Bug 1435719 (CVE-2017-7261) - CVE-2017-7261 kernel: drm/vmwgfx: check that number of mip levels is above zero
Summary: CVE-2017-7261 kernel: drm/vmwgfx: check that number of mip levels is above zero
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2017-7261
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1435740 1437874
Blocks: 1392508
TreeView+ depends on / blocked
 
Reported: 2017-03-24 15:18 UTC by Vladis Dronov
Modified: 2022-10-10 12:58 UTC (History)
35 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
It was found that in the Linux kernel, in vmw_surface_define_ioctl() function in 'drivers/gpu/drm/vmwgfx/vmwgfx_surface.c' file, a 'num_sizes' parameter is assigned a user-controlled value which is not checked if it is zero. This is used in a call to kmalloc() and later leads to dereferencing ZERO_SIZE_PTR, which in turn leads to a GPF and possibly to a kernel panic.
Clone Of:
Environment:
Last Closed: 2017-03-31 11:55:16 UTC
Embargoed:


Attachments (Terms of Use)

Description Vladis Dronov 2017-03-24 15:18:38 UTC
In was found that in the Linux kernel in vmw_surface_define_ioctl() function in 'drivers/gpu/drm/vmwgfx/vmwgfx_surface.c' file, a 'num_sizes' parameter is assigned a user-controlled value which is not checked if it is zero. This is used in a call to kmalloc() and later leads to dereferencing ZERO_SIZE_PTR, which in turn leads to a GPF and possibly to a kernel panic.

References:

http://seclists.org/oss-sec/2017/q1/684

Proposed patch:

https://lists.freedesktop.org/archives/dri-devel/2017-March/136814.html

http://marc.info/?t=149037004200005&r=1&w=2

Comment 1 Vladis Dronov 2017-03-24 15:53:14 UTC
Research:

Linux VMware guests have the device file /dev/dri/renderD128 (or Dxxx) which can be used to send ioctl()s to VMWare graphics driver, [vmwgfx] module. On some distributions this device is readable and writable by unprivileged users. On RHEL and Fedora this is restricted to root:video only, but console graphics user  (i.e. one used graphic login at the system console) is also granted permissions to read/write to this file.

In vmw_surface_define_ioctl(), a 'num_sizes' parameter is assigned a value
one can control through 'mip_levels' array provided from a userspace. This gets checked to ensure it is not too big, but it is not checked if it is zero:

>        num_sizes = 0;
>        for (i = 0; i < DRM_VMW_MAX_SURFACE_FACES; ++i)
>                num_sizes += req->mip_levels[i];
> 
>        if (num_sizes > DRM_VMW_MAX_SURFACE_FACES *
>            DRM_VMW_MAX_MIP_LEVELS)
>                return -EINVAL;

This is later used in a call to memdup_user() and kmalloc_array():

>        srf->num_sizes = num_sizes;
>        srf->sizes = memdup_user((struct drm_vmw_size __user *)(unsigned long)
>                                 req->size_addr,
>                                 sizeof(*srf->sizes) * srf->num_sizes);
>        srf->offsets = kmalloc_array(srf->num_sizes,
>                                     sizeof(*srf->offsets),
>                                     GFP_KERNEL);

which won't return NULL, but does return ZERO_SIZE_PTR, refer to https://lwn.net/Articles/236920/ for background information on this:

> #define ZERO_SIZE_PTR ((void *)16)

Later ZERO_SIZE_PTR is dereferenced which leads to a GPF and possibly to a kernel panic:

>        srf->base_size = *srf->sizes;

Comment 2 Vladis Dronov 2017-03-24 16:03:03 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1435740]

Comment 4 Vladis Dronov 2017-03-24 16:12:12 UTC
Statement:

This issue does not affect the Linux kernel packages as shipped with Red Hat Enterprise Linux 5 as the code with the flaw is not present in this product.

This issue affects the Linux kernel packages as shipped with Red Hat Enterprise Linux 6, 7 and MRG-2. This has been rated as having Low security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.

Comment 6 Vladis Dronov 2017-03-30 10:50:37 UTC
The bug was discovered by Murray McAllister from Insomnia Security, who requested not to properly credit him or mention in an advisory. Thanks, Murray!

Comment 8 Fedora Update System 2017-04-01 17:33:32 UTC
kernel-4.11.0-0.rc4.git0.1.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.