CVE-2022-50667
Description
In the Linux kernel, the following vulnerability has been resolved:
drm/vmwgfx: Fix memory leak in vmw_mksstat_add_ioctl()
If the copy of the description string from userspace fails, then the page for the instance descriptor doesn't get freed before returning -EFAULT, which leads to a memleak.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A memory leak in the Linux kernel's vmw_mksstat_add_ioctl() function occurs when copying a description string from userspace fails, leaving a page unfreed.
Vulnerability
CVE-2022-50667 describes a memory leak in the Linux kernel's Direct Rendering Manager (DRM) subsystem for VMware graphics (vmwgfx). The vulnerability resides in the vmw_mksstat_add_ioctl() function. When the kernel attempts to copy a description string from userspace and that copy fails (e.g., due to an invalid pointer or memory access), the function returns -EFAULT without freeing the page that was already allocated for the instance descriptor. This results in a memory leak, as the allocated page is never released back to the system [1][2].
Exploitation
To trigger this vulnerability, an attacker must have local access to the system and the ability to invoke the vmw_mksstat_add_ioctl() ioctl call, which requires appropriate privileges (typically root or CAP_SYS_ADMIN). The attack surface is limited to local users who can interact with the VMware graphics driver. The failure condition is met by providing a malformed or inaccessible userspace pointer for the description string, causing the copy operation to fail. No special hardware or network access is needed beyond local shell access [1][2].
Impact
Successful exploitation leads to a gradual depletion of kernel memory due to the unreleased page. Over time, this memory leak can cause system instability, denial of service (DoS), or resource exhaustion for other processes. The vulnerability does not directly allow privilege escalation or arbitrary code execution, but it can degrade system performance and availability [1][2].
Mitigation
The fix for this vulnerability was included in the Linux kernel stable releases. The patch ensures that the allocated page is freed before returning an error when the copy from userspace fails. Users should update their kernel to a version containing the commit that addresses this issue. No workaround is available other than applying the kernel update [1][2].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
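The error path described above, modelled in userspace C as an added example; it is not the kernel's or the vmwgfx driver's code. The fixed-size page pool, `add_desc`, `model_copy` and the other names are assumptions made for illustration, and a NULL source pointer stands in for a faulting userspace address.

```c
/* Userspace model of the error path; every name is hypothetical, not vmwgfx code. */
#include <errno.h>
#include <string.h>

#define POOL_PAGES 8      /* tiny pool so exhaustion shows up quickly */
#define PAGE_BYTES 4096
#define DESC_LEN   64
static unsigned char pool[POOL_PAGES][PAGE_BYTES];
static int in_use[POOL_PAGES];
static const char good_desc[DESC_LEN] = "frame stats";  /* constructed input */

static void *page_alloc(void)
{
    for (int i = 0; i < POOL_PAGES; i++)
        if (!in_use[i]) { in_use[i] = 1; return pool[i]; }
    return NULL;          /* pool exhausted */
}

static void page_free(void *p)
{
    in_use[((unsigned char *)p - (unsigned char *)pool) / PAGE_BYTES] = 0;
}

/* Stand-in for copy_from_user(): NULL models a faulting pointer; returns bytes NOT copied. */
static size_t model_copy(void *dst, const void *src, size_t n)
{
    if (src) memcpy(dst, src, n);
    return src ? 0 : n;
}

/* fix == 0 reproduces the leak; fix != 0 frees the page before returning -EFAULT. */
static int add_desc(const char *udesc, int fix)
{
    void *page = page_alloc();
    if (!page) return -ENOMEM;
    if (model_copy(page, udesc, DESC_LEN)) {
        if (fix) page_free(page);
        return -EFAULT;   /* without the free above, the page is lost */
    }
    return 0;             /* success: the page stays registered */
}

/* POOL_PAGES failing requests, then one valid request: returns its result. */
static int valid_call_after_failures(int fix)
{
    memset(in_use, 0, sizeof in_use);
    for (int i = 0; i < POOL_PAGES; i++) add_desc(NULL, fix);
    return add_desc(good_desc, fix);
}
```

With the leaky path, each failed copy consumes one page, so the valid request that follows is refused for lack of memory; with the corrected path it succeeds.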
Affected products (2)
Patches (4)
b47a37ad4a44
6ad40bbb2c25
53066b144715
a40c7f61d12f
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (4)