Bugzilla – Bug 1203329
VUL-0: CVE-2022-40133: kernel: use-after-free in 'vmw_execbuf_tie_context' in vmxgfx
Last modified: 2022-12-01 07:09:29 UTC
A use-after-free(UAF) vulnerability was found in function
'vmw_execbuf_tie_context' in drivers/gpu/vmxgfx/vmxgfx_execbuf.c in Linux
kernel's vmwgfx driver with device file '/dev/dri/renderD128 (or Dxxx)'. This
flaw allows a local attacker with a user account on the system to gain
privilege, causing a denial of service(DoS).
Thomas, this seems to be in your area. Please, handle the bug or eventually assign it to a more appropriate person.
(In reply to Petr Mladek from comment #3)
> Thomas, this seems to be in your area. Please, handle the bug or eventually
> assign it to a more appropriate person.
I keep it on my radar, together with these other CVEs. But there's little information available. (?) The upstream trees for the driver don't have a patch yet.
I cannot access the bug tracked at openalolis.cn. Do we have a login to it?
Thomas, by any chance did you notice anything that could match the CVE description?
(In reply to Jan Kara from comment #5)
> Thomas, by any chance did you notice anything that could match the CVE
Neither for this CVE nor for the others against the vmwgfx driver. The code has not been touched in years and there's nothing on the mailing lists about these CVEs.
I'll reach out to the dev at VMware and ask for his opinion on the matter.
Is there any progress in fixing the bugs in upstream, please?
(In reply to Petr Mladek from comment #7)
> Is there any progress in fixing the bugs in upstream, please?
No. It still stands as it is.