Red Hat Bugzilla – Bug 1435719
CVE-2017-7261 kernel: drm/vmwgfx: check that number of mip levels is above zero
Last modified: 2017-04-01 13:33:32 EDT
In was found that in the Linux kernel in vmw_surface_define_ioctl() function in 'drivers/gpu/drm/vmwgfx/vmwgfx_surface.c' file, a 'num_sizes' parameter is assigned a user-controlled value which is not checked if it is zero. This is used in a call to kmalloc() and later leads to dereferencing ZERO_SIZE_PTR, which in turn leads to a GPF and possibly to a kernel panic. References: http://seclists.org/oss-sec/2017/q1/684 Proposed patch: https://lists.freedesktop.org/archives/dri-devel/2017-March/136814.html http://marc.info/?t=149037004200005&r=1&w=2
Research: Linux VMware guests have the device file /dev/dri/renderD128 (or Dxxx) which can be used to send ioctl()s to VMWare graphics driver, [vmwgfx] module. On some distributions this device is readable and writable by unprivileged users. On RHEL and Fedora this is restricted to root:video only, but console graphics user (i.e. one used graphic login at the system console) is also granted permissions to read/write to this file. In vmw_surface_define_ioctl(), a 'num_sizes' parameter is assigned a value one can control through 'mip_levels' array provided from a userspace. This gets checked to ensure it is not too big, but it is not checked if it is zero: > num_sizes = 0; > for (i = 0; i < DRM_VMW_MAX_SURFACE_FACES; ++i) > num_sizes += req->mip_levels[i]; > > if (num_sizes > DRM_VMW_MAX_SURFACE_FACES * > DRM_VMW_MAX_MIP_LEVELS) > return -EINVAL; This is later used in a call to memdup_user() and kmalloc_array(): > srf->num_sizes = num_sizes; > srf->sizes = memdup_user((struct drm_vmw_size __user *)(unsigned long) > req->size_addr, > sizeof(*srf->sizes) * srf->num_sizes); > srf->offsets = kmalloc_array(srf->num_sizes, > sizeof(*srf->offsets), > GFP_KERNEL); which won't return NULL, but does return ZERO_SIZE_PTR, refer to https://lwn.net/Articles/236920/ for background information on this: > #define ZERO_SIZE_PTR ((void *)16) Later ZERO_SIZE_PTR is dereferenced which leads to a GPF and possibly to a kernel panic: > srf->base_size = *srf->sizes;
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1435740]
Statement: This issue does not affect the Linux kernel packages as shipped with Red Hat Enterprise Linux 5 as the code with the flaw is not present in this product. This issue affects the Linux kernel packages as shipped with Red Hat Enterprise Linux 6, 7 and MRG-2. This has been rated as having Low security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.
The bug was discovered by Murray McAllister from Insomnia Security, who requested not to properly credit him or mention in an advisory. Thanks, Murray!
kernel-4.11.0-0.rc4.git0.1.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.