oss-sec mailing list archives
Re: Linux kernel: drm/vmwgfx: 4 byte read of uninitialised kernel memory in vmw_gb_surface_define_ioctl()
From: Murray McAllister <murray.mcallister () insomniasec com>
Date: Wed, 14 Jun 2017 09:24:26 +1200
On 13/06/17 15:39, Murray McAllister wrote:
The vmw_gb_surface_define_ioctl() function (accessible via DRM_IOCTL_VMW_GB_SURFACE_CREATE) defines a backup_handle variable but does not give it an initial value. If you attempt to create a GB surface, and provide a previously-allocated DMA buffer to be used as a backup buffer, the backup_handle variable does not get written to and is then later returned to user-space. Upstream commit: https://github.com/torvalds/linux/commit/07678eca2cf9c9a18584e546c2b2a0d0c9a3150c CVE: I'll request one now and reply once I have one.
MITRE assigned CVE-2017-9605. Thanks
Current thread:
- Linux kernel: drm/vmwgfx: 4 byte read of uninitialised kernel memory in vmw_gb_surface_define_ioctl() Murray McAllister (Jun 13)
- Re: Linux kernel: drm/vmwgfx: 4 byte read of uninitialised kernel memory in vmw_gb_surface_define_ioctl() Murray McAllister (Jun 13)