Vigil@nce - Linux kernel: denial of service via the module drm/vmwgfx
May 2017 by Vigil@nce
This bulletin was written by Vigil@nce : https://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
A local attacker can use an ioctl system call to the video device
driver vmwgfx of the Linux kernel, in order to make the kernel
panic.
Impacted products: Debian, BIG-IP Hardware, TMOS, Fedora, Linux,
openSUSE Leap, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 2/4.
Creation date: 27/03/2017.
DESCRIPTION OF THE VULNERABILITY
The Linux kernel includes a video driver vmwgfx for guests systems
running under VMware ESX.
This driver defines a device "/dev/dri/renderD128" which accepts
ioctl system calls. However, the routine vmw_surface_define_ioctl()
that implements ioctl calls does not rightly check its argument
"num_sizes". A null value leads to a bad memory allocation, then
to an invalid pointer dereference and a fatal exception. See also
VIGILANCE-VUL-22282 et VIGILANCE-VUL-22298.
A local attacker can therefore use an ioctl system call to the
video device driver vmwgfx of the Linux kernel, in order to make
the kernel panic.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
https://vigilance.fr/vulnerability/Linux-kernel-denial-of-service-via-the-module-drm-vmwgfx-22260