Hello, I am reporting a security vulnerability discovered during a kernel security audit of Linux 7.0.12+kali-rt-amd64. This report is submitted under coordinated disclosure. Vulnerability Summary An integer overflow exists in the cur_bo_offset accumulation loop inside vmw_surface_define_ioctl() in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c, line 794. The loop iterates up to 144 times (DRM_VMW_MAX_SURFACE_FACES × DRM_VMW_MAX_MIP_LEVELS) accumulating per-mip-level buffer sizes into a uint32_t variable without any overflow check. The resulting wrapped value is then used as guest_memory_size to allocate the backing buffer object (BO), creating a severe size discrepancy between the allocated BO and the surface the GPU expects to access. Affected Component
* File: drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
* Function: vmw_surface_define_ioctl()
* Line: 794
* Kernel tested: Linux 7.0.12+kali-rt-amd64
Vulnerable Code
c
cur_bo_offset = 0; /* uint32_t — no overflow protection */
for (i = 0; i < DRM_VMW_MAX_SURFACE_FACES; ++i) {
for (j = 0; j < metadata->mip_levels[i]; ++j) {
cur_offset->bo_offset = cur_bo_offset;
cur_bo_offset += vmw_surface_get_image_buffer_size( /* line 794 */
desc, cur_size, stride); /* NO check_add_overflow() */
}
}
res->guest_memory_size = cur_bo_offset; /* stored wrapped value */
Proof of Concept
Using format 40 (SVGA3D_A16_B16_G16_R16, 8 bytes/pixel), width=8192, 6 faces
and 24 mip levels:
* Real surface size (u64): 4,294,967,760 bytes (~4.29 GB)
* Wrapped guest_memory_size (u32): 464 bytes
* BO allocated: 464 bytes
* Surface SID returned by kernel: 53036 (no error returned)
When EXECBUF SURFACE_DMA is subsequently issued, the host attempts to construct
a 3-level MOB page table for the 4.29 GB surface. This exceeds vmwgfx's 2-level
limit, triggering BUG_ON(mob->pt_level > 2) in vmwgfx_mob.c:518 and causing an
immediate kernel panic from an unprivileged process in the video group.
Impact
* Denial of Service (kernel panic) — confirmed on VMware Workstation Pro
* Potential out-of-bounds write in environments without the pt_level guard
(e.g., ESXi/vSphere)
* Access vector: local user in the video group, no root privileges required
Suggested Fix
c
u32 img_size = vmw_surface_get_image_buffer_size(desc, cur_size, stride);
if (check_add_overflow(cur_bo_offset, img_size, &cur_bo_offset)) {
ret = -EINVAL;
goto out_invalid_size;
}
Related CVEs
* CVE-2017-7294 — Prior integer overflow in the same function
(vmw_surface_define_ioctl), fixed in kernel 4.10.6. The current bug is a
distinct variant in the accumulation path that was not addressed by that fix.
* CVE-2025-40277 — Recent integer overflow in vmw_cmd_check (vmwgfx).
Attachments
* poc_vmwgfx_bug6_final.c — self-contained PoC; compile with gcc -O0 -o poc
poc_vmwgfx_bug6_final.c and run as a user in the video group.
I am available to provide additional technical details, logs, or testing
assistance. I request coordinated disclosure with a standard 90-day embargo.
Regards,
Fernando Maia and Renan Malafati
Security Researcher's
<<attachment: poc_vmwgfx_bug6_final.zip>>
