CVE-2024-50134

drm/vboxvideo: Replace fake VLA at end of vbva_mouse_pointer_shape with real VLA

Severity Score

"-"

*CVSS v-

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

drm/vboxvideo: Replace fake VLA at end of vbva_mouse_pointer_shape with real VLA

Replace the fake VLA at end of the vbva_mouse_pointer_shape shape with
a real VLA to fix a "memcpy: detected field-spanning write error" warning:

[ 13.319813] memcpy: detected field-spanning write (size 16896) of single field "p->data" at drivers/gpu/drm/vboxvideo/hgsmi_base.c:154 (size 4)
[ 13.319841] WARNING: CPU: 0 PID: 1105 at drivers/gpu/drm/vboxvideo/hgsmi_base.c:154 hgsmi_update_pointer_shape+0x192/0x1c0 [vboxvideo]
[ 13.320038] Call Trace:
[ 13.320173] hgsmi_update_pointer_shape [vboxvideo]
[ 13.320184] vbox_cursor_atomic_update [vboxvideo]

Note as mentioned in the added comment it seems the original length
calculation for the allocated and send hgsmi buffer is 4 bytes too large.
Changing this is not the goal of this patch, so this behavior is kept.

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: drm/vboxvideo: Reemplazar VLA falso al final de vbva_mouse_pointer_shape con VLA real Reemplace el VLA falso al final de la forma vbva_mouse_pointer_shape con un VLA real para corregir una advertencia "memcpy: error de escritura que abarca el campo detectado": [ 13.319813] memcpy: se detectó una escritura que abarca el campo (tamaño 16896) de un solo campo "p->data" en drivers/gpu/drm/vboxvideo/hgsmi_base.c:154 (tamaño 4) [ 13.319841] ADVERTENCIA: CPU: 0 PID: 1105 en drivers/gpu/drm/vboxvideo/hgsmi_base.c:154 hgsmi_update_pointer_shape+0x192/0x1c0 [vboxvideo] [ [13.320038] Seguimiento de llamadas: [13.320173] hgsmi_update_pointer_shape [vboxvideo] [13.320184] vbox_cursor_atomic_update [vboxvideo] Tenga en cuenta que, como se menciona en el comentario agregado, parece que el cálculo de longitud original para el búfer hgsmi asignado y enviado es 4 bytes más grande. Cambiar esto no es el objetivo de este parche, por lo que se mantiene este comportamiento.

*Credits: N/A

CVSS Scores

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2024-10-21 CVE Reserved
2024-11-05 CVE Published
2024-11-09 EPSS Updated
2024-11-19 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (7)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/02c86c5d5ef4bbba17d38859c74872825f536617	2024-11-08
https://git.kernel.org/stable/c/75f828e944dacaac8870418461d3d48a1ecf2331	2024-11-08
https://git.kernel.org/stable/c/34a422274b693507025a7db21519865d1862afcb	2024-11-01
https://git.kernel.org/stable/c/7458a6cdaebb3dc59af8578ee354fae78a154c4a	2024-11-01
https://git.kernel.org/stable/c/9eb32bd23bbcec44bcbef27b7f282b7a7f3d0391	2024-11-01
https://git.kernel.org/stable/c/fae9dc12c61ce23cf29d09824a741b7b1ff8f01f	2024-11-01
https://git.kernel.org/stable/c/d92b90f9a54d9300a6e883258e79f36dab53bfae	2024-09-14

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 5.4.285 Search vendor "Linux" for product "Linux Kernel" and version " < 5.4.285"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 5.10.229 Search vendor "Linux" for product "Linux Kernel" and version " < 5.10.229"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 5.15.170 Search vendor "Linux" for product "Linux Kernel" and version " < 5.15.170"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 6.1.115 Search vendor "Linux" for product "Linux Kernel" and version " < 6.1.115"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 6.6.59 Search vendor "Linux" for product "Linux Kernel" and version " < 6.6.59"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 6.11.6 Search vendor "Linux" for product "Linux Kernel" and version " < 6.11.6"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 6.12 Search vendor "Linux" for product "Linux Kernel" and version " < 6.12"		en		Affected