Description of problem:
There is an out-of-bounds write vulnerability in the vmwgfx driver.

Linux VMware guests have the device file /dev/dri/renderD128 (or Dxxx) which can be used to send ioctl()s to the VMware graphics driver, [vmwgfx] module. On some distributions this device is readable and writable by unprivileged users.

Vulnerability location:
Drivers/gpu/vmxgfx/vmxgfx_kms.c vmw_kms_cursor_snoo

Vulnerable code:
memcpy(srf->snooper.image + i * 64, virtual + i * cmd->dma.guest.pitch, box->w * 4);

The length of the copy is not checked, which can cause out-of-bounds writes.

Version-Release number of selected component (if applicable):
5.13.0-53

How reproducible:
In the Linux environment of VMware, compile the poc file and execute it.

Steps to Reproduce:
gcc poc.c -o poc
./poc

Actual results:
DOS

Expected results:
DOS

=*=*=*=*=*=*=*=*= Credit =*=*=*=*=*=*=*=*=
ziming zhang(@ezrak1e) from Ant Group Light-Year Security Lab

Best Regards,
ziming
Created attachment 386: poc
The content of attachment 386 has been deleted
Hi, this issue was assigned CVE-2022-36280 (I'm not the assigner, just a messenger). It appears to have been addressed in upstream commit 4cf949c7fafe ("drm/vmwgfx: Validate the box size for the snooped cursor") (v6.2-rc1). ziming, can you confirm this is the case? Thanks!
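The following is an added user-space model of the copy quoted in the report and of the kind of check the fix's title ("Validate the box size for the snooped cursor") describes. It is not the reporter's PoC (that attachment was deleted) and not the driver's code: the snooper image is modelled as a flat 64x64x4-byte buffer followed by a guard region so that an overflow lands in inspectable memory, the box carries only the w and h fields the copy uses, the guest buffer is constructed and filled with 0xAA, and the extra pitch check in the hardened form is this example's own addition rather than a claim about the upstream patch.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* vmwgfx snoops a 64x64 ARGB cursor: 64 rows of 64 pixels x 4 bytes. */
#define CURSOR_DIM  64u
#define ROW_BYTES   (CURSOR_DIM * 4u)
#define IMAGE_BYTES (CURSOR_DIM * ROW_BYTES)
/* Guard region behind the image so an overflow lands in memory we can
 * inspect instead of trampling unrelated data (model only, not in the driver). */
#define GUARD_BYTES 4096u

/* Guest-controlled copy box; only the fields the copy uses are modelled.
 * Names follow the report's box->w / box->h. */
struct copy_box { uint32_t w, h; };

/* Model of the snooper's image buffer plus the guard region behind it. */
struct snooper { uint8_t backing[IMAGE_BYTES + GUARD_BYTES]; };

/* Constructed guest memory: stands in for whatever sits behind dma.guest.ptr. */
static uint8_t guest_mem[64 * 1024];

/* Vulnerable form: both the per-row length box->w * 4 and the row count box->h
 * come straight from the guest. This is the memcpy quoted in the report with
 * the enclosing loop over i written out. */
static void snoop_unchecked(struct snooper *s, const uint8_t *guest,
                            uint32_t pitch, const struct copy_box *box)
{
    for (uint32_t i = 0; i < box->h; i++)
        memcpy(s->backing + i * ROW_BYTES, guest + i * pitch, box->w * 4);
}

/* Hardened form: refuse any box that does not fit the 64x64 image. The pitch
 * check (so every row read stays inside the guest-supplied rows) is this
 * model's addition, not a statement about the upstream fix. */
static bool snoop_checked(struct snooper *s, const uint8_t *guest,
                          uint32_t pitch, const struct copy_box *box)
{
    if (box->w > CURSOR_DIM || box->h > CURSOR_DIM)
        return false;
    if (pitch < box->w * 4)
        return false;
    for (uint32_t i = 0; i < box->h; i++)
        memcpy(s->backing + i * ROW_BYTES, guest + i * pitch, box->w * 4);
    return true;
}

/* Run the vulnerable copy and report how many guard bytes it dirtied
 * (0 means the image bounds held). Returns SIZE_MAX when the request would
 * leave even the guard region, so the model itself never writes out of bounds. */
static size_t run_unchecked(uint32_t w, uint32_t h, uint32_t pitch)
{
    static struct snooper s;
    struct copy_box box = { w, h };
    size_t end  = (h ? (size_t)(h - 1) * ROW_BYTES : 0) + (size_t)w * 4;
    size_t need = (size_t)h * pitch;

    if (end > sizeof s.backing || need > sizeof guest_mem || pitch < w * 4)
        return SIZE_MAX;

    memset(&s, 0, sizeof s);
    memset(guest_mem, 0xAA, need);
    snoop_unchecked(&s, guest_mem, pitch, &box);

    size_t dirtied = 0;
    for (size_t i = IMAGE_BYTES; i < sizeof s.backing; i++)
        dirtied += (s.backing[i] != 0);
    return dirtied;
}

/* Run the hardened copy; true means the box was accepted and copied. */
static bool run_checked(uint32_t w, uint32_t h, uint32_t pitch)
{
    static struct snooper s;
    struct copy_box box = { w, h };
    memset(&s, 0, sizeof s);
    memset(guest_mem, 0xAA, sizeof guest_mem);
    return snoop_checked(&s, guest_mem, pitch, &box);
}

int main(void)
{
    printf("unchecked 64x64 pitch 256: guard bytes dirtied = %zu\n", run_unchecked(64, 64, 256));
    printf("unchecked 64x65 pitch 256: guard bytes dirtied = %zu\n", run_unchecked(64, 65, 256));
    printf("unchecked 96x64 pitch 384: guard bytes dirtied = %zu\n", run_unchecked(96, 64, 384));
    printf("checked   64x65 accepted: %s\n", run_checked(64, 65, 256) ? "yes" : "no");
    printf("checked   96x64 accepted: %s\n", run_checked(96, 64, 384) ? "yes" : "no");
    return 0;
}
```

A 64x64 box stays inside the image, one extra row (h = 65) writes a full 256 bytes past its end, and an over-wide row (w = 96) with h = 64 spills 128 bytes from the last row; the hardened form rejects both oversize boxes before any copy happens, which is the property the fix needs to hold for a guest-controlled box.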