Message-ID: <2025111227-CVE-2025-40110-5ca4@gregkh>
Date: Wed, 12 Nov 2025 10:07:28 +0900
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2025-40110: drm/vmwgfx: Fix a null-ptr access in the cursor snooper
From: Greg Kroah-Hartman <gregkh@...nel.org>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

drm/vmwgfx: Fix a null-ptr access in the cursor snooper

Check that the resource which is converted to a surface exists before
trying to use the cursor snooper on it.

vmw_cmd_res_check allows explicit invalid (SVGA3D_INVALID_ID) identifiers
because some svga commands accept SVGA3D_INVALID_ID to mean "no surface",
unfortunately functions that accept the actual surfaces as objects might
(and in case of the cursor snooper, do not) be able to handle null
objects. Make sure that we validate not only the identifier (via the
vmw_cmd_res_check) but also check that the actual resource exists before
trying to do something with it.

Fixes unchecked null-ptr reference in the snooping code.

The Linux kernel CVE team has assigned CVE-2025-40110 to this issue.

Affected and fixed versions
===========================

	Issue introduced in 3.8 with commit c0951b797e7d0f2c6b0df2c0e18185c72d0cf1a1 and fixed in 6.6.113 with commit 299cfb5a7deabdf9ecd30071755672af0aced5eb
	Issue introduced in 3.8 with commit c0951b797e7d0f2c6b0df2c0e18185c72d0cf1a1 and fixed in 6.12.54 with commit 13c9e4ed125e19484234c960efe5ac9c55119523
	Issue introduced in 3.8 with commit c0951b797e7d0f2c6b0df2c0e18185c72d0cf1a1 and fixed in 6.17.4 with commit b6fca0a07989f361ceda27cb2d09c555d4d4a964
	Issue introduced in 3.8 with commit c0951b797e7d0f2c6b0df2c0e18185c72d0cf1a1 and fixed in 6.18-rc1 with commit 5ac2c0279053a2c5265d46903432fb26ae2d0da2

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-40110
will be updated if fixes are backported, please check that for the most
up to date information about this issue.

Affected files
==============

The file(s) affected by this issue are:
	drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c

Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/299cfb5a7deabdf9ecd30071755672af0aced5eb
	https://git.kernel.org/stable/c/13c9e4ed125e19484234c960efe5ac9c55119523
	https://git.kernel.org/stable/c/b6fca0a07989f361ceda27cb2d09c555d4d4a964
	https://git.kernel.org/stable/c/5ac2c0279053a2c5265d46903432fb26ae2d0da2
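
The bug class described above, as an added user-space example that is not part of the announcement and is not the vmwgfx driver's code: an identifier check that accepts a "no surface" sentinel, followed by a consumer that needs a real object. All names (`res_check`, `snoop`, `handle_cmd_*`, `INVALID_ID`, the surface table) are hypothetical stand-ins.

```c
/* User-space model of the pattern; every name is hypothetical, not vmwgfx code. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#define INVALID_ID 0xFFFFFFFFu /* stands in for SVGA3D_INVALID_ID */
#define NUM_SURFACES 4u
struct surface { uint32_t id; int snooped; };
static struct surface table[NUM_SURFACES] = { {0, 0}, {1, 0}, {2, 0}, {3, 0} };

/* Identifier check: INVALID_ID is accepted as "no surface", so a return
 * of 0 does not guarantee that *out points at an object. */
static int res_check(uint32_t id, struct surface **out)
{
    *out = NULL;
    if (id == INVALID_ID)
        return 0;
    if (id >= NUM_SURFACES)
        return -EINVAL;
    *out = &table[id];
    return 0;
}

/* Consumer that requires a real object and dereferences it unconditionally. */
static void snoop(struct surface *srf) { srf->snooped++; }

/* Before: trusts the identifier check alone; id == INVALID_ID reaches
 * snoop() with NULL and crashes. */
int handle_cmd_unchecked(uint32_t id)
{
    struct surface *srf;
    int ret = res_check(id, &srf);
    if (ret)
        return ret;
    snoop(srf);
    return 0;
}

/* After: also verifies that the resource exists before using it. */
int handle_cmd_checked(uint32_t id)
{
    struct surface *srf;
    int ret = res_check(id, &srf);
    if (ret)
        return ret;
    if (!srf)
        return -EINVAL;
    snoop(srf);
    return 0;
}

int main(void) { return handle_cmd_checked(INVALID_ID) == -EINVAL ? 0 : 1; }
```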