CVE CyberSecurity Database News

CVE-2024-50134 - Fixing Linux Kernel Vulnerability in drm/vboxvideo

Poster -

In the Linux kernel, a vulnerability concerning the drm/vboxvideo module has been discovered and resolved. This post will provide details on the vulnerability, code snippets for the fix, and links to original references. The vulnerability in question deals with a fake VLA (Variable Length Array) being used in the vbva_mouse_pointer_shape object, resulting in a potential "memcpy: detected field-spanning write error" warning. The fix replaces this fake VLA with a real one, addressing the underlying problem.

The fix implemented for resolving this vulnerability can be seen below

// Replace the fake VLA at end of the vbva_mouse_pointer_shape shape with a real VLA
struct vbva_mouse_pointer_shape {
    ...
    u8 data[]; // Rest of bytes are for image and mask
};

This change to the code eliminates the use of the fake VLA, which can lead to the error warning detailed in the introduction.

When the vulnerability is present, it results in an error warning similar to the one shown below

[ 13.319813] memcpy: detected field-spanning write (size 16896) of single field "p->data" at drivers/gpu/drm/vboxvideo/hgsmi_base.c:154 (size 4)
[ 13.319841] WARNING: CPU: PID: 1105 at drivers/gpu/drm/vboxvideo/hgsmi_base.c:154 hgsmi_update_pointer_shape+x192/x1c [vboxvideo]

The resolving patch with the changes discussed in this post can be found at the following link

- Linux Kernel Patch - drm/vboxvideo: Replace fake VLA at end of vbva_mouse_pointer_shape with real VLA

Exploit Details

The exploit of this vulnerability requires specific conditions where the memcpy function would attempt to write beyond the bounds of the allocated memory for the vbva_mouse_pointer_shape object. This can potentially lead to data corruption, and in certain rare cases, this could allow an attacker to execute arbitrary code.

Conclusion

The CVE-2024-50134 vulnerability has been resolved with the replacement of the fake VLA in the vbva_mouse_pointer_shape object with a real one, preventing the "memcpy: detected field-spanning write error" warning from occurring. It is advised to update to the patched version of the kernel to mitigate any potential risks associated with this vulnerability.

Timeline

Published on: 11/05/2024 18:15:16 UTC
Last modified on: 11/08/2024 16:15:47 UTC