Hello,
I am reporting a security vulnerability discovered during a kernel security 
audit of Linux 7.0.12+kali-rt-amd64. This report is submitted under coordinated 
disclosure.
Vulnerability Summary
An integer overflow exists in the cur_bo_offset accumulation loop inside 
vmw_surface_define_ioctl() in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c, line 
794. The loop iterates up to 144 times (DRM_VMW_MAX_SURFACE_FACES × 
DRM_VMW_MAX_MIP_LEVELS) accumulating per-mip-level buffer sizes into a uint32_t 
variable without any overflow check. The resulting wrapped value is then used 
as guest_memory_size to allocate the backing buffer object (BO), creating a 
severe size discrepancy between the allocated BO and the surface the GPU 
expects to access.
Affected Component

  *   File: drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
  *   Function: vmw_surface_define_ioctl()
  *   Line: 794
  *   Kernel tested: Linux 7.0.12+kali-rt-amd64

Vulnerable Code
c

cur_bo_offset = 0;   /* uint32_t — no overflow protection */
for (i = 0; i < DRM_VMW_MAX_SURFACE_FACES; ++i) {
    for (j = 0; j < metadata->mip_levels[i]; ++j) {
        cur_offset->bo_offset = cur_bo_offset;
        cur_bo_offset += vmw_surface_get_image_buffer_size(   /* line 794 */
                desc, cur_size, stride);   /* NO check_add_overflow() */
    }
}
res->guest_memory_size = cur_bo_offset;   /* stored wrapped value */

Proof of Concept
Using format 40 (SVGA3D_A16_B16_G16_R16, 8 bytes/pixel), width=8192, 6 faces 
and 24 mip levels:

  *   Real surface size (u64): 4,294,967,760 bytes (~4.29 GB)
  *   Wrapped guest_memory_size (u32): 464 bytes
  *   BO allocated: 464 bytes
  *   Surface SID returned by kernel: 53036 (no error returned)

When EXECBUF SURFACE_DMA is subsequently issued, the host attempts to construct 
a 3-level MOB page table for the 4.29 GB surface. This exceeds vmwgfx's 2-level 
limit, triggering BUG_ON(mob->pt_level > 2) in vmwgfx_mob.c:518 and causing an 
immediate kernel panic from an unprivileged process in the video group.
Impact

  *   Denial of Service (kernel panic) — confirmed on VMware Workstation Pro
  *   Potential out-of-bounds write in environments without the pt_level guard 
(e.g., ESXi/vSphere)
  *   Access vector: local user in the video group, no root privileges required

Suggested Fix
c

u32 img_size = vmw_surface_get_image_buffer_size(desc, cur_size, stride);
if (check_add_overflow(cur_bo_offset, img_size, &cur_bo_offset)) {
    ret = -EINVAL;
    goto out_invalid_size;
}

Related CVEs

  *   CVE-2017-7294 — Prior integer overflow in the same function 
(vmw_surface_define_ioctl), fixed in kernel 4.10.6. The current bug is a 
distinct variant in the accumulation path that was not addressed by that fix.
  *   CVE-2025-40277 — Recent integer overflow in vmw_cmd_check (vmwgfx).

Attachments

  *   poc_vmwgfx_bug6_final.c — self-contained PoC; compile with gcc -O0 -o poc 
poc_vmwgfx_bug6_final.c and run as a user in the video group.

I am available to provide additional technical details, logs, or testing 
assistance. I request coordinated disclosure with a standard 90-day embargo.
Regards,
Fernando Maia and Renan Malafati
Security Researcher's

<<attachment: poc_vmwgfx_bug6_final.zip>>

Reply via email to