Bug 1437431 (CVE-2017-7346) - CVE-2017-7346 kernel: drm/vmwgfx: limit the number of mip levels in vmw_gb_surface_define_ioctl()
Summary: CVE-2017-7346 kernel: drm/vmwgfx: limit the number of mip levels in vmw_gb_su...
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2017-7346
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1437432 1437862 1437863
Blocks: 1392508
TreeView+ depends on / blocked
 
Reported: 2017-03-30 10:15 UTC by Vladis Dronov
Modified: 2019-09-29 14:08 UTC (History)
34 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
In the Linux kernel's vmw_gb_surface_define_ioctl() function, in 'drivers/gpu/drm/vmwgfx/vmwgfx_surface.c' file, a 'req->mip_levels' is a user-controlled value which is later used as a loop count limit. This allows local unprivileged user to cause a denial of service by a kernel lockup via a crafted ioctl call for a '/dev/dri/renderD*' device.
Clone Of:
Environment:
Last Closed: 2017-03-31 11:28:16 UTC


Attachments (Terms of Use)
dmesg_vmw_gb_surface_create_softlockup.txt (6.04 KB, text/plain)
2017-03-30 10:42 UTC, Vladis Dronov
no flags Details

Description Vladis Dronov 2017-03-30 10:15:31 UTC
It was found that in the Linux kernel in vmw_gb_surface_define_ioctl() function in 'drivers/gpu/drm/vmwgfx/vmwgfx_surface.c' file, a 'req->mip_levels' is a user-controlled value which is later used as a loop count limit. This allows local unprivileged user to cause a denial of service by a kernel lockup via a crafted ioctl call for a '/dev/dri/renderD*' device.

References:

http://seclists.org/oss-sec/2017/q1/696

Proposed patch:

https://lists.freedesktop.org/archives/dri-devel/2017-March/137429.html

http://marc.info/?l=linux-kernel&m=149086968410117&w=2

Upstream patch:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ee9c4e681ec4f58e42a83cb0c22a0289ade1aacf

Comment 1 Vladis Dronov 2017-03-30 10:17:10 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1437432]

Comment 3 Vladis Dronov 2017-03-30 10:41:31 UTC
Research:

Linux VMware guests have the device file /dev/dri/renderD128 (or Dxxx) which can be used to send ioctl()s to VMWare graphics driver, [vmwgfx] module. On some distributions this device is readable and writable by unprivileged users. On RHEL and Fedora this is restricted to root:video only, but console graphics user  (i.e. one used graphic login at the system console) is also granted permissions to read/write to this file.

In vmw_gb_surface_define_ioctl(), the 'req->mip_levels' parameter is 'uint32_t' and is assigned a value one can control from a userspace. Later in svga3dsurface_get_serialized_size() it is used as a loop count limit. This can lead to a kernel lockup and DoS:

> static inline u32
> svga3dsurface_get_serialized_size(SVGA3dSurfaceFormat format,
>                                   surf_size_struct base_level_size,
>                                   u32 num_mip_levels,
>                                   u32 num_layers)
> ...
>         for (mip = 0; mip < num_mip_levels; mip++) {

Comment 4 Vladis Dronov 2017-03-30 10:42:57 UTC
Created attachment 1267497 [details]
dmesg_vmw_gb_surface_create_softlockup.txt

Comment 5 Vladis Dronov 2017-03-30 10:50:11 UTC
The bug was discovered by Murray McAllister from Insomnia Security, who requested not to properly credit him or mention in an advisory. Thanks, Murray!

Comment 8 Vladis Dronov 2017-03-31 11:28:16 UTC
Statement:

This issue does not affect the Linux kernel packages as shipped with Red Hat Enterprise Linux 5 as the code where the flaw was found is not present in this product.

This issue affects the Linux kernel packages as shipped with Red Hat Enterprise Linux 6, 7 and MRG-2. This has been rated as having Low security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.


Note You need to log in before you can comment on or make changes to this bug.