://marc.info/?l=linux-kernel&m=149086968410117&w=2

Upstream patch:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ee9c4e681ec4f58e42a83cb0c22a0289ade1aacf
Comment 1 Vladis Dronov 2017-03-30 06:17:10 EDT
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1437432]
Comment 3 Vladis Dronov 2017-03-30 06:41:31 EDT
Research:

Linux VMware guests have the device file /dev/dri/renderD128 (or Dxxx) which can be used to send ioctl()s to the VMware graphics driver, the [vmwgfx] module. On some distributions this device is readable and writable by unprivileged users. On RHEL and Fedora this is restricted to root:video only, but a console graphics user (i.e. one who used a graphical login at the system console) is also granted permission to read from and write to this file.

In vmw_gb_surface_define_ioctl(), the 'req->mip_levels' parameter is 'uint32_t' and is assigned a value one can control from userspace. Later in svga3dsurface_get_serialized_size() it is used as a loop count limit. This can lead to a kernel lockup and DoS:

> static inline u32
> svga3dsurface_get_serialized_size(SVGA3dSurfaceFormat format,
>                                   surf_size_struct base_level_size,
>                                   u32 num_mip_levels,
>                                   u32 num_layers)
> ...
>         for (mip = 0; mip < num_mip_levels; mip++) {
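To make the loop-bound problem concrete, here is an added user-space model (not the driver's code and not the reporter's) of the per-mip loop described above, beside a define path hardened in the way the upstream fix does: the user value is checked against a maximum before it ever becomes a loop count. The value of DRM_VMW_MAX_MIP_LEVELS, the 4-bytes-per-pixel format, and the request struct layout are assumptions for the model.

```c
#include <errno.h>
#include <stdint.h>

/* Assumed value of DRM_VMW_MAX_MIP_LEVELS from the vmwgfx uapi header;
 * treat it as an assumption and check it against your kernel tree. */
#define DRM_VMW_MAX_MIP_LEVELS 15

struct surf_size { uint32_t width, height, depth; };

/* Stand-in for the ioctl request: only the fields the issue involves. */
struct gb_surface_req {
    uint32_t mip_levels;          /* user-controlled loop bound */
    struct surf_size base_size;
};

/* Model of the per-mip loop in svga3dsurface_get_serialized_size():
 * each level halves every dimension (floor 1) and the level sizes are
 * summed. The iteration count is exactly num_mip_levels, so a value near
 * UINT32_MAX keeps the CPU in this loop for billions of iterations,
 * which is the soft lockup seen in the attached dmesg. */
static uint64_t model_serialized_size(uint32_t bytes_per_pixel,
                                      struct surf_size base,
                                      uint32_t num_mip_levels,
                                      uint32_t num_layers)
{
    uint64_t w = base.width, h = base.height, d = base.depth, total = 0;
    for (uint32_t mip = 0; mip < num_mip_levels; mip++) {
        total += w * h * d * bytes_per_pixel * num_layers;
        w = w > 1 ? w / 2 : 1;
        h = h > 1 ? h / 2 : 1;
        d = d > 1 ? d / 2 : 1;
    }
    return total;
}

/* Hardened define path: bound the user value before it reaches the loop
 * and return -EINVAL on an oversized request, as the upstream fix does.
 * Assumes 4 bytes per pixel and one layer for the modelled format. */
static int hardened_gb_surface_define(const struct gb_surface_req *req,
                                      uint64_t *size_out)
{
    if (req->mip_levels > DRM_VMW_MAX_MIP_LEVELS)
        return -EINVAL;
    *size_out = model_serialized_size(4, req->base_size, req->mip_levels, 1);
    return 0;
}
```

With the check in place a request carrying mip_levels = UINT32_MAX is rejected in constant time instead of driving the loop; a 256x256 surface with 9 levels still yields the expected 349524 bytes.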
Comment 4 Vladis Dronov 2017-03-30 06:42 EDT
Created attachment 1267497 [details]
dmesg_vmw_gb_surface_create_softlockup.txt
Comment 5 Vladis Dronov 2017-03-30 06:50:11 EDT
The bug was discovered by Murray McAllister from Insomnia Security, who requested not to properly credit him or mention in an advisory. Thanks, Murray!
Comment 8 Vladis Dronov 2017-03-31 07:28:16 EDT
Statement:

This issue does not affect the Linux kernel packages as shipped with Red Hat Enterprise Linux 5 as the code where the flaw was found is not present in this product.

This issue affects the Linux kernel packages as shipped with Red Hat Enterprise Linux 6, 7 and MRG-2. This has been rated as having Low security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.