Created attachment 387 [details] poc Description of problem: There is an int overflow vulnerability in vmwgfx driver Linux VMware guests have the device file /dev/dri/renderD128 (or Dxxx) which can be used to send ioctl()s to VMWare graphics driver, [vmwgfx] module. On some distributions this device is readable and writable by unprivileged users Vulnerability location: Drivers/gpu/vmxgfx/vmxgfx_execbuf.c vmw_cmd_dx_set_shader_res Vulnerable code: vmw_view_bindings_add(sw_context, vmw_view_sr, vmw_ctx_binding_sr, cmd->body.type - SVGA3D_SHADERTYPE_MIN, (void *) &cmd[1], num_sr_view, cmd->body.startView); SVGA3D_SHADERTYPE_MIN=1 When cmd->body.type=0, an integer overflow will occur, causing kernel crash Version-Release number of selected component (if applicable): 5.13.0-53 How reproducible: In the linux environment of vmware, compile the poc file and execute Steps to Reproduce: gcc poc.c -o poc ./poc Actual results: DOS Expected results: DOS =*=*=*=*=*=*=*=*= Credit =*=*=*=*=*=*=*=*= ziming zhang(@ezrak1e) from Ant Group Light-Year Security Lab Best Regards, ziming
The content of attachment 387 [details] has been deleted
Hi, this issue was assigned CVE-2022-36402 (I'm not the assigner, just a messenger). Has there been any progress on addressing this issue and/or has this issue been communicated to the upstream kernel developers? Thanks!