Created attachment 389 [details] poc Description of problem: There is an UAF vulnerability in vmwgfx driver Linux VMware guests have the device file /dev/dri/renderD128 (or Dxxx) which can be used to send ioctl()s to VMWare graphics driver, [vmwgfx] module. On some distributions this device is readable and writable by unprivileged users Vulnerability location: Drivers/gpu/vmxgfx/vmxgfx_execbuf.c vmw_cmd_res_check Vulnerable code: res = vmw_user_resource_noref_lookup_handle (dev_priv, sw_context->fp->tfile, *id_loc, converter); The returned resource object does not increment the reference count This can cause race condition problems, which can cause UAF problems when the surface object is freed Version-Release number of selected component (if applicable): 5.13.0-53 How reproducible: In the linux environment of vmware, compile the poc file and execute Steps to Reproduce: gcc poc.c -o poc ./poc Actual results: DOS Expected results: DOS =*=*=*=*=*=*=*=*= Credit =*=*=*=*=*=*=*=*= ziming zhang(@ezrak1e) from Ant Group Light-Year Security Lab Best Regards, ziming
The content of attachment 389 [details] has been deleted
Hi, this issue was assigned CVE-2022-38457 (I'm not the assigner, just a messenger). Has there been any progress on addressing this issue and/or has this issue been communicated to the upstream kernel developers? Thanks!