Severity: HIGH
drm/vmwgfx: Translate Pointer Uninitialized Use
CVE-2026-23317
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI score: 7.8 (HIGH)
01 Description

In the Linux kernel, the following vulnerability has been resolved:

drm/vmwgfx: Return the correct value in vmw_translate_ptr functions

Before the referenced fixes these functions used a lookup function that returned a pointer. This was changed to another lookup function that returned an error code with the pointer becoming an out parameter. The error path when the lookup failed was not changed to reflect this change and the code continued to return the PTR_ERR of the now uninitialized pointer. This could cause the vmw_translate_ptr functions to return success when they actually failed, causing further uninitialized and OOB accesses.
02 KernelScan AI Analysis
Risk summary
A programming error in the VMware graphics driver (vmwgfx) can cause memory corruption when GPU command buffers reference invalid buffer objects. If the object lookup fails but the translate function incorrectly reports success, the subsequent code uses an uninitialized pointer, which can lead to system crashes or memory corruption. This affects systems using VMware graphics with applications that submit GPU commands.
Vulnerability analysis
Root Cause: During a refactoring in commit a309c7194e8a, the vmw_translate_mob_ptr and vmw_translate_guest_ptr functions were changed to use vmw_user_bo_lookup(), which returns an error code and passes the buffer object back through an out parameter, instead of the previous lookup function that returned a pointer directly. However, the error handling paths were not updated accordingly: they continued to call PTR_ERR() on the now uninitialized vmw_bo pointer variable instead of returning the actual error code from the lookup function.
Attack Surface: This vulnerability affects the VMware graphics driver's command buffer execution path. It requires local access with the ability to submit GPU commands through the DRM interface, typically requiring graphics device access permissions. The bug could lead to out-of-bounds memory accesses when the translate functions incorrectly return success despite lookup failures.
Fix Mechanism: The patch corrects the error handling by returning the actual error code 'ret' from vmw_user_bo_lookup() instead of calling PTR_ERR() on the uninitialized vmw_bo pointer. This ensures that lookup failures are propagated as error codes rather than being converted, via whatever value the uninitialized pointer happened to hold, into a spurious success (0).
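The following is an added illustration of the bug class described above, written for this page; it is not the vmwgfx driver source. The mock lookup, structures and function names are hypothetical stand-ins for vmw_user_bo_lookup() and the translate functions, and PTR_ERR() is a minimal userland mock of the kernel macro. In the real driver the pointer is simply left uninitialized on the failure path; the buggy variant here sets it to NULL so that the outcome is deterministic, which is exactly the "lookup failed but 0 is returned" case the advisory describes.

```c
/* Added illustration of the CVE-2026-23317 bug pattern (hypothetical mock,
 * not the vmwgfx source): an error path kept calling PTR_ERR() on a pointer
 * that a refactored lookup no longer fills in on failure. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

struct vmw_bo { int handle; };

/* Mock of the kernel's PTR_ERR(): a pointer that encodes an errno value. */
static inline long PTR_ERR(const void *ptr) { return (long)ptr; }

/* Mock of the new-style lookup: returns 0 or -errno and fills *out only on
 * success, mirroring the out-parameter contract of vmw_user_bo_lookup(). */
static int mock_bo_lookup(int handle, struct vmw_bo **out)
{
    static struct vmw_bo valid = { .handle = 1 };
    if (handle != valid.handle)
        return -ENOENT;   /* *out is deliberately NOT written on failure */
    *out = &valid;
    return 0;
}

/* "Before" pattern: the error path still uses PTR_ERR() on the out-parameter.
 * In the real driver vmw_bo holds stack garbage here; it is set to NULL in
 * this mock for determinism, so PTR_ERR(NULL) == 0 and the failure is
 * reported to the caller as success. */
static int translate_ptr_buggy(int handle, struct vmw_bo **result)
{
    struct vmw_bo *vmw_bo = NULL;
    int ret = mock_bo_lookup(handle, &vmw_bo);
    if (ret != 0)
        return PTR_ERR(vmw_bo);   /* BUG: vmw_bo was never assigned */
    *result = vmw_bo;
    return 0;
}

/* "After" pattern: propagate the lookup's own error code. */
static int translate_ptr_fixed(int handle, struct vmw_bo **result)
{
    struct vmw_bo *vmw_bo;
    int ret = mock_bo_lookup(handle, &vmw_bo);
    if (ret != 0)
        return ret;
    *result = vmw_bo;
    return 0;
}

/* Small wrappers returning only the status code, for checking outcomes. */
static int buggy_status(int handle)
{
    struct vmw_bo *bo = NULL;
    return translate_ptr_buggy(handle, &bo);
}

static int fixed_status(int handle)
{
    struct vmw_bo *bo = NULL;
    return translate_ptr_fixed(handle, &bo);
}

/* Returns the resolved handle on success, or -1 if the fixed path failed. */
static int fixed_resolved_handle(int handle)
{
    struct vmw_bo *bo = NULL;
    if (translate_ptr_fixed(handle, &bo) != 0)
        return -1;
    return bo->handle;
}

int main(void)
{
    printf("buggy, unknown handle 42: status %d (0 means 'success')\n", buggy_status(42));
    printf("fixed, unknown handle 42: status %d (-ENOENT is %d)\n", fixed_status(42), -ENOENT);
    printf("fixed, valid handle 1:    status %d, resolved handle %d\n",
           fixed_status(1), fixed_resolved_handle(1));
    return 0;
}
```

The buggy variant returns 0 for a handle the lookup rejected, so a caller that checks only the return code proceeds to dereference a buffer object that was never resolved; the fixed variant returns -ENOENT and the caller bails out. The general lesson is that whenever a callee's contract changes from "returns pointer-or-ERR_PTR" to "returns int, pointer via out parameter", every PTR_ERR()/IS_ERR() check on the old return value is now operating on a variable the callee may not have written.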
03 Fix Versions

| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.1 | 6.1.167 | ce3a5cf13978 |
| 6.6 | 6.6.130 | 7e55d0788b36 |
| 6.12 | 6.12.77 | 36cb28b6d303 |
| 6.18 | 6.18.17 | 531f45589787 |
| 6.19 | 6.19.7 | 149f028772fa |
| mainline | 7.0 | 5023ca80f958 |