Safa
Safa
All posts

CVE-2024-36960 Advisory: Details & Mitigation | SAFA Team

Our team has recently disclosed a vulnerability to Zero Day Initiative (ZDI) in the Linux Kernel’s vmwgfx driver, identified as CVE-2024-36960. This issue, with a CVSS score of 6.7, involves an out-of-bounds (OOB) read that could lead to sensitive information disclosure.

CVE-2024-36960 Advisory: Details & Mitigation | SAFA Team

Introduction

Our team has recently disclosed a vulnerability to Zero Day Initiative (ZDI) in the Linux Kernel’s vmwgfx driver, identified as CVE-2024-36960. This issue, with a CVSS score of 6.7, involves an out-of-bounds (OOB) read that could lead to sensitive information disclosure.

Vulnerability Details

The flaw affects the vmwgfx driver, which is responsible for managing VMware graphics within the Linux Kernel. The vulnerability arises from improper validation of user-supplied data related to fence events. The driver mishandles the length parameter of the drm_event, causing it to read beyond the allocated memory buffer.

More precisely the vulnerability occurs when the length of the

drm_event
is set to the size of the parent structure rather than the size of the
drm_vmw_event_fence
structure, which is supposed to be read. The
drm_read
function, which can be invoked through the read() system call, uses this length parameter to copy the event to user space. This results in an out of bounds slab read and a kernel heap leak.

The fix for the vulnerability can be found below:

1
event->event.base.type = DRM_VMW_EVENT_FENCE_SIGNALED;
2
-event->event.base.length = sizeof(*event);
3
+event->event.base.length = sizeof(event->event);
4
event->event.user_data = user_data;
5
ret = drm_event_reserve_init(dev, file_priv, &event->base, &event->event.base);

This logic shows how the

event->event.base.length
was initially set incorrectly to the size of the parent structure (
*event
) instead of the correct
event->event
size, which leads to the out-of-bounds read.

Patch and Resolution

The problem was resolved through a patch submitted by Zack Rusin. The patch corrects the length parameter to match the size of the

drm_vmw_event_fence
structure, mitigating the risk of out-of-bounds reads. The fix has been incorporated into the kernel with the following commit.

Impact and Mitigation

Users of affected Linux Kernel versions are advised to update their systems to the latest version which includes this patch.

Stay up to date with all things SAFA
Insights

Related posts

More content you might like

View all
SAFA and TeamT5 Take Part in Pwn2Own’s Vulnerability Demonstration

Cybersecurity is always a work in progress. That’s why SAFA and our key partner, TeamT5, regularly participate in ethical hacking events. They provide a venue to learn about current real-world security issues and sharpen our skills in solving them. This is why we traveled to Toronto, Canada, for the most recent Pwn2Own competition. 

SAFA Team
Sep 16, 20248 min read