Subscribe via feed.

vmwgfx Driver File Descriptor Handling Privilege Escalation

Posted by deepcore on February 2, 2023 – 2:53 am

If the vmwgfx driver fails to copy the fence_rep object to userland, it tries to recover by deallocating the (already populated) file descriptor. This is wrong, as the fd gets released via put_unused_fd() which shouldn’t be used, as the fd table slot was already populated via the previous call to fd_install(). This leaves userland with a valid fd table entry pointing to a freed file object. The authors use this bug to overwrite a SUID binary with their payload and gain root. Linux kernel versions 4.14-rc1 – 5.17-rc1 are vulnerable. Successfully tested against Ubuntu 22.04.01 with kernel 5.13.12-051312-generic.


This post is under “exploit” and has no respond so far.
If you enjoy this article, make sure you subscribe to my RSS Feed.

Post a reply

You must be logged in to post a comment.