CVE-2022-22942: Linux kernel: wrong file descriptor handling in the vmwgfx driver

Related Vulnerabilities: CVE-2022-22942  
                							


oss-sec
mailing list archives

From: Mathias Krause <minipli () grsecurity net>

Date: Thu, 27 Jan 2022 21:00:19 +0100

Hi!

A vulnerability was found in the vmwgfx driver that allows unprivileged
users to gain access to files opened by other processes on the system
through a dangling 'file' pointer.

Exploiting this vulnerability requires an attacker to have access to
either /dev/dri/card0 or /dev/dri/rendererD128 and be able to issue an
ioctl() on the resulting file descriptor.

Linux kernels making use of the vmwgfx driver and containing commit
c906965dee22 ("drm/vmwgfx: Add export fence to file descriptor support")
are affected, which is v4.14+.

If the vmwgfx driver isn't loaded, your system isn't affected.

Systems using the VMware graphics card emulated by QEMU (-vga vmware)
aren't affected either, as these lack a required feature that makes the
driver fail to load.

Attached are patches as have been sent to linux-distros on Jan. 21st.
They're against mainline Linux (0001-*.patch) or backports for all
affected kernels (backport-*.patch) respectively. They should soon be
merged into the corresponding Linux kernel trees.

CVE-2022-22942 was allocated for this issue.

Thanks,
Mathias

Attachment: backport-5.16-drm-vmwgfx-Fix-stale-file-descriptors-on-failed-user.patch
Attachment: backport-4.19-drm-vmwgfx-Fix-stale-file-descriptors-on-failed-user.patch
Attachment: 0001-drm-vmwgfx-Fix-stale-file-descriptors-on-failed-user.patch
Attachment: OpenPGP_signature (OpenPGP digital signature)
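
A host triage check for the conditions stated in the message above (kernel v4.14+, vmwgfx in use, reachable /dev/dri nodes), added here as an example and not part of the original post or the kernel patches. The function names are hypothetical, and it assumes that a DRM node whose sysfs `device/driver` link points at vmwgfx means the driver is loaded and in use; it cannot tell whether the fix has been applied.

```shell
#!/bin/sh
# Added triage sketch, not from the advisory. It tests only the conditions
# the advisory states and cannot detect whether a fixed kernel is running.

# kernel_in_range RELEASE: 0 if RELEASE is v4.14 or later, 1 if older,
# 2 if the release string cannot be parsed.
kernel_in_range() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%[!0-9]*}              # "14.0-rc1" -> "14"
    case "$major" in ''|*[!0-9]*) return 2 ;; esac
    [ -n "$minor" ] || return 2
    [ "$major" -gt 4 ] && return 0
    [ "$major" -eq 4 ] && [ "$minor" -ge 14 ]
}

# vmwgfx_nodes [SYSFS_ROOT]: print the /dev/dri path of every DRM node whose
# device is bound to the vmwgfx driver (assumption: sysfs binding == in use).
vmwgfx_nodes() {
    root=${1:-/sys}
    for link in "$root"/class/drm/*/device/driver; do
        [ -L "$link" ] || continue      # connectors have no driver link
        drv=$(basename "$(readlink "$link")")
        [ "$drv" = vmwgfx ] || continue
        node=${link%/device/driver}
        echo "/dev/dri/${node##*/}"
    done
}

# assess [RELEASE] [SYSFS_ROOT]: print a verdict; defaults inspect this host.
assess() {
    release=${1:-$(uname -r)}
    rc=0; kernel_in_range "$release" || rc=$?
    nodes=$(vmwgfx_nodes "${2:-/sys}")
    if [ "$rc" -eq 2 ]; then
        echo "unknown: cannot parse kernel release '$release'"
    elif [ "$rc" -eq 1 ]; then
        echo "not in range: kernel $release is older than v4.14"
    elif [ -z "$nodes" ]; then
        echo "not exposed: no DRM node is bound to vmwgfx"
    else
        echo "in range: kernel $release with vmwgfx, confirm the fix is applied"
        # Owner, group and mode show which users can open the nodes.
        for n in $nodes; do
            if [ -e "$n" ]; then ls -l "$n"; fi
        done
    fi
}
if [ "${1:-}" = "--check" ]; then assess; fi
```

Run it with `--check` to inspect the local host; the `ls -l` lines show which accounts can open the device nodes.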
