Bug 2070 - There is an out-of-bounds write vulnerability in vmwgfx driver
Summary: There is an out-of-bounds write vulnerability in vmwgfx driver
Status: NEW
Alias: None
Product: Anolis OS 8
Classification: Anolis OS
Component: kernel - anck-5.10
Version: 8.6
Hardware: All Linux
Importance: P3-Medium S3-normal
Target Milestone: ---
Assignee: xiangzao
QA Contact: shuming
Reported: 2022-09-06 14:10 UTC by Ezrak1e
Modified: 2022-12-05 10:05 UTC (History)



Attachments
poc (3.10 KB, text/plain)
2022-09-06 14:10 UTC, Ezrak1e

Description Ezrak1e 2022-09-06 14:10:47 UTC
Created attachment 385
poc

Description of problem:

There is an out-of-bounds write vulnerability in the vmwgfx driver.
Linux VMware guests have the device file /dev/dri/renderD128 (or Dxxx), which can be used to send ioctl()s to the VMware graphics driver, the [vmwgfx] module. On some distributions this device is readable and writable by unprivileged users.
Vulnerability location:
drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
vmw_kms_cursor_snoop

Vulnerable code:
memcpy(srf->snooper.image + i * 64,
       virtual + i * cmd->dma.guest.pitch,
       box->w * 4);
The length of the copy is not checked, which can cause out-of-bounds writes.

Version-Release number of selected component (if applicable):
5.13.0-53


How reproducible:
In a Linux guest running under VMware, compile the PoC file and execute it.
Steps to Reproduce:
gcc poc.c -o poc
./poc

Actual results:
DOS

Expected results:
DOS

=*=*=*=*=*=*=*=*=  Credit  =*=*=*=*=*=*=*=*=
ziming zhang (@ezrak1e) from Ant Group Light-Year Security Lab

Best Regards,
ziming
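A hardened version of the quoted row-copy loop, added here as an example (it is not from the bug report and not the vmwgfx driver's own fix): every value that drives the memcpy() length or offsets is guest-controlled, so the box is validated against the fixed image size and the last byte of the last row is checked against both buffers before anything is written. The 64*64*4-byte image size, the 64-byte row stride taken from the quoted `i * 64`, the pitch of 16 and the names `snoop_cursor_rows` and `demo_snoop` are assumptions of this model.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed model (not from the report): a 64x64, 4-byte-per-pixel snooper
 * image with rows 64 bytes apart, as the `i * 64` in the quoted memcpy(). */
#define CURSOR_DIM  64
#define IMAGE_BYTES (CURSOR_DIM * CURSOR_DIM * 4)
#define ROW_STRIDE  64

struct snoop_box { uint32_t w, h; };   /* guest-controlled box, fields used */

/* Hardened row copy: w, h and pitch are guest-controlled and decide the
 * memcpy() length and offsets, so reject boxes the image cannot hold and
 * verify the last byte of the last row lies inside both buffers before
 * any memcpy(). Returns 0 on success, -1 if rejected (nothing written). */
int snoop_cursor_rows(uint8_t *image, size_t image_len,
                      const uint8_t *guest, size_t guest_len,
                      uint32_t pitch, const struct snoop_box *box)
{
    if (box->w == 0 || box->h == 0 ||
        box->w > CURSOR_DIM || box->h > CURSOR_DIM)
        return -1;
    size_t row_bytes = (size_t)box->w * 4;
    size_t last_row  = (size_t)box->h - 1;
    if (last_row * ROW_STRIDE + row_bytes > image_len)     /* destination */
        return -1;
    if (last_row * (size_t)pitch + row_bytes > guest_len)  /* source */
        return -1;
    for (uint32_t i = 0; i < box->h; i++)
        memcpy(image + (size_t)i * ROW_STRIDE,
               guest + (size_t)i * pitch, row_bytes);
    return 0;
}

/* Constructed sample: guest buffer filled with its own byte offsets, snooped
 * at pitch 16 into a zeroed image. Returns the first byte of image row 1
 * (expected guest[16] == 16) or -1 if the box was rejected. */
int demo_snoop(uint32_t w, uint32_t h)
{
    static uint8_t image[IMAGE_BYTES];
    uint8_t guest[4096];
    struct snoop_box box = { w, h };
    memset(image, 0, sizeof image);
    for (size_t i = 0; i < sizeof guest; i++)
        guest[i] = (uint8_t)i;
    if (snoop_cursor_rows(image, sizeof image, guest, sizeof guest, 16, &box))
        return -1;
    return image[ROW_STRIDE];
}
```

With the checks in place a box wider than 64 pixels is refused before the first memcpy(), whereas the quoted loop would keep copying `box->w * 4` bytes per row past the end of the snooper image.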