Bug 2277161 (ZDI-CAN-23566)

Summary: kernel: vmwgfx: Out-Of-Bounds read in vmw_event_fence_action_create
Product: [Other] Security Response Reporter: Patrick Del Bello <pdelbell>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: CLOSED DUPLICATE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: acaringi, allarkin, aquini, bhu, chwhite, cye, cyin, dbohanno, debarbos, dvlasenk, esandeen, ezulian, hkrzesin, jarod, jdenham, jfalempe, jfaracco, jlelli, joe.lawrence, jshortt, jstancek, jwyatt, kcarcia, ldoskova, lgoncalv, lzampier, mleitner, mmilgram, mstowell, ndegraef, nmurray, ptalbert, rkeshri, rparrazo, rrobaina, rvrbovsk, rysulliv, scweaver, security-response-team, sukulkar, tglozar, tyberry, wcosta, williams, wmealing, ycote, ykopkova, zhijwang
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
An out-of-bounds memory read vulnerability was found in the Linux kernel's vmwgfx driver in vmw_event_fence_action_create. The primitive can leak 72 bytes from the kmalloc-96 cache to user space. It requires render permission to open the device, /dev/dri/renderD128. This flaw allows a local, high privileged attacker with access to /dev/dri/rendererD128, to crash the system, causing a possible data exposure.
Story Points: ---
Clone Of: Environment:
Last Closed: 2024-10-24 04:44:44 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2277159    

Description Patrick Del Bello 2024-04-25 13:46:09 UTC
OOB read bug exists in vmwgfx.ko, which is vmware linux kernel driver. The primitive can leak 72 bytes from the kmalloc-96 cache to user space.
It requires render permission to open the device, /dev/dri/renderD128

Comment 4 Rohit Keshri 2024-10-24 04:44:44 UTC

*** This bug has been marked as a duplicate of bug 2290408 ***