2133450 – (CVE-2022-36280) CVE-2022-36280 kernel: vmwgfx: out-of-bounds write in vmw_kms_cursor_snoop

Bug 2133450 (CVE-2022-36280) - CVE-2022-36280 kernel: vmwgfx: out-of-bounds write in vmw_kms_cursor_snoop

Summary: CVE-2022-36280 kernel: vmwgfx: out-of-bounds write in vmw_kms_cursor_snoop

Keywords:
Status:	NEW
Alias:	CVE-2022-36280
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Nobody
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2115902 2125474 2133471 2133472 2133473 2133474 2133475
Blocks:	2126143
TreeView+	depends on / blocked

Reported:	2022-10-10 13:44 UTC by Mauro Matteo Cascella
Modified:	2023-09-19 14:13 UTC (History)
CC List:	51 users (show)
Fixed In Version:	kernel 6.2-rc1
Doc Type:	If docs needed, set a value
Doc Text:	An out-of-bounds memory write vulnerability was found in the Linux kernel's vmwgfx driver in vmw_kms_cursor_snoop due to a missing check of a memcpy length. This flaw allows a local, unprivileged attacker with access to either the /dev/dri/card0 or /dev/dri/rendererD128 and able to issue an ioctl() on the resulting file descriptor, to crash the system, causing a denial of service.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description Mauro Matteo Cascella 2022-10-10 13:44:14 UTC

An out-of-bounds memory write vulnerability was found in the Linux kernel's vmwgfx driver in vmw_kms_cursor_snoop, due to missing check of a memcpy length. Systems making use of the vmwgfx driver are potentially affected by this flaw. Exploiting the bug would require an attacker to have access to either /dev/dri/card0 or /dev/dri/rendererD128 and be able to issue an ioctl() on the resulting file descriptor. Under certain circumstances a local unprivileged user could use this flaw to crash the system, causing a denial of service.

Reference:
https://bugzilla.openanolis.cn/show_bug.cgi?id=2071

Comment 1 Mauro Matteo Cascella 2022-10-10 15:16:37 UTC

Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2133472]

Comment 11 Justin M. Forbes 2023-04-06 16:23:08 UTC

This was fixed for Fedora with the 6.0.18 stable kernel update.

Comment 13 Mauro Matteo Cascella 2023-06-15 18:00:06 UTC

Upstream fix:
https://github.com/torvalds/linux/commit/4cf949c7fafe21e085a4ee386bb2dade9067316e

Comment 14 Mauro Matteo Cascella 2023-06-15 18:02:01 UTC

This issue was fixed upstream in version 6.2-rc1. The kernel packages as shipped in the following Red Hat products were previously updated to a version that contains the fix via the following errata:

kernel in Red Hat Enterprise Linux 9
https://access.redhat.com/errata/RHSA-2023:2458

kernel-rt in Red Hat Enterprise Linux 9
https://access.redhat.com/errata/RHSA-2023:2148

Note You need to log in before you can comment on or make changes to this bug.

acaringi
adscvr
airlied
alciregi
bhu
brdeoliv
chwhite
crwood
ddepaula
debarbos
dvlasenk
ezulian
hdegoede
hkrzesin
hpa
jarod
jarodwilson
jburrell
jfaracco
jferlan
jforbes
jglisse
jlelli
joe.lawrence
jonathan
josef
jshortt
jstancek
jwboyer
jwyatt
kcarcia
kernel-maint
kernel-mgr
kraxel
lgoncalv
linville
lleshchi
lzampier
masami256
mchehab
ndegraef
nmurray
ptalbert
qzhao
rvrbovsk
scweaver
steved
tyberry
vkumar
walters
williams