Issue 737534

Starred by 1 user

Issue metadata

Status: Archived
Owner:
Closed: Jul 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: ----
Type: Bug-Security




CrOS: CVE-2017-9605: Vulnerability reported in Linux kernel

Project Member Reported by vomit.go...@appspot.gserviceaccount.com, Jun 28 2017

Issue description

VOMIT (go/vomit) has received an external vulnerability report for the Linux kernel. 

Advisory: CVE-2017-9605
  Details: http://vomit.googleplex.com/advisory?id=CVE/CVE-2017-9605
  CVSS severity score: 4.9/10.0
  Description:

The vmw_gb_surface_define_ioctl function (accessible via DRM_IOCTL_VMW_GB_SURFACE_CREATE) in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel through 4.11.4 defines a backup_handle variable but does not give it an initial value. If one attempts to create a GB surface, with a previously allocated DMA buffer to be used as a backup buffer, the backup_handle variable does not get written to and is then later returned to user space, allowing local users to obtain sensitive information from uninitialized kernel memory via a crafted ioctl call.



This bug was filed by http://go/vomit
Please contact us at vomit-team@google.com if you need any assistance.
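The advisory text above describes a classic uninitialized-stack leak through an ioctl reply: a local (`backup_handle`) is only written on the "allocate a new buffer" path, yet it is copied back to user space on the "reuse an existing buffer" path as well. The following C program is a simplified user-space model of that control flow, added here as an illustration; it is not the vmwgfx driver's code and not the upstream patch. The struct layouts, the toy handle table, and the names `surface_req`, `surface_rep`, `define_surface`, `lookup_buffer`, `alloc_buffer` and `probe` are assumptions, and the `stale` argument stands in for whatever earlier kernel code happened to leave in the stack slot (on a real kernel that value is not under the caller's control and varies from call to call). The `fixed` flag switches between the vulnerable flow and the two-part fix the commit message describes: initialize `backup_handle` to 0, and set it from `req->buffer_handle` when a user-supplied buffer is found.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Simplified model of vmw_gb_surface_define_ioctl()'s backup_handle
 * handling. Not kernel code: the structs, handle table and helper names
 * are assumptions chosen to make the control flow runnable in user space.
 */

#define SVGA3D_INVALID_ID ((uint32_t)-1)   /* "no buffer" marker, as in the driver */
#define PAGE_BYTES        4096u

struct surface_req {                 /* subset of the user-supplied request */
    uint32_t buffer_handle;          /* existing DMA buffer, or SVGA3D_INVALID_ID */
    int      create_buffer;          /* models drm_vmw_surface_flag_create_buffer */
    uint32_t backup_size;            /* bytes the surface needs for backing */
};

struct surface_rep {                 /* subset of what is copied back to user space */
    uint32_t handle;
    uint32_t backup_size;
    uint32_t buffer_handle;          /* the field that carried stale stack data */
};

/* Toy DMA-buffer table standing in for the driver's lookup/alloc helpers. */
struct dmabuf { uint32_t handle; uint32_t pages; };
static const struct dmabuf bufs[] = { { 0x10, 4 }, { 0x11, 1 } };

static const struct dmabuf *lookup_buffer(uint32_t handle)
{
    for (size_t i = 0; i < sizeof(bufs) / sizeof(bufs[0]); i++)
        if (bufs[i].handle == handle)
            return &bufs[i];
    return NULL;
}

static uint32_t alloc_buffer(void) { return 0x20; }   /* constant handle in this toy */

/*
 * 'stale' is whatever earlier code left in the stack slot that backup_handle
 * occupies; the vulnerable variant reads that slot exactly as an uninitialized
 * local would. Returns 0 or a negative errno.
 */
static int define_surface(const struct surface_req *req, struct surface_rep *rep,
                          uint32_t stale, int fixed)
{
    /* Fixed code: "uint32_t backup_handle = 0;". Vulnerable code: no initializer. */
    uint32_t backup_handle = fixed ? 0 : stale;
    int have_backup = 0;

    if (req->buffer_handle != SVGA3D_INVALID_ID) {
        const struct dmabuf *b = lookup_buffer(req->buffer_handle);
        if (!b)
            return -ENOENT;
        if (b->pages * PAGE_BYTES < req->backup_size)
            return -EINVAL;                     /* "backup buffer is too small" */
        have_backup = 1;
        if (fixed)
            backup_handle = req->buffer_handle; /* second half of the fix */
        /* vulnerable variant: backup_handle is never written on this path */
    } else if (req->create_buffer) {
        backup_handle = alloc_buffer();         /* the only path that always writes it */
        have_backup = 1;
    }

    rep->handle        = 0x1000;                /* surface handle, constant here */
    rep->backup_size   = req->backup_size;
    rep->buffer_handle = have_backup ? backup_handle : SVGA3D_INVALID_ID;
    return 0;
}

/* What a user-space caller gets back in rep.buffer_handle, or -errno. */
static int64_t probe(uint32_t buffer_handle, int create_buffer, uint32_t size,
                     uint32_t stale, int fixed)
{
    struct surface_req req = { buffer_handle, create_buffer, size };
    struct surface_rep rep = { 0, 0, 0 };
    int ret = define_surface(&req, &rep, stale, fixed);
    return ret < 0 ? (int64_t)ret : (int64_t)rep.buffer_handle;
}

int main(void)
{
    const uint32_t stale = 0xdeadbeefu;   /* constructed "leftover" stack contents */

    printf("existing buffer, vulnerable: %#llx\n",
           (unsigned long long)probe(0x10, 0, 4 * PAGE_BYTES, stale, 0));
    printf("existing buffer, fixed:      %#llx\n",
           (unsigned long long)probe(0x10, 0, 4 * PAGE_BYTES, stale, 1));
    printf("fresh buffer, either:        %#llx\n",
           (unsigned long long)probe(SVGA3D_INVALID_ID, 1, PAGE_BYTES, stale, 0));
    return 0;
}
```

With `fixed = 0` and an existing buffer, the caller reads back `0xdeadbeef`, i.e. the stale slot; with `fixed = 1` it reads back the handle it passed in. The "too small" and "unknown handle" error paths return before the reply is filled in either variant, which is why the leak is only reachable on the successful existing-buffer path. The general pattern a reviewer should look for is any reply struct or local that is copied to user space on a path that does not write every field; zeroing the reply (or every local that feeds it) at the top of the handler is the cheap defence, and the model's deterministic `stale` value is a stand-in for what, on a real kernel, would be unpredictable prior stack contents.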


Comment 1 by vakh@chromium.org, Jun 30 2017

Owner: groeck@chromium.org
Status: Assigned (was: Untriaged)

Comment 2 by vakh@chromium.org, Jun 30 2017

Components: OS>Kernel

Comment 3 by groeck@chromium.org, Jun 30 2017

Summary: CrOS: CVE-2017-9605: Vulnerability reported in Linux kernel (was: CrOS: Vulnerability reported in Linux kernel)
Upstream commit 07678eca2cf9c9a1.

Comment 4 by groeck@chromium.org, Jun 30 2017

Status: Started (was: Assigned)

Comment 5 by bugdroid1@chromium.org, Jun 30 2017

Labels: merge-merged-chromeos-4.4
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/53013b900b5e6e8cc550655e1265160e19223395

commit 53013b900b5e6e8cc550655e1265160e19223395
Author: Sinclair Yeh <syeh@vmware.com>
Date: Fri Jun 30 23:02:53 2017

UPSTREAM: drm/vmwgfx: Make sure backup_handle is always valid

When vmw_gb_surface_define_ioctl() is called with an existing buffer,
we end up returning an uninitialized variable in the backup_handle.

The fix is to first initialize backup_handle to 0 just to be sure, and
second, when a user-provided buffer is found, we will use the
req->buffer_handle as the backup_handle.

BUG= chromium:737534 
TEST=Build and run

Change-Id: I684a86b70cec46be9954dbcfb92d5996801cc91a
Cc: <stable@vger.kernel.org>
Reported-by: Murray McAllister <murray.mcallister@insomniasec.com>
Signed-off-by: Sinclair Yeh <syeh@vmware.com>
Reviewed-by: Deepak Rawat <drawat@vmware.com>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 07678eca2cf9c9a1)
Reviewed-on: https://chromium-review.googlesource.com/557911
Reviewed-by: Sonny Rao <sonnyrao@chromium.org>

[modify] https://crrev.com/53013b900b5e6e8cc550655e1265160e19223395/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c


Comment 6 by sheriffbot@chromium.org, Jul 1 2017

Status: Fixed (was: Started)
Please mark security bugs as fixed as soon as the fix lands, and before requesting merges. This update is based on the merge- labels applied to this issue. Please reopen if this update was incorrect.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 7 by sheriffbot@chromium.org, Jul 2 2017

Labels: Restrict-View-SecurityNotify

Comment 8 by sheriffbot@chromium.org, Oct 8 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 9 by dchan@chromium.org, Jan 22 2018

Status: Archived (was: Fixed)
