CVE-2024-36960 Advisory: Details & Mitigation | SAFA Team
Our team has recently disclosed a vulnerability to Zero Day Initiative (ZDI) in the Linux Kernel’s vmwgfx driver, identified as CVE-2024-36960. This issue, with a CVSS score of 6.7, involves an out-of-bounds (OOB) read that could lead to sensitive information disclosure.
Introduction
Our team has recently disclosed a vulnerability to Zero Day Initiative (ZDI) in the Linux Kernel’s vmwgfx driver, identified as CVE-2024-36960. This issue, with a CVSS score of 6.7, involves an out-of-bounds (OOB) read that could lead to sensitive information disclosure.
Vulnerability Details
The flaw affects the vmwgfx driver, which is responsible for managing VMware graphics within the Linux Kernel. The vulnerability arises from improper validation of user-supplied data related to fence events. The driver mishandles the length parameter of the drm_event, causing it to read beyond the allocated memory buffer.
More precisely the vulnerability occurs when the length of the
is set to the size of the parent structure rather than the size of thedrm_event
structure, which is supposed to be read. Thedrm_vmw_event_fence
function, which can be invoked through the read() system call, uses this length parameter to copy the event to user space. This results in an out of bounds slab read and a kernel heap leak.drm_read
The fix for the vulnerability can be found below:
1event->event.base.type = DRM_VMW_EVENT_FENCE_SIGNALED;2-event->event.base.length = sizeof(*event);3+event->event.base.length = sizeof(event->event);4event->event.user_data = user_data;5ret = drm_event_reserve_init(dev, file_priv, &event->base, &event->event.base);
This logic shows how the
was initially set incorrectly to the size of the parent structure (event->event.base.length
) instead of the correct*event
size, which leads to the out-of-bounds read.event->event
Patch and Resolution
The problem was resolved through a patch submitted by Zack Rusin. The patch corrects the length parameter to match the size of the
structure, mitigating the risk of out-of-bounds reads. The fix has been incorporated into the kernel with the following commit.drm_vmw_event_fence
Impact and Mitigation
Users of affected Linux Kernel versions are advised to update their systems to the latest version which includes this patch.
Related posts
More content you might like