On 2023/2/24 11:13, Zack Rusin wrote:
That's correct. That's the way this works. The ioctl is allocating a buffer,
there's
no infinite space for buffers on a system and, given that your app just
allocates
and never frees buffers, at some point the space will run out and the ioctl will
retur
denial of service(DoS).
This vulnerability can be quickly verified by the following code
logic:
...
dri_fd = open("/dev/dri/renderD128", O_RDWR);
ret = ioctl(dri_fd, 0xC0186441, &arg);
if (ret == 0) {
printf("[*] VMW_ALLOC_DMABUF Success!\n");
}
...
Submit this commit to
denial of service(DoS).
This vulnerability can be quickly verified by the following code
logic:
...
dri_fd = open("/dev/dri/renderD128", O_RDWR);
ret = ioctl(dri_fd, 0xC0186441, &arg);
if (ret == 0) {
printf("[*] VMW_ALLOC_DMABUF Success!\n");
}
...
Submit this commit to
On 2023/2/23 20:50, Zack Rusin wrote:
On Thu, 2023-02-23 at 15:04 +0800, Meng Tang wrote:
A privilege escalation vulnerability was found in vmwgfx driver
in drivers/gpu/drm/vmwgfx/vmwgfx_drv.c in GPU component of Linux
kernel with device file '/dev/dri/renderD128 (or Dxxx)'. This fla
quot; and "psb" to "vega10_psb" to make it more clearly.
The rows longer than 100 columns are involved.
Signed-off-by: Meng Tang
---
.../drm/amd/pm/powerplay/hwmgr/vega10_hwmgr.c | 68 +++
1 file changed, 38 insertions(+), 30 deletions(-)
diff --git a/driver
