Addressing the Linux Kernel vmwgfx Driver Out-Of-Bounds Read Vulnerability (CVE-2024-36960)

Introduction

Our team has recently disclosed a vulnerability to Zero Day Initiative (ZDI) in the Linux Kernel’s vmwgfx driver, identified as CVE-2024-36960. This issue, with a CVSS score of 6.7, involves an out-of-bounds (OOB) read that could lead to sensitive information disclosure.

Vulnerability Details

The flaw affects the vmwgfx driver, which is responsible for managing VMware graphics within the Linux Kernel. The vulnerability arises from improper validation of user-supplied data related to fence events. The driver mishandles the length parameter of the drm_event, causing it to read beyond the allocated memory buffer.

More precisely, the vulnerability occurs when the length of the drm_event is set to the size of the parent structure rather than the size of the drm_vmw_event_fence structure, which is what is supposed to be read. The drm_read function, which can be invoked through the read() system call, uses this length parameter to copy the event to user space. This results in an out-of-bounds slab read and a kernel heap leak.

The fix for the vulnerability can be found below:

event->event.base.type = DRM_VMW_EVENT_FENCE_SIGNALED;
-event->event.base.length = sizeof(*event);
+event->event.base.length = sizeof(event->event);
event->event.user_data = user_data;
ret = drm_event_reserve_init(dev, file_priv, &event->base, &event->event.base);
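Review bot: the new length sizeof(event->event) now describes exactly the drm_event that is handed to drm_event_reserve_init as its last argument (&event->event.base), which is the object the read path copies to user space; the old sizeof(*event) measured the whole containing allocation, including the private &event->base bookkeeping passed as the third argument, so the copy ran past the end of the user-visible event. A one-line comment above the assignment stating that base.length must be the size of the user-visible event, not of the container, would help keep the same slip from being reintroduced.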

This logic shows how event->event.base.length was initially set incorrectly to the size of the parent structure (*event) instead of the size of event->event, which leads to the out-of-bounds read.
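To make the length mistake concrete, the following user-space model is an added example and not kernel code: it uses simplified, assumed layouts (all sim_* names are hypothetical stand-ins, not the real vmwgfx or DRM definitions) in which the user-visible fence event is the last member of a larger pending object, a simulated read path copies base.length bytes from the event header, and a neighbouring object is filled with a constructed marker byte. The pre-patch initialisation copies sizeof(*ev) and carries marker bytes out to the caller; the post-patch initialisation copies sizeof(ev->event) and stops at the event boundary. The event_length_is_valid check is the invariant a reviewer or self-test can apply before an event is queued.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Simplified stand-ins for the kernel structures (assumed layouts, not the
 * real vmwgfx definitions). Every DRM event starts with this header, and
 * the read path trusts .length when copying the event to user space. */
struct sim_drm_event { uint32_t type; uint32_t length; };

/* The user-visible fence event: the object that is supposed to be copied. */
struct sim_drm_vmw_event_fence {
    struct sim_drm_event base;
    uint64_t user_data;
    uint32_t tv_sec;
    uint32_t tv_usec;
};

/* Kernel-private bookkeeping living in the same allocation as the event. */
struct sim_drm_pending_event { void *file_priv; void *fence; void *link_prev; void *link_next; };

/* The containing allocation ("*event" in the patch); the event is its last
 * member, so a length equal to sizeof(*event) runs past its end. */
struct sim_vmw_event_fence_pending {
    struct sim_drm_pending_event base;
    struct sim_drm_vmw_event_fence event;
};

/* Constructed slab model: the pending object followed by a neighbouring
 * object whose contents a correct read must never reach. */
struct sim_slab {
    struct sim_vmw_event_fence_pending pending;
    unsigned char neighbour[64];
};

#define NEIGHBOUR_MARKER 0xAA   /* constructed fill byte for the neighbour */

/* Pre-patch initialisation: length taken from the parent structure. */
static void init_event_vulnerable(struct sim_vmw_event_fence_pending *ev, uint64_t user_data)
{
    ev->event.base.type = 1;
    ev->event.base.length = (uint32_t)sizeof(*ev);        /* bug: parent size */
    ev->event.user_data = user_data;
}

/* Post-patch initialisation: length taken from the embedded event. */
static void init_event_fixed(struct sim_vmw_event_fence_pending *ev, uint64_t user_data)
{
    ev->event.base.type = 1;
    ev->event.base.length = (uint32_t)sizeof(ev->event);  /* fix: event size */
    ev->event.user_data = user_data;
}

/* Invariant to check before queueing: the advertised length must equal the
 * size of the user-visible event, never the size of its container. */
static int event_length_is_valid(const struct sim_vmw_event_fence_pending *ev)
{
    return ev->event.base.length == sizeof(ev->event);
}

/* Model of the read path: copies base.length bytes starting at the event
 * header, exactly as the driver-supplied length instructs. Returns the
 * number of bytes copied. */
static size_t sim_drm_read(const struct sim_slab *slab, unsigned char *out, size_t out_cap)
{
    const unsigned char *src = (const unsigned char *)&slab->pending.event;
    size_t len = slab->pending.event.base.length;
    if (len > out_cap)
        len = out_cap;
    memcpy(out, src, len);
    return len;
}

/* Runs one scenario and counts how many neighbour bytes reached the caller:
 * 0 with the fix, sizeof(struct sim_drm_pending_event) without it. */
static size_t bytes_leaked_from_neighbour(int use_fix)
{
    struct sim_slab slab;
    unsigned char out[sizeof(slab)];
    size_t n, i, leaked = 0;

    memset(&slab, 0, sizeof(slab));
    memset(slab.neighbour, NEIGHBOUR_MARKER, sizeof(slab.neighbour));
    if (use_fix)
        init_event_fixed(&slab.pending, 0x1234);
    else
        init_event_vulnerable(&slab.pending, 0x1234);

    n = sim_drm_read(&slab, out, sizeof(out));
    for (i = sizeof(slab.pending.event); i < n; i++)   /* bytes past the event */
        if (out[i] == NEIGHBOUR_MARKER)
            leaked++;
    return leaked;
}

/* Does the length invariant hold for the pre-patch (0) or post-patch (1) code? */
static int scenario_length_valid(int use_fix)
{
    struct sim_vmw_event_fence_pending ev;
    memset(&ev, 0, sizeof(ev));
    if (use_fix)
        init_event_fixed(&ev, 0);
    else
        init_event_vulnerable(&ev, 0);
    return event_length_is_valid(&ev);
}

int main(void)
{
    printf("pre-patch : length valid=%d, neighbour bytes copied out=%zu\n",
           scenario_length_valid(0), bytes_leaked_from_neighbour(0));
    printf("post-patch: length valid=%d, neighbour bytes copied out=%zu\n",
           scenario_length_valid(1), bytes_leaked_from_neighbour(1));
    return 0;
}
```

The number of neighbour bytes copied out in the pre-patch case equals sizeof(struct sim_drm_pending_event), which is exactly the difference between the parent size and the embedded event size; in the real driver that difference is what drm_read returned from adjacent slab memory.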

Patch and Resolution

The problem was resolved through a patch submitted by Zack Rusin. The patch corrects the length parameter to match the size of the drm_vmw_event_fence structure, mitigating the risk of out-of-bounds reads. The fix has been incorporated into the kernel with the following commit.

Impact and Mitigation

Users of affected Linux Kernel versions are advised to update their systems to the latest version which includes this patch.
