vmwgfx Driver File Descriptor Handling Privilege Escalation
If the vmwgfx driver fails to copy the fence_rep object to userland, it
tries to recover by deallocating the (already populated) file descriptor.
This is wrong: the fd is released via put_unused_fd(), which must not be
used here, because the fd table slot was already populated by the preceding
call to fd_install(). This leaves userland with a valid fd table entry
pointing to a freed file object. The authors use this bug to overwrite a
SUID binary with their payload and gain root. Linux kernel versions
4.14-rc1 - 5.17-rc1 are vulnerable. Successfully tested against Ubuntu
22.04.01 with kernel 5.13.12-051312-generic.
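To make the ordering problem concrete, here is an added user-space C model (not code from the advisory, the exploit module, or the kernel) of a tiny fd table with toy stand-ins for get_unused_fd_flags(), fd_install(), put_unused_fd() and fput(). It contrasts the faulty sequence the text describes (install the fd, attempt the copy, then "undo" with put_unused_fd() on failure) with the safe ordering, where the fd is only installed once the copy to userland has succeeded, so a failed copy can be unwound with put_unused_fd() plus fput() while the slot is still empty. The table layout, the file pool and the copy_to_user() stub that can be forced to fail are all assumptions of this model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define NR_FDS 8

/* Toy file object: a refcount and a flag that records release.
 * We never free memory, so a dangling slot can still be inspected. */
struct file {
    int refcount;
    bool released;
};

static struct file file_pool[NR_FDS];   /* constructed pool of file objects */
static int next_file;
static struct file *fd_table[NR_FDS];   /* fd -> file (models fdt->fd[]) */
static bool fd_reserved[NR_FDS];        /* models the open_fds bitmap */

static void reset_table(void)
{
    next_file = 0;
    for (int i = 0; i < NR_FDS; i++) {
        fd_table[i] = NULL;
        fd_reserved[i] = false;
        file_pool[i].refcount = 0;
        file_pool[i].released = false;
    }
}

static struct file *alloc_file(void)
{
    struct file *f = &file_pool[next_file++];
    f->refcount = 1;
    return f;
}

/* Reserve an fd number without populating the table slot. */
static int get_unused_fd_flags(void)
{
    for (int i = 0; i < NR_FDS; i++) {
        if (!fd_reserved[i] && fd_table[i] == NULL) {
            fd_reserved[i] = true;
            return i;
        }
    }
    return -1;
}

/* Populate the slot; from here on userland owns the reference. */
static void fd_install(int fd, struct file *f) { fd_table[fd] = f; }

/* Drop the reservation only. It does NOT clear fd_table[fd]; that is the
 * point the advisory makes: it is only valid before fd_install(). */
static void put_unused_fd(int fd) { fd_reserved[fd] = false; }

static void fput(struct file *f)
{
    if (--f->refcount == 0)
        f->released = true;
}

/* Stub for the usercopy; the caller decides whether it "faults". */
static int copy_to_user_stub(bool should_fail) { return should_fail ? -1 : 0; }

/* Faulty ordering described in the text: install first, copy second,
 * then try to recover with put_unused_fd() after the slot is populated. */
static int faulty_sequence(bool copy_fails)
{
    struct file *f = alloc_file();
    int fd = get_unused_fd_flags();
    fd_install(fd, f);
    if (copy_to_user_stub(copy_fails) < 0) {
        put_unused_fd(fd);   /* wrong: slot already holds f */
        fput(f);             /* f released, but fd_table[fd] still points at it */
        return -1;
    }
    return fd;
}

/* Safe ordering: only install once the fd value has reached userland. */
static int safe_sequence(bool copy_fails)
{
    struct file *f = alloc_file();
    int fd = get_unused_fd_flags();
    if (copy_to_user_stub(copy_fails) < 0) {
        put_unused_fd(fd);   /* slot was never populated, so this is legal */
        fput(f);
        return -1;
    }
    fd_install(fd, f);
    return fd;
}

/* Audit helper: count table slots that still reference a released file. */
static int count_dangling_fds(void)
{
    int n = 0;
    for (int i = 0; i < NR_FDS; i++)
        if (fd_table[i] != NULL && fd_table[i]->released)
            n++;
    return n;
}

int main(void)
{
    reset_table();
    faulty_sequence(true);
    printf("faulty ordering, failed copy: %d dangling fd(s)\n", count_dangling_fds());
    reset_table();
    safe_sequence(true);
    printf("safe ordering, failed copy:   %d dangling fd(s)\n", count_dangling_fds());
    return 0;
}
```

Running the model shows one dangling entry after the faulty sequence and none after the safe one. The general rule it illustrates is that fd_install() is the point of no return for a descriptor: anything that can still fail (such as the copy of the descriptor number to userland) must happen before it, and the error path may only call put_unused_fd() on a descriptor that was never installed.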
https://packetstormsecurity.com/files/170833/vmwgfx_fd_priv_esc.rb.txt
Wed, 01 Feb 2023 17:54:32 GMT
* Origin: Read us with http://winpoint.org JID: rs@captflint.com