Re: [PATCH] kernel: drm/vmwgfx: limit the number of mip levels in vmw_gb_surface_define_ioctl()

From: Vladis Dronov
Date: Fri Mar 31 2017 - 06:47:34 EST


This flaw was assigned an id CVE-2017-7346 by MITRE:

http://seclists.org/oss-sec/2017/q1/696

Best regards,
Vladis Dronov | Red Hat, Inc. | Product Security Engineer

----- Original Message -----
From: "Vladis Dronov" <vdronov@xxxxxxxxxx>
To: "VMware Graphics" <linux-graphics-maintainer@xxxxxxxxxx>, "Sinclair Yeh" <syeh@xxxxxxxxxx>, "Thomas Hellstrom" <thellstrom@xxxxxxxxxx>, "David Airlie" <airlied@xxxxxxxx>, dri-devel@xxxxxxxxxxxxxxxxxxxxx, linux-kernel@xxxxxxxxxxxxxxx
Cc: "Vladis Dronov" <vdronov@xxxxxxxxxx>
Sent: Thursday, March 30, 2017 12:27:12 PM
Subject: [PATCH] kernel: drm/vmwgfx: limit the number of mip levels in vmw_gb_surface_define_ioctl()

The 'req->mip_levels' parameter in vmw_gb_surface_define_ioctl() is
a user-controlled 'uint32_t' value which is used as a loop count limit.
This can lead to a kernel lockup and DoS. Add check for 'req->mip_levels'.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1437431
Signed-off-by: Vladis Dronov <vdronov@xxxxxxxxxx>