Re: [PATCH v2] drm/vmwgfx: Work around VMW_ALLOC_DMABUF

From: Zack Rusin
Date: Thu Feb 23 2023 - 07:50:48 EST


On Thu, 2023-02-23 at 15:04 +0800, Meng Tang wrote:
> A privilege escalation vulnerability was found in the vmwgfx driver
> in drivers/gpu/drm/vmwgfx/vmwgfx_drv.c in the GPU component of the Linux
> kernel with device file '/dev/dri/renderD128 (or Dxxx)'. This flaw
> allows a local attacker with a user account on the system to gain
> privilege, causing a denial of service (DoS).
>
> This vulnerability can be quickly verified by the following code
> logic:
> ...
> dri_fd = open("/dev/dri/renderD128", O_RDWR);
> ret = ioctl(dri_fd, 0xC0186441, &arg);
> if (ret == 0) {
>         printf("[*] VMW_ALLOC_DMABUF Success!\n");
> }
> ...

This is just regular usage of that ioctl. What's the vulnerability?

>
> Submit this commit to fix it.

No, this is incorrect. You're effectively just disabling the driver for normal
apps/users using OpenGL or any accelerated contexts, which is going to completely
break, well, essentially everything this driver is for. Being able to use ioctls
that were meant to be used is not a bug.

If you have a proof of concept or at least a description of the vulnerability that
you've found I'd be happy to take a look at it.

z