PatchSiren cyber security CVE debrief

CVE-2017-5576 Linux CVE debrief

CVE-2017-5576 is a Linux kernel flaw in the VideoCore DRM driver that was published on 2017-02-06. A crafted VC4_SUBMIT_CL ioctl size value can trigger an integer overflow in vc4_get_bcl, creating a local denial-of-service risk and possibly other unspecified impact on affected systems.

Vendor: Linux
Product: CVE-2017-5576
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-06
Original CVE updated: 2026-05-13
Advisory published: 2017-02-06
Advisory updated: 2026-05-13

Who should care

Linux kernel maintainers, distro security teams, and operators of systems that include the VideoCore (vc4) DRM driver should pay attention, especially where local users can access the affected device interfaces.

Technical summary

NVD describes CVE-2017-5576 as an integer overflow in vc4_get_bcl in drivers/gpu/drm/vc4/vc4_gem.c. The issue is triggered through a crafted size value in a VC4_SUBMIT_CL ioctl call. The supplied NVD criteria mark Linux kernel versions from 4.5 up to, but not including, 4.9.7 as vulnerable, and the weakness is mapped to CWE-190. The CVSS vector is AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.

Defensive priority

High for systems running affected Linux kernels with the VC4 DRM driver enabled; prioritize patching or backporting to 4.9.7 or equivalent fixed releases.

Recommended defensive actions

  • Upgrade or backport the upstream fix to Linux kernel 4.9.7 or a vendor release that includes the same patch.
  • Confirm whether deployed kernels fall within the vulnerable range identified in the supplied NVD criteria (4.5 up to, but not including, 4.9.7).
  • Review systems that expose the VC4 DRM path to local users and restrict access to the relevant device nodes where practical.
  • Use the upstream kernel commit and vendor changelog references in the supplied corpus to verify the fix is present in your build.
  • Track any distro-specific advisories or backports for the affected kernel line before considering the issue resolved.
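As an added triage helper for the version and driver checks above (example code written for this debrief, not from PatchSiren or the Linux project), the following Python classifies a `uname -r` string against the NVD range quoted on this page (4.5 up to, but not including, 4.9.7) and looks for the vc4 module in a /proc/modules snapshot. The sample /proc/modules text is constructed, and the function names and verdict strings are assumptions of this example.

```python
import re

# Vulnerable range from the NVD criteria quoted on this page: 4.5 <= v < 4.9.7.
VULN_FROM = (4, 5, 0)
FIXED_AT = (4, 9, 7)

# Constructed sample of /proc/modules text (not captured from a real host).
SAMPLE_PROC_MODULES = """\
vc4 163840 2 - Live 0x0000000000000000
drm_kms_helper 155648 1 vc4, Live 0x0000000000000000
"""

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")

def parse_release(release):
    """(major, minor, patch) from a `uname -r` string, dropping distro
    suffixes such as '-4-amd64' or '-rc1'; None if unparseable."""
    m = _VERSION_RE.match(release.strip())
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))

def in_vulnerable_range(release):
    """True inside [4.5, 4.9.7), False outside, None if unparseable."""
    v = parse_release(release)
    if v is None:
        return None
    return VULN_FROM <= v < FIXED_AT

def vc4_loaded(proc_modules):
    """True if vc4 is listed in /proc/modules text (module name is the first
    column). A driver built into the image (CONFIG_DRM_VC4=y) is not listed
    there, so False does not prove the driver is absent."""
    return any(line.split()[0] == "vc4"
               for line in proc_modules.splitlines() if line.strip())

def triage(release, proc_modules):
    """Combine both checks into one verdict for a host."""
    in_range = in_vulnerable_range(release)
    if in_range is None:
        return "unknown-version"
    if not in_range:
        return "outside-nvd-range"
    if not vc4_loaded(proc_modules):
        return "in-range-vc4-not-listed"
    # The version string cannot show whether a vendor backported the fix,
    # so this verdict still needs checking against the vendor changelog.
    return "in-range-vc4-loaded"
```

A host whose version string lands in range is only a candidate: distro kernels keep the base version while carrying backported fixes, so confirm against the vendor changelog before treating it as exposed.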

Evidence notes

The supplied NVD record lists CVSS 3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H and CWE-190, with vulnerable Linux kernel versions from 4.5 up to, but not including, 4.9.7. The reference corpus includes the upstream Linux commit, the Linux 4.9.7 changelog, LKML and oss-security patch discussions, and a Red Hat Bugzilla tracking entry. No KEV entry is present in the provided data.

Official resources

Public vulnerability references were already available in January 2017 through LKML and oss-security, and the CVE/NVD record was published on 2017-02-06. The supplied data does not include a KEV listing.