Bug 2075 - There is a UAF vulnerability in vmwgfx driver
Summary: There is a UAF vulnerability in vmwgfx driver
Status: RESOLVED DUPLICATE of bug 5510
Alias: None
Product: Anolis OS 8
Classification: Anolis OS
Component: kernel - anck-5.10
Version: 8.6
Hardware: All Linux
Importance: P3-Medium S3-normal
Target Milestone: ---
Assignee: xiangzao
QA Contact: shuming
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
Reported: 2022-09-06 14:26 UTC by Ezrak1e
Modified: 2024-01-15 17:59 UTC

See Also:


Attachments
poc (deleted)
2022-09-06 14:26 UTC, Ezrak1e

Description Ezrak1e 2022-09-06 14:26:16 UTC
Created attachment 390 [details]
poc

There is a UAF vulnerability in vmwgfx driver.
Linux VMware guests have the device file /dev/dri/renderD128 (or Dxxx), which can be used to send ioctl()s to the VMware graphics driver (the [vmwgfx] module). On some distributions this device is readable and writable by unprivileged users.
Vulnerability location:
drivers/gpu/vmwgfx/vmwgfx_execbuf.c
vmw_execbuf_tie_context


Vulnerable code:
res = vmw_user_resource_noref_lookup_handle
        (dev_priv, sw_context->fp->tfile, handle,
         user_context_converter);

The returned context object does not have its reference count incremented.
This can cause race condition problems, which can cause UAF problems when the context object is freed.
Version-Release number of selected component (if applicable):
5.13.0-53


How reproducible:
In a Linux guest on VMware, compile the poc file and execute it.
Steps to Reproduce:
gcc poc.c -o poc
./poc

Actual results:
DOS

Expected results:
DOS

=*=*=*=*=*=*=*=*=  Credit  =*=*=*=*=*=*=*=*=
ziming zhang(@ezrak1e) from Ant Group Light-Year Security Lab

Best Regards,
ziming
Comment 1 Shiloong admin 2022-09-27 09:59:30 UTC
The content of attachment 390 [details] has been deleted
Comment 2 sbeattie 2023-01-11 13:52:01 UTC
Hi, this issue was assigned CVE-2022-40133 (I'm not the assigner, just a messenger). Has there been any progress on addressing this issue and/or has this issue been communicated to the upstream kernel developers?

Thanks!
Comment 3 谭钦云 alibaba_cloud_group 2024-01-15 17:59:17 UTC
This bug is CVE-2022-40133, duplicated.

*** This bug has been marked as a duplicate of bug 5510 ***