Bug 1437431 - (CVE-2017-7346) CVE-2017-7346 kernel: drm/vmwgfx: limit the number of mip levels in vmw_gb_surface_define_ioctl()
Status: CLOSED WONTFIX
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: Red Hat Product Security
impact=low,public=20170330,reported=2...
: Security
Depends On: 1437432 1437862 1437863
Blocks: 1392508
Reported: 2017-03-30 06:15 EDT by Vladis Dronov
Modified: 2017-06-27 07:43 EDT (History)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
In the Linux kernel's vmw_gb_surface_define_ioctl() function, in the 'drivers/gpu/drm/vmwgfx/vmwgfx_surface.c' file, 'req->mip_levels' is a user-controlled value which is later used as a loop count limit. This allows a local unprivileged user to cause a denial of service by a kernel lockup via a crafted ioctl call for a '/dev/dri/renderD*' device.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-03-31 07:28:16 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
dmesg_vmw_gb_surface_create_softlockup.txt (6.04 KB, text/plain)
2017-03-30 06:42 EDT, Vladis Dronov
no flags

Description Vladis Dronov 2017-03-30 06:15:31 EDT
It was found that in the Linux kernel, in the vmw_gb_surface_define_ioctl() function in the 'drivers/gpu/drm/vmwgfx/vmwgfx_surface.c' file, 'req->mip_levels' is a user-controlled value which is later used as a loop count limit. This allows a local unprivileged user to cause a denial of service by a kernel lockup via a crafted ioctl call for a '/dev/dri/renderD*' device.

References:

http://seclists.org/oss-sec/2017/q1/696

Proposed patch:

https://lists.freedesktop.org/archives/dri-devel/2017-March/137429.html

http://marc.info/?l=linux-kernel&m=149086968410117&w=2

Upstream patch:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ee9c4e681ec4f58e42a83cb0c22a0289ade1aacf
Comment 1 Vladis Dronov 2017-03-30 06:17:10 EDT
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1437432]
Comment 3 Vladis Dronov 2017-03-30 06:41:31 EDT
Research:

Linux VMware guests have the device file /dev/dri/renderD128 (or Dxxx) which can be used to send ioctl()s to the VMware graphics driver, the [vmwgfx] module. On some distributions this device is readable and writable by unprivileged users. On RHEL and Fedora this is restricted to root:video only, but the console graphics user (i.e. one who used graphical login at the system console) is also granted permissions to read/write this file.

In vmw_gb_surface_define_ioctl(), the 'req->mip_levels' parameter is a 'uint32_t' and is assigned a value one can control from userspace. Later, in svga3dsurface_get_serialized_size(), it is used as a loop count limit. This can lead to a kernel lockup and DoS:

> static inline u32
> svga3dsurface_get_serialized_size(SVGA3dSurfaceFormat format,
>                                   surf_size_struct base_level_size,
>                                   u32 num_mip_levels,
>                                   u32 num_layers)
> ...
>         for (mip = 0; mip < num_mip_levels; mip++) {
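The following is an added example, not code from the bug report or from the kernel tree. It models the flaw described in Comment 3 in plain userspace C: a cut-down surface request (struct `surface_req`, constructed for this example) whose `mip_levels` field feeds the per-level size loop directly, beside the same path with the bound the upstream fix introduces. The bound value is copied from the kernel's vmwgfx UAPI constant `DRM_VMW_MAX_MIP_LEVELS` (32); the size arithmetic is a simplified stand-in for the real `svga3dsurface_get_serialized_size()` and is only meant to show why the loop count must be validated before the loop runs.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Bound taken from the kernel's vmwgfx UAPI (DRM_VMW_MAX_MIP_LEVELS == 32).
 * No surface with 32-bit dimensions can have more than 32 useful mip levels. */
#define VMW_MAX_MIP_LEVELS 32u

/* Constructed for this example: only the request fields the model needs. */
struct surface_req {
    uint32_t width;
    uint32_t height;
    uint32_t depth;
    uint32_t mip_levels;      /* user-controlled, exactly like req->mip_levels */
    uint32_t num_layers;
    uint32_t bytes_per_block; /* stands in for the format's block size */
};

/* Simplified model of svga3dsurface_get_serialized_size(): sum the bytes of
 * every mip level, halving each dimension per level with a floor of 1.
 * Like the real helper it trusts its caller to pass a sane level count. */
static uint64_t model_serialized_size(const struct surface_req *req)
{
    uint64_t total = 0;
    uint32_t w = req->width, h = req->height, d = req->depth;

    for (uint32_t mip = 0; mip < req->mip_levels; mip++) {
        total += (uint64_t)w * h * d * req->bytes_per_block;
        w = w > 1 ? w / 2 : 1;
        h = h > 1 ? h / 2 : 1;
        d = d > 1 ? d / 2 : 1;
    }
    return total * req->num_layers;
}

/* Pre-fix shape: the user value reaches the loop unchanged. A request with
 * mip_levels == UINT32_MAX spins ~4 billion iterations; in kernel context
 * that is the soft lockup recorded in the attached dmesg. */
static int define_surface_unchecked(const struct surface_req *req, uint64_t *size)
{
    *size = model_serialized_size(req);
    return 0;
}

/* Post-fix shape: reject the request before the untrusted count is used as
 * a loop bound, mirroring the upstream check against DRM_VMW_MAX_MIP_LEVELS. */
static int define_surface_checked(const struct surface_req *req, uint64_t *size)
{
    if (req->mip_levels > VMW_MAX_MIP_LEVELS)
        return -EINVAL;
    *size = model_serialized_size(req);
    return 0;
}

/* A legitimate 256x256 RGBA-style surface with a full 9-level mip chain. */
uint64_t demo_valid_request_size(void)
{
    struct surface_req req = { 256, 256, 1, 9, 1, 4 };
    uint64_t size = 0;

    if (define_surface_checked(&req, &size) != 0)
        return 0;
    return size; /* 349524: 262144 + 65536 + ... + 4 */
}

/* The same surface with a hostile level count; the checked path must refuse
 * it without entering the loop. */
int demo_hostile_request_rejected(void)
{
    struct surface_req req = { 256, 256, 1, UINT32_MAX, 1, 4 };
    uint64_t size = 0;

    return define_surface_checked(&req, &size);
}

int main(void)
{
    printf("valid request serialized size: %llu bytes\n",
           (unsigned long long)demo_valid_request_size());
    printf("hostile request result: %d (expect %d)\n",
           demo_hostile_request_rejected(), -EINVAL);
    /* define_surface_unchecked() is deliberately not called with the hostile
     * request here; doing so reproduces the unbounded loop in userspace. */
    (void)define_surface_unchecked;
    return 0;
}
```

The detection-side takeaway is the same one the upstream patch encodes: any ioctl field that becomes a loop bound needs a cap derived from what the hardware can actually use, checked at the ioctl boundary rather than inside the shared helper.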
Comment 4 Vladis Dronov 2017-03-30 06:42 EDT
Created attachment 1267497 [details]
dmesg_vmw_gb_surface_create_softlockup.txt
Comment 5 Vladis Dronov 2017-03-30 06:50:11 EDT
The bug was discovered by Murray McAllister from Insomnia Security, who requested not to be properly credited or mentioned in an advisory. Thanks, Murray!
Comment 8 Vladis Dronov 2017-03-31 07:28:16 EDT
Statement:

This issue does not affect the Linux kernel packages as shipped with Red Hat Enterprise Linux 5 as the code where the flaw was found is not present in this product.

This issue affects the Linux kernel packages as shipped with Red Hat Enterprise Linux 6, 7 and MRG-2. This has been rated as having Low security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.
