2074 2022-09-06 14:23:15 +0000 There is an UAF vulnerability in vmwgfx driver 2023-01-11 13:47:40 +0000 1 1 2 Anolis OS Anolis OS 8 kernel - anck-5.10 8.6 All Linux NEW P3-Medium S3-normal --- 1 ezrakiez xiangzao shile.zhang steve.beattie xiangzao xlpang qingming.su oldest_to_newest 7214 0 389 ezrakiez 2022-09-06 14:23:15 +0000 Created attachment 389 poc Description of problem: There is an UAF vulnerability in vmwgfx driver Linux VMware guests have the device file /dev/dri/renderD128 (or Dxxx) which can be used to send ioctl()s to VMWare graphics driver, [vmwgfx] module. On some distributions this device is readable and writable by unprivileged users Vulnerability location: Drivers/gpu/vmxgfx/vmxgfx_execbuf.c vmw_cmd_res_check Vulnerable code: res = vmw_user_resource_noref_lookup_handle (dev_priv, sw_context->fp->tfile, *id_loc, converter); The returned resource object does not increment the reference count This can cause race condition problems, which can cause UAF problems when the surface object is freed Version-Release number of selected component (if applicable): 5.13.0-53 How reproducible: In the linux environment of vmware, compile the poc file and execute Steps to Reproduce: gcc poc.c -o poc ./poc Actual results: DOS Expected results: DOS =*=*=*=*=*=*=*=*= Credit =*=*=*=*=*=*=*=*= ziming zhang(@ezrak1e) from Ant Group Light-Year Security Lab Best Regards, ziming 7934 1 shile.zhang 2022-09-27 09:58:57 +0000 The content of attachment 389 has been deleted 12350 2 steve.beattie 2023-01-11 13:47:40 +0000 Hi, this issue was assigned CVE-2022-38457 (I'm not the assigner, just a messenger). Has there been any progress on addressing this issue and/or has this issue been communicated to the upstream kernel developers? Thanks! 389 2022-09-06 14:23:15 +0000 2022-09-06 14:23:15 +0000 poc poc.c text/plain 0 ezrakiez